Posts posted by nachum
Ran Farbar again, this is the report regarding Windows Firewall (no other findings):
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
Any action I should take?
-
Marius, thank you. I have uninstalled ComboFix and run DelFix (log below). The remaining issue is Windows Firewall - I cannot turn it on. Message center cannot turn it on, and when I try manually and click "use recommended settings" nothing happens and the firewall is not turned on.
# DelFix v10.4 - Logfile created 21/09/2013 at 08:44:22
# Updated 19/07/2013 by Xplode
# Username : Nachum - NACHUM-OFFICE
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
~ Activating UAC ... OK
~ Removing disinfection tools ...
Deleted : C:\FRST
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.2.8.16.0_15.09.2013_22.18.57_log.txt
Deleted : C:\Users\Nachum\Desktop\adwcleaner.exe
Deleted : C:\Users\Nachum\Desktop\aswmbr.exe
Deleted : C:\Users\Nachum\Desktop\aswMBR.txt
Deleted : C:\Users\Nachum\Desktop\FSS.exe
Deleted : C:\Users\Nachum\Desktop\FSS.txt
Deleted : C:\Users\Nachum\Desktop\Log_combifix_script.txt
Deleted : C:\Users\Nachum\Desktop\MBR.dat
Deleted : C:\Users\Nachum\Desktop\SecurityCheck.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR
~ Creating registry backup ... OK
~ Cleaning system restore ...
Deleted : RP #20 [ComboFix created restore point | 09/21/2013 12:40:35]
New restore point created !
~ Resetting system settings ... OK
########## - EOF - ##########
-
Here are the results of the AdwCleaner, Security Check and Farbar.
In addition I have decided to do a clean Windows 7 install on my wife's laptop - can you please send me instructions for a full format during installation from a Win 7 DVD?
# AdwCleaner v3.004 - Report created 20/09/2013 at 10:26:55
# Updated 15/09/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Nachum - NACHUM-OFFICE
# Running from : C:\Users\Nachum\Desktop\adwcleaner.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
***** [ Browsers ] *****
-\\ Internet Explorer v10.0.9200.16686
-\\ Mozilla Firefox v23.0.1 (en-US)
[ File : C:\Users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\prefs.js ]
*************************
AdwCleaner[R0].txt - [781 octets] - [20/09/2013 10:26:11]
AdwCleaner[s0].txt - [703 octets] - [20/09/2013 10:26:55]
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [762 octets] ##########
Results of screen317's Security Check version 0.99.73
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Webroot SecureAnywhere
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Adobe Flash Player 11.8.800.168
Mozilla Firefox (23.0.1)
Mozilla Thunderbird (17.0.8)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
Farbar Service Scanner Version: 13-09-2013
Ran by Nachum (administrator) on 20-09-2013 at 10:33:13
Running from "C:\Users\Nachum\Desktop"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
System Restore:
============
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
Other Services:
==============
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
**** End of log ****
-
Here are the results of the latest ESET scan
C:\Qoobox\Quarantine\H\2c2c\g3d9f.js.vir JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\H\2c2c\i31313.js.vir JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\I\2c2c\g3d9f.js.vir JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\I\2c2c\i31313.js.vir JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\J\Install_files\epm.exe.vir Win32/OpenCandy application
-
Just to let you know, ESET is still scanning but has already found 4 instances of JS/Kryptik.AKG trojan on the C drive, and also 1 of Win32/OpenCandy application
-
Forgot the ESET scan, will post as soon as ready
-
MBAM found no malicious items (see below). One remaining issue is that I cannot turn Windows Firewall on, need to go to "manual" and when I click "recommended settings" nothing happens. I have also activated the MBAM Pro version. In addition my wife's laptop is infected, same symptoms as I had (we shared one of the external hard drives). Do you want to have a go at it? If so, where should I start (KAV rescue disk?)? Alternatively, will a clean Windows install be effective?
