nachum
Honorary Members
Posts: 24
Reputation: 0 Neutral
I solved the firewall issue by deleting the above regedit value; it was forcing the firewall to be turned off. All's well now. Thank you very much for your assistance!! Nachum
-
Ran Farbar again, this is the report regarding Windows Firewall (no other findings):

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

Any action I should take?
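The two posts above (the FSS "Firewall Disabled Policy" finding and the fix of deleting that value) are the kind of check a defender wants to script. The following is an added example, not code from the thread or from Farbar's tool: it reads the same per-profile EnableFirewall values that FSS reports, also checks the Group Policy location that can force a profile off, and compares the result with the MpsSvc service state. The function name and output layout are my own.

```powershell
# Added example: audit the Windows Firewall "disabled policy" values that
# Farbar Service Scanner reports. Hypothetical helper name; run elevated.
function Get-FirewallDisablePolicy {
    # Two places where an EnableFirewall DWORD of 0 turns a profile off:
    # the service's own per-profile keys (what FSS showed above) and the
    # Group Policy keys, which a GPO or a rogue local write can populate.
    $roots = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy',
        'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    )
    $profiles = 'DomainProfile', 'StandardProfile', 'PublicProfile'

    foreach ($root in $roots) {
        foreach ($profile in $profiles) {
            $key = Join-Path $root $profile
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }
            if ($props.PSObject.Properties.Name -contains 'EnableFirewall') {
                # ForcedOff is the condition FSS flags; Source tells you whether
                # the value is local policy or came down through Group Policy.
                [pscustomobject]@{
                    Profile        = $profile
                    Source         = if ($root -like '*Policies*') { 'GroupPolicy' } else { 'Service' }
                    EnableFirewall = $props.EnableFirewall
                    ForcedOff      = ($props.EnableFirewall -eq 0)
                }
            }
        }
    }
}

# Registry verdicts, then the service state to compare them against
# (a stopped MpsSvc with ForcedOff = True matches the FSS report above).
$findings = Get-FirewallDisablePolicy
if ($findings) { $findings | Format-Table -AutoSize } else { 'No EnableFirewall policy values present.' }

# Win32_Service is used instead of Get-Service.StartType so the check also
# works on the Windows PowerShell 2.0 that ships with Windows 7.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='MpsSvc'"
if ($svc) { "MpsSvc state: $($svc.State), start mode: $($svc.StartMode)" }
```

A value reported with Source = GroupPolicy on a domain member is pushed by a GPO and should be corrected there rather than deleted locally; once no ForcedOff value remains, `netsh advfirewall set allprofiles state on` is the supported way to turn the profiles back on.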
-
Marius, thank you. I have uninstalled ComboFix and run DelFix (log below). The remaining issue is Windows Firewall - I cannot turn it on. Message center cannot turn it on, and when I try manually and click "use recommended settings" nothing happens and the firewall is not turned on.

# DelFix v10.4 - Logfile created 21/09/2013 at 08:44:22
# Updated 19/07/2013 by Xplode
# Username : Nachum - NACHUM-OFFICE
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.2.8.16.0_15.09.2013_22.18.57_log.txt
Deleted : C:\Users\Nachum\Desktop\adwcleaner.exe
Deleted : C:\Users\Nachum\Desktop\aswmbr.exe
Deleted : C:\Users\Nachum\Desktop\aswMBR.txt
Deleted : C:\Users\Nachum\Desktop\FSS.exe
Deleted : C:\Users\Nachum\Desktop\FSS.txt
Deleted : C:\Users\Nachum\Desktop\Log_combifix_script.txt
Deleted : C:\Users\Nachum\Desktop\MBR.dat
Deleted : C:\Users\Nachum\Desktop\SecurityCheck.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #20 [ComboFix created restore point | 09/21/2013 12:40:35]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
-
Here are the results of the AdwCleaner, Security Check and Farbar. In addition I have decided to do a clean Windows 7 install on my wife's laptop - can you please send me instructions for a full format during installation from a Win 7 DVD?

# AdwCleaner v3.004 - Report created 20/09/2013 at 10:26:55
# Updated 15/09/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Nachum - NACHUM-OFFICE
# Running from : C:\Users\Nachum\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686

-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\prefs.js ]

*************************

AdwCleaner[R0].txt - [781 octets] - [20/09/2013 10:26:11]
AdwCleaner[s0].txt - [703 octets] - [20/09/2013 10:26:55]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [762 octets] ##########

Results of screen317's Security Check version 0.99.73
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Webroot SecureAnywhere Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Adobe Flash Player 11.8.800.168
Mozilla Firefox (23.0.1)
Mozilla Thunderbird (17.0.8)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

Farbar Service Scanner Version: 13-09-2013
Ran by Nachum (administrator) on 20-09-2013 at 10:33:13
Running from "C:\Users\Nachum\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****
-
Here are the results of the latest ESET scan

C:\Qoobox\Quarantine\H\2c2c\g3d9f.js.vir JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\H\2c2c\i31313.js.vir JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\I\2c2c\g3d9f.js.vir JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\I\2c2c\i31313.js.vir JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\J\Install_files\epm.exe.vir Win32/OpenCandy application
-
Just to let you know, ESET is still scanning but has already found 4 instances of JS/Kryptik.AKG.trojan on the C drive, and also 1 of Win32/OpenCandy application
-
Forgot the ESET scan, will post as soon as ready
-
MBAM found no malicious items (see below). One remaining issue is that I cannot turn Windows Firewall on; I need to go to "manual" and when I click "recommended settings" nothing happens. I have also activated the MBAM Pro version. In addition my wife's laptop is infected, same symptoms as I had (we shared one of the external hard drives). Do you want to have a go at it? If so, where should I start (KAV rescue disk?)? Alternatively, will a clean Windows install be effective?

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.19.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
Nachum :: NACHUM-OFFICE [administrator]

Protection: Enabled

9/19/2013 7:32:23 AM
mbam-log-2013-09-19 (07-32-23).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 2163977
Time elapsed: 3 hour(s), 12 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
-
Here is the ComboFix with script log:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exe c:\windows\SysWOW64\SAsrv.exe c:\progra~1\Lenovo\Zoom\TPSCREX.EXE c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe . ************************************************************************** . Completion time: 2013-09-18 08:30:52 - machine was rebooted ComboFix-quarantined-files.txt 2013-09-18 12:30 ComboFix2.txt 2013-09-17 16:47 ComboFix3.txt 2013-09-17 15:16 ComboFix4.txt 2013-09-16 15:08 ComboFix5.txt 2013-09-18 12:18 . Pre-Run: 98,760,097,792 bytes free Post-Run: 98,659,074,048 bytes free . - - End Of File - - B91DCACBEA7E3186BACBA284F2351FBC
-
Here are the results:

ComboFix:

ComboFix 13-09-17.01 - Nachum 09/17/2013 12:09:52.4.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.5737 [GMT -4:00]
Running from: c:\users\Nachum\Desktop\nk.exe
Command switches used :: c:\users\Nachum\Desktop\CFScript.txt
AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\2d9
c:\2d9\2828
c:\2d9\2c2c2
c:\2d9\3082
c:\2d9\3b873
c:\2d9\3b97
c:\program files\338
.
.
((((((((((((((((((((((((( Files Created from 2013-08-17 to 2013-09-17 )))))))))))))))))))))))))))))))
.
.
2013-09-17 16:14 . 2013-09-17 16:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST
2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore
2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET
2013-09-16 00:18 . 2013-09-16 15:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-09-16 00:06 .
2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys 2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll 2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo 2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA 2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield 2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS 2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys 2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft 2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd 2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X7 2013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers 2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe 2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe 2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys 2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll 2013-09-05 14:47 . 2013-09-17 09:59 -------- d-----w- C:\Temp 2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.0 2013-09-03 19:52 . 
2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype 2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE 2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt 2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird 2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer 2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll 2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software 2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad 2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft 2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft 2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll 2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet 2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared 2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe 2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG 2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll 2013-09-02 19:24 . 
2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool 2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP 2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard 2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll 2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll 2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll 2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll 2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll 2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll 2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP 2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP 2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS 2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel 2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight 2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard 2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO 2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud 2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS 2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help 2013-09-01 19:50 . 
2013-09-01 16:04 -------- d-----w- c:\windows\Panther 2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys 2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH 2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office 2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services 2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help 2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache 2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed 2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed 2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service 2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET 2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe 2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll 2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys 2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll 2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot 2013-09-01 18:11 . 2013-09-16 16:55 -------- d-----w- c:\programdata\WRData 2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll 2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll 2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat 2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat 2013-09-01 17:42 . 
2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys 2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys 2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui 2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll 2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT 2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll 2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys 2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll 2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll 2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll 2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll 2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec 2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll 2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll 2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys 2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys 2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll 2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll 2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll 2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll 2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll 2013-09-01 17:17 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll 2013-09-01 17:16 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll 2013-09-01 17:15 . 
2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe 2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe 2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe 2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe 2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll 2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl 2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe 2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys 2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL 2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL 2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]
"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot -
Search & Destroy 2\SDWSCSvc.exe [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x] S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x] S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x] S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x] S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x] S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x] S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x] S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x] S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x] S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x] S2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files 
(x86)\Pharsight\Phoenix\application\jps.exe [x] S2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x] S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x] S2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x] S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x] S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x] S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x] S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x] S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x] S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x] S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x] S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x] S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x] S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller 
Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x] S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x] . . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder . 2013-09-17 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk] @="{3A87EE91-AED7-46E9-B8A3-5360628BA718}" [HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending] @="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}" [HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError] @="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}" [HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl] @="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}" [HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen] @="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}" [HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed] @="{1914B27A-33C8-46F8-A1C2-F993268D4564}" [HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow] @="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}" [HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TpShocks"="TpShocks.exe" [2013-06-20 382248] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024] "ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056] "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032] "PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"=c:\windows\System32\nvinitx.dll . ------- Supplementary Scan ------- . 
uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105 TCP: DhcpNameServer = 192.168.1.1 FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\ FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi . - - - - ORPHANS REMOVED - - - - . Wow6432Node-HKLM-Run-<NO NAME> - (no file) Notify-SDWinLogon - SDWinLogon.dll . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . ------------------------ Other Running Processes ------------------------ . c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exe c:\windows\SysWOW64\SAsrv.exe c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe c:\progra~1\Lenovo\Zoom\TPSCREX.EXE c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe . ************************************************************************** . Completion time: 2013-09-17 12:47:02 - machine was rebooted ComboFix-quarantined-files.txt 2013-09-17 16:47 ComboFix2.txt 2013-09-17 15:16 ComboFix3.txt 2013-09-16 15:08 ComboFix4.txt 2013-09-16 14:41 . Pre-Run: 98,892,083,200 bytes free Post-Run: 98,833,932,288 bytes free . 
- - End Of File - - 6D37093ECF421444409600BB70FA507C

MBAM:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.17.08

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16686
Nachum :: NACHUM-OFFICE [administrator]

9/17/2013 1:03:03 PM
MBAM-log-2013-09-17 (16-38-02).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 2162436
Time elapsed: 3 hour(s), 20 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel|HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET:

H:\2c2c\g3d9f.js  JS/Kryptik.AKG trojan
H:\2c2c\i31313.js  JS/Kryptik.AKG trojan
I:\2c2c\g3d9f.js  JS/Kryptik.AKG trojan
I:\2c2c\i31313.js  JS/Kryptik.AKG trojan
J:\Install_files\epm.exe  Win32/OpenCandy application
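The "Reg Loading Points" section of the ComboFix log in this post shows the machine-wide UAC policy switched off (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0) and AppInit_DLLs entries under both the native and the Wow6432Node key. Those lines are easy to skim past in a log this long, so here is an added example (not code from the post, from ComboFix, or from this forum) of a small Python triage script that parses policy keys in the layout ComboFix prints and flags the values that weaken the host. The sample log is constructed from the values above; the "expected" settings it compares against are the Windows 7 defaults as far as I know them (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1), and the AppInit_DLLs rule only asks for a review, since on this machine the DLLs are NVIDIA's nvinit.dll/nvinitx.dll, which belong to the installed graphics driver.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section, using
# the values reported in the log above. Only the policy keys matter for this check.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# ComboFix prints either  "Name"= 0 (0x0)  or  "Name"=value ; the hex echo is optional.
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)(?:\s*\(0x[0-9A-Fa-f]+\))?$')

# (key suffix, value name, predicate that flags the value, why it matters).
# Assumed defaults: Windows 7 ships EnableLUA=1, ConsentPromptBehaviorAdmin=5 and
# PromptOnSecureDesktop=1; NoAutorun=1 is the hardening value that ignores autorun.inf.
CHECKS = [
    (r"policies\system", "EnableLUA", lambda v: v == "0",
     "UAC is off; every process an administrator starts runs fully elevated"),
    (r"policies\system", "ConsentPromptBehaviorAdmin", lambda v: v == "0",
     "administrators elevate silently with no consent prompt"),
    (r"policies\system", "PromptOnSecureDesktop", lambda v: v == "0",
     "elevation prompts are not isolated on the secure desktop"),
    (r"policies\explorer", "NoAutorun", lambda v: v != "1",
     "autorun.inf is still honoured, so inserted media can launch a payload"),
    (r"currentversion\windows", "AppInit_DLLs", lambda v: v != "",
     "AppInit_DLLs is set; the DLL is loaded into every process that uses user32, confirm it is expected"),
]


def parse_reg_loading_points(text: str) -> Dict[str, Dict[str, str]]:
    """Group each "Name"=value line under the [registry key] that precedes it.
    Keys are lower-cased so native and Wow6432Node paths compare the same way."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def audit_policies(parsed: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per weakened value. A value that is absent is not reported, because
    ComboFix omits default entries, so absence usually means the default is in place."""
    findings: List[str] = []
    for suffix, name, is_bad, why in CHECKS:
        for key, values in parsed.items():
            if not key.endswith(suffix.lower()):
                continue
            if name in values and is_bad(values[name]):
                findings.append(f"{name}={values[name]} under {key}: {why}")
    return findings


def audit_combofix_log(text: str) -> List[str]:
    return audit_policies(parse_reg_loading_points(text))


if __name__ == "__main__":
    for finding in audit_combofix_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the three UAC values and the two AppInit_DLLs entries, and nothing for NoAutorun=1. Re-enabling UAC is what a clean-up normally does at the end (the values to restore are the defaults listed in the comment), after which the AppInit_DLLs entries can be left alone if they match the installed driver.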
-
Thanks! Will do; I'm currently in the middle of the MBAM scan and will have all the logs for you tomorrow morning (my time).
-
Sorry, the ESET Cyber Security is for Mac; I'll download NOD32 Antivirus.
-
Will do. I don't have ESET; which version should I download, the Cyber Security Pro free trial?
-
ComboFix done; it gave a message that Webroot SecureAnywhere was active even though I had disabled the protection. Here is the log: ComboFix 13-09-14.01 - Nachum 09/17/2013 11:10:51.3.4 - x64 MINIMAL Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.6715 [GMT -4:00] Running from: c:\users\Nachum\Desktop\nk.exe AV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401} SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0} SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . E:\autorun.inf H:\Autorun.inf I:\install.exe . . ((((((((((((((((((((((((( Files Created from 2013-08-17 to 2013-09-17 ))))))))))))))))))))))))))))))) . . 2013-09-17 15:15 . 2013-09-17 15:15 -------- d-----w- c:\users\Default\AppData\Local\temp 2013-09-16 15:01 . 2013-09-17 10:33 -------- d-sh--w- c:\program files\338 2013-09-16 15:01 . 2013-09-16 15:06 -------- d-----w- C:\2d9 2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST 2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware 2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore 2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET 2013-09-16 00:18 . 2013-09-16 15:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy 2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe 2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2 2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes 2013-09-16 00:06 . 
2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware 2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys 2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll 2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo 2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software 2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA 2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield 2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS 2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys 2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft 2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd 2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X7 2013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers 2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe 2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe 2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys 2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll 2013-09-05 14:47 . 2013-09-17 09:59 -------- d-----w- C:\Temp 2013-09-03 19:52 . 
2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.0 2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype 2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype 2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE 2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE 2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt 2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird 2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer 2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll 2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software 2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad 2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft 2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft 2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll 2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet 2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared 2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe 2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG 2013-09-02 19:25 . 
2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll 2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool 2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP 2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard 2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll 2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll 2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll 2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll 2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll 2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll 2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP 2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP 2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS 2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel 2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW 2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight 2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard 2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO 2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud 2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS 2013-09-01 19:55 . 
2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help 2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther 2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys 2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH 2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office 2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services 2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help 2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache 2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe 2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed 2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed 2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service 2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET 2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe 2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll 2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys 2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll 2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot 2013-09-01 18:11 . 2013-09-16 16:55 -------- d-----w- c:\programdata\WRData 2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll 2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll 2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat 2013-09-01 17:59 . 
2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat 2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys 2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys 2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui 2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll 2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT 2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll 2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys 2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll 2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll 2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll 2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll 2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec 2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll 2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll 2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys 2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys 2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll 2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll 2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll 2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll 2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll 2013-09-01 17:17 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll . . 
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe 2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe 2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe 2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe 2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll 2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl 2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe 2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys 2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL 2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL 2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808] "Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712] "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048] "WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760] "Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168] "Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128] "Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576] "SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] "1"="c:\program files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" [2013-04-04 218184] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328] Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040] Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040] . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "DisableCAD"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoAutorun"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "LoadAppInit_DLLs"=1 (0x1) "AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE] @="" . R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x] R1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x] R2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x] R2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local 
Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x] R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x] R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x] R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x] R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x] R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x] R2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x] R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x] R2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x] R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x] R2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x] R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x] R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x] R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x] R2 
ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x] R3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x] R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x] R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x] R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x] R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x] S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x] S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x] S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x] S2 !SASCORE;SAS Core Service;c:\program 
files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x] S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x] S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x] S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x] . . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder . 2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37] . . --------- X64 Entries ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk] @="{3A87EE91-AED7-46E9-B8A3-5360628BA718}" [HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending] @="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}" [HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError] @="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}" [HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}] 2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl] @="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}" [HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen] @="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}" [HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed] @="{1914B27A-33C8-46F8-A1C2-F993268D4564}" [HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow] @="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}" [HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}] 2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TpShocks"="TpShocks.exe" [2013-06-20 382248] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472] "Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024] "ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056] "SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032] "PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"=c:\windows\System32\nvinitx.dll . ------- Supplementary Scan ------- . 
uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105 TCP: DhcpNameServer = 192.168.1.1 FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\ FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi . - - - - ORPHANS REMOVED - - - - . Wow6432Node-HKLM-Run-<NO NAME> - (no file) Notify-SDWinLogon - SDWinLogon.dll . . . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2013-09-17 11:16:36 ComboFix-quarantined-files.txt 2013-09-17 15:16 ComboFix2.txt 2013-09-16 15:08 ComboFix3.txt 2013-09-16 14:41 . Pre-Run: 98,988,253,184 bytes free Post-Run: 98,821,361,664 bytes free . - - End Of File - - 0F911C090FA6D98D593056DD53D4A03E
-
Quarantine successful except for one file: Trojan program Trojan.win E:/autorun.inf (not found). Should I scan the external E drive again?