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
Database version: v2013.09.19.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
Nachum :: NACHUM-OFFICE [administrator]
Protection: Enabled
9/19/2013 7:32:23 AM
mbam-log-2013-09-19 (07-32-23).txt
Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 2163977
Time elapsed: 3 hour(s), 12 minute(s), 2 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
Here is the ComboFix with script log:
ComboFix 13-09-17.01 - Nachum 09/18/2013 8:19.5.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.5887 [GMT -4:00]
Running from: c:\users\Nachum\Desktop\nk.exe
Command switches used :: c:\users\Nachum\Desktop\CFScript.txt
AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"h:\2c2c\g3d9f.js"
"h:\2c2c\i31313.js"
"i:\2c2c\g3d9f.js"
"i:\2c2c\i31313.js"
"j:\install_files\epm.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\2c2c\g3d9f.js
h:\2c2c\i31313.js
i:\2c2c\g3d9f.js
i:\2c2c\i31313.js
j:\install_files\epm.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-08-18 to 2013-09-18 )))))))))))))))))))))))))))))))
.
.
2013-09-18 12:24 . 2013-09-18 12:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST
2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore
2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET
2013-09-16 00:18 . 2013-09-16 15:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll
2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo
2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA
2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS
2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft
2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd
2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X7
2013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers
2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe
2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe
2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys
2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll
2013-09-05 14:47 . 2013-09-17 20:42 -------- d-----w- C:\Temp
2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.0
2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype
2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE
2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt
2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer
2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software
2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad
2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft
2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft
2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll
2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet
2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared
2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG
2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll
2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool
2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP
2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard
2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll
2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll
2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll
2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll
2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll
2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll
2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP
2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP
2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS
2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel
2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight
2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO
2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud
2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS
2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther
2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys
2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH
2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office
2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help
2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache
2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed
2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed
2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET
2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe
2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot
2013-09-01 18:11 . 2013-09-16 16:55 -------- d-----w- c:\programdata\WRData
2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat
2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat
2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT
2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec
2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys
2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll
2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll
2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll
2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2013-09-01 17:17 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll
2013-09-01 17:16 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2013-09-01 17:15 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe
2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe
2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe
2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll
2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl
2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe
2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys
2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL
2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL
2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]
"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]
R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]
R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]
S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]
S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]
S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
S2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]
@="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"
[HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]
@="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"
[HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]
@="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"
[HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2013-06-20 382248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]
"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\
FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com
FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com
FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exe
c:\windows\SysWOW64\SAsrv.exe
c:\progra~1\Lenovo\Zoom\TPSCREX.EXE
c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-09-18 08:30:52 - machine was rebooted
ComboFix-quarantined-files.txt 2013-09-18 12:30
ComboFix2.txt 2013-09-17 16:47
ComboFix3.txt 2013-09-17 15:16
ComboFix4.txt 2013-09-16 15:08
ComboFix5.txt 2013-09-18 12:18
.
Pre-Run: 98,760,097,792 bytes free
Post-Run: 98,659,074,048 bytes free
.
- - End Of File - - B91DCACBEA7E3186BACBA284F2351FBC
-
Here are the results:
ComboFix:
ComboFix 13-09-17.01 - Nachum 09/17/2013 12:09:52.4.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.5737 [GMT -4:00]
Running from: c:\users\Nachum\Desktop\nk.exe
Command switches used :: c:\users\Nachum\Desktop\CFScript.txt
AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\2d9
c:\2d9\2828
c:\2d9\2c2c2
c:\2d9\3082
c:\2d9\3b873
c:\2d9\3b97
c:\program files\338
.
.
((((((((((((((((((((((((( Files Created from 2013-08-17 to 2013-09-17 )))))))))))))))))))))))))))))))
.
.
2013-09-17 16:14 . 2013-09-17 16:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST
2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore
2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET
2013-09-16 00:18 . 2013-09-16 15:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll
2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo
2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA
2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS
2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft
2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd
2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X7
2013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers
2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe
2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe
2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys
2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll
2013-09-05 14:47 . 2013-09-17 09:59 -------- d-----w- C:\Temp
2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.0
2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype
2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE
2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt
2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer
2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software
2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad
2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft
2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft
2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll
2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet
2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared
2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG
2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll
2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool
2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP
2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard
2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll
2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll
2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll
2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll
2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll
2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll
2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP
2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP
2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS
2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel
2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight
2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO
2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud
2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS
2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther
2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys
2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH
2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office
2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help
2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache
2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed
2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed
2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET
2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe
2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot
2013-09-01 18:11 . 2013-09-16 16:55 -------- d-----w- c:\programdata\WRData
2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat
2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat
2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT
2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec
2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys
2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll
2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll
2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll
2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2013-09-01 17:17 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll
2013-09-01 17:16 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2013-09-01 17:15 . 2013-02-27 06:02 111448 ----a-w- c:\windows\system32\consent.exe
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe
2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe
2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe
2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll
2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl
2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe
2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys
2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL
2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL
2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]
"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]
S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]
S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]
S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]
S2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]
S2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
S2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]
@="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"
[HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]
@="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"
[HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]
@="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"
[HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2013-06-20 382248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]
"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\
FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com
FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com
FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exe
c:\windows\SysWOW64\SAsrv.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\progra~1\Lenovo\Zoom\TPSCREX.EXE
c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2013-09-17 12:47:02 - machine was rebooted
ComboFix-quarantined-files.txt 2013-09-17 16:47
ComboFix2.txt 2013-09-17 15:16
ComboFix3.txt 2013-09-16 15:08
ComboFix4.txt 2013-09-16 14:41
.
Pre-Run: 98,892,083,200 bytes free
Post-Run: 98,833,932,288 bytes free
.
- - End Of File - - 6D37093ECF421444409600BB70FA507C
MBAM:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.09.17.08
Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16686
Nachum :: NACHUM-OFFICE [administrator]
9/17/2013 1:03:03 PM
MBAM-log-2013-09-17 (16-38-02).txt
Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 2162436
Time elapsed: 3 hour(s), 20 minute(s), 2 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel|HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> No action taken.
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
ESET:
H:\2c2c\g3d9f.js JS/Kryptik.AKG trojan
H:\2c2c\i31313.js JS/Kryptik.AKG trojan
I:\2c2c\g3d9f.js JS/Kryptik.AKG trojan
I:\2c2c\i31313.js JS/Kryptik.AKG trojan
J:\Install_files\epm.exe Win32/OpenCandy application
-
Thanks! Will do, currently in the middle of the MBAM scan, will have all the logs for you tomorrow morning (my time).
-
Sorry, ESET Cyber Security is for Mac; I'll download NOD32 Antivirus.
-
Will do. I don't have ESET; which version should I download, the Cyber Security Pro free trial?
-
ComboFix done; it gave a message that Webroot SecureAnywhere was active even though I had disabled the protection. Here is the log:
ComboFix 13-09-14.01 - Nachum 09/17/2013 11:10:51.3.4 - x64 MINIMAL
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.6715 [GMT -4:00]
Running from: c:\users\Nachum\Desktop\nk.exe
AV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
E:\autorun.inf
H:\Autorun.inf
I:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-08-17 to 2013-09-17 )))))))))))))))))))))))))))))))
.
.
2013-09-17 15:15 . 2013-09-17 15:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-16 15:01 . 2013-09-17 10:33 -------- d-sh--w- c:\program files\338
2013-09-16 15:01 . 2013-09-16 15:06 -------- d-----w- C:\2d9
2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST
2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore
2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET
2013-09-16 00:18 . 2013-09-16 15:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll
2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo
2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA
2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS
2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft
2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd
2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X7
2013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers
2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe
2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe
2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys
2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll
2013-09-05 14:47 . 2013-09-17 09:59 -------- d-----w- C:\Temp
2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.0
2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype
2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE
2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt
2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer
2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software
2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad
2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft
2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft
2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll
2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet
2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared
2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG
2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll
2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool
2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP
2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard
2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll
2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll
2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll
2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll
2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll
2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll
2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP
2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP
2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS
2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel
2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight
2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO
2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud
2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS
2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther
2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys
2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH
2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office
2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help
2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache
2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed
2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed
2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET
2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe
2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot
2013-09-01 18:11 . 2013-09-16 16:55 -------- d-----w- c:\programdata\WRData
2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat
2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat
2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT
2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec
2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys
2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll
2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll
2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll
2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2013-09-01 17:17 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe
2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe
2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe
2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll
2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl
2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe
2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys
2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL
2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL
2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]
"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"1"="c:\program files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" [2013-04-04 218184]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]
R1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]
R2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]
R2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]
R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]
R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]
R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]
R2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
R2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
R3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]
@="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"
[HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]
@="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"
[HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]
@="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"
[HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2013-06-20 382248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]
"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\
FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com
FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com
FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-09-17 11:16:36
ComboFix-quarantined-files.txt 2013-09-17 15:16
ComboFix2.txt 2013-09-16 15:08
ComboFix3.txt 2013-09-16 14:41
.
Pre-Run: 98,988,253,184 bytes free
Post-Run: 98,821,361,664 bytes free
.
- - End Of File - - 0F911C090FA6D98D593056DD53D4A03E
-
Quarantine successful except for one file: Trojan program Trojan.win E:/autorun.inf (not found). Should I scan the external E drive again?
-
Here is the KAV rescue disk report. Should I quarantine or delete?
Status: Detected (events: 45)
9/16/13 1:25 PM Detected virus HEUR:Worm.Script.Generic C:/Users/Nachum/AppData/Roaming/2c8b/3a9.js High
9/16/13 2:00 PM Detected virus HEUR:Worm.Script.Generic C:/Program Files/338/3282.js High
9/16/13 2:02 PM Detected virus HEUR:Worm.Script.Generic C:/Qoobox/Quarantine/C/Program Files/338/3282.js.vir High
9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/$RECYCLE.BIN.lnk High
9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/2e2e.lnk High
9/16/13 2:32 PM Detected Trojan program Trojan.Win32.AutoRun.gen E:/autorun.inf High
9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/DK_backup_current.lnk High
9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/Creative_webcam_instant.lnk High
9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/Original_setup.lnk High
9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/RECYCLER.lnk High
9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/System Volume Information.lnk High
9/16/13 2:37 PM Detected virus HEUR:Worm.Script.Generic E:/2c2c/g3d9f.js High
9/16/13 2:37 PM Detected virus HEUR:Worm.Script.Generic E:/2c2c/i31313.js High
9/16/13 2:37 PM Detected virus HEUR:Worm.Script.Generic E:/2e2e/g3fe4.js High
9/16/13 2:37 PM Detected virus HEUR:Worm.Script.Generic E:/2e2e/i333.js High
9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/$RECYCLE.BIN.lnk High
9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/Affinium.lnk High
9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/Backup Files.lnk High
9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/Original Config.lnk High
9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/RECYCLER.lnk High
9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/System Volume Information.lnk High
9/17/13 2:54 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic I:/$RECYCLE.BIN.lnk High
9/17/13 2:54 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic I:/Music_iTunes.lnk High
9/17/13 2:54 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic I:/Music.lnk High
9/17/13 2:54 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic I:/System Volume Information.lnk High
9/17/13 2:54 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic I:/Archives.lnk High
9/17/13 2:54 AM Detected Trojan program Trojan.Win32.AutoRun.gen I:/autorun.inf High
9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.Cydoor I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0018.BIN//cd_htm.dll//PECompact Medium
9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.CommonName.bt I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0019.BIN//ASPack Medium
9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.CommonName.bt I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0019.BIN//ASPack//data0000//CNForm.exe Medium
9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.NewDotNet I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0020.BIN Medium
9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.HotBar.ab I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0021.BIN Medium
9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.Gator.1050 I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0023.BIN Medium
9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.SaveNow.w I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0025.BIN//data0003.res//SaveNow.exe Medium
9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.SaveNow.au I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0025.BIN//data0003.res//Uninst.exe Medium
9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.SaveNow.au I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0025.BIN//# Medium
9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/$RECYCLE.BIN.lnk High
9/17/13 3:09 AM Detected Trojan program Trojan.Win32.AutoRun.gen J:/autorun.inf High
9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/Install_files.lnk High
9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/Music.lnk High
9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/MUSICSTUDIO-PC.lnk High
9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/Original_programs.lnk High
9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/System Volume Information.lnk High
9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/Temp.lnk High
9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/WindowsImageBackup.lnk High
-
Update: running the Kaspersky rescue disk with all external hard drives attached. The good news is that it's finding infections - virus HEUR.Worm.Script.Generic on the main and external hard drives and HEUR.Trojan.WinLNK.Generic, Trojan.Win32.AutoRun.gen on the external drive. I will disinfect once the scan is done and send you the log. Please advise as to next steps after disinfection.
-
Will do. One question - do I connect all my external hard drives for the Kaspersky scan? I have 3 disks with lots of data, I suppose they are infected as well?
-
Marius, here is the ComboFix log after running with the script. After this Malwarebytes Anti-Malware would not start, and I could only get it going through Chameleon #5. Should I proceed with the MAM scan?
ComboFix 13-09-14.01 - Nachum 09/16/2013 10:57:30.2.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.6135 [GMT -4:00]
Running from: c:\users\Nachum\Desktop\nk.exe
Command switches used :: c:\users\Nachum\Desktop\CFScript.txt
AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\6fd.js"
"c:\users\Nachum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fd.js"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\2d9
c:\2d9\2828
c:\2d9\2c2c2
c:\2d9\3082
c:\2d9\3b873
c:\2d9\3b97
c:\program files\338
c:\program files\338\3282.js
c:\windows\SysWow64\kWab.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-08-16 to 2013-09-16 )))))))))))))))))))))))))))))))
.
.
2013-09-16 15:02 . 2013-09-16 15:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-16 15:01 . 2013-09-16 15:04 -------- d-sh--w- c:\program files\338
2013-09-16 15:01 . 2013-09-16 15:04 -------- d-----w- C:\2d9
2013-09-16 15:00 . 2013-09-16 15:02 46112 ----a-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\6e.js
2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST
2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore
2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET
2013-09-16 00:18 . 2013-09-16 00:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll
2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo
2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA
2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS
2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft
2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd
2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X7
2013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers
2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe
2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe
2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys
2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll
2013-09-05 14:47 . 2013-09-16 14:11 -------- d-----w- C:\Temp
2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.0
2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype
2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE
2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt
2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer
2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software
2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad
2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft
2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft
2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll
2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet
2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared
2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG
2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll
2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool
2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP
2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard
2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll
2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll
2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll
2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll
2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll
2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll
2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP
2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP
2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS
2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel
2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight
2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO
2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud
2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS
2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther
2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys
2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH
2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office
2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help
2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache
2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed
2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed
2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET
2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe
2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot
2013-09-01 18:11 . 2013-09-16 14:55 -------- d-----w- c:\programdata\WRData
2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat
2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat
2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT
2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec
2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys
2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll
2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll
2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll
2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe
2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe
2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe
2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll
2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl
2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe
2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys
2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL
2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL
2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3a9"="c:\users\Nachum\AppData\Roaming\2c8b\3a9.js" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-08-15 6581488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]
"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
c:\users\Nachum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
6e.js [2013-9-16 46112]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
6e.js [2013-9-16 46112]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions"= 1
"NoWindowsUpdate"= 1
"NoControlPanel"= 1
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]
R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]
R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]
S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]
S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]
S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]
@="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"
[HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]
@="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"
[HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]
@="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"
[HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2013-06-20 382248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]
"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\
FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com
FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com
FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exe
c:\windows\SysWOW64\SAsrv.exe
c:\progra~1\Lenovo\Zoom\TPSCREX.EXE
c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-09-16 11:08:34 - machine was rebooted
ComboFix-quarantined-files.txt 2013-09-16 15:08
ComboFix2.txt 2013-09-16 14:41
.
Pre-Run: 99,306,733,568 bytes free
Post-Run: 99,224,027,136 bytes free
.
- - End Of File - - FEC56E8B35D9452E4C0967E3F4BDED36
-
Marius, the ComboFix scan is running. For the Malwarebytes Anti-Malware scan should I attach the external hard drive I mentioned above?
-
Marius, ComboFix initially wouldn't run, but did after I changed the .exe file name. Here is the log:
ComboFix 13-09-14.01 - Nachum 09/16/2013 10:27:46.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.5193 [GMT -4:00]
Running from: c:\users\Nachum\Desktop\nk.exe
AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\users\Nachum\AppData\Local\Microsoft\Windows\Temporary Internet Files\{2DD9637E-57C1-4AB2-BD4F-923667711C95}.xps
c:\users\Nachum\AppData\Local\Microsoft\Windows\Temporary Internet Files\{63CB63EA-59E3-4480-9749-A4AF8FE658DE}.xps
.
.
((((((((((((((((((((((((( Files Created from 2013-08-16 to 2013-09-16 )))))))))))))))))))))))))))))))
.
.
2013-09-16 14:37 . 2013-09-16 14:37 46112 ----a-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\6fd.js
2013-09-16 14:33 . 2013-09-16 14:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST
2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore
2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET
2013-09-16 00:18 . 2013-09-16 00:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes
2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-15 23:32 . 2013-09-15 23:32 -------- d-----w- C:\2d9
2013-09-15 23:32 . 2013-09-15 23:32 -------- d-sh--w- c:\program files\338
2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll
2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo
2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software
2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA
2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS
2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft
2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd
2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X7
2013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers
2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe
2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe
2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys
2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll
2013-09-05 14:47 . 2013-09-16 14:11 -------- d-----w- C:\Temp
2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.0
2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype
2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype
2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE
2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE
2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt
2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird
2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer
2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software
2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad
2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft
2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft
2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll
2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet
2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared
2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG
2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll
2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool
2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP
2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard
2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll
2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll
2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll
2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll
2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll
2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll
2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP
2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP
2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS
2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel
2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW
2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight
2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO
2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud
2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS
2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther
2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys
2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH
2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office
2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help
2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache
2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed
2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed
2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET
2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe
2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys
2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot
2013-09-01 18:11 . 2013-09-16 13:58 -------- d-----w- c:\programdata\WRData
2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat
2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat
2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT
2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec
2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll
2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys
2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll
2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll
2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll
2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe
2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe
2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe
2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe
2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll
2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl
2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe
2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys
2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL
2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL
2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3a9"="c:\users\Nachum\AppData\Roaming\2c8b\3a9.js" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-08-15 6581488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]
"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
c:\users\Nachum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
6fd.js [2013-9-16 46112]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
6fd.js [2013-9-16 46112]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions"= 1
"NoWindowsUpdate"= 1
"NoControlPanel"= 1
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]
R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]
S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]
S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]
S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
S2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]
S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]
@="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"
[HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]
@="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"
[HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]
@="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"
[HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]
2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]
2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2013-06-20 382248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]
"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\
FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com
FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com
FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-EaseUS EPM tray - c:\program files (x86)\EaseUS\EaseUS Partition Master 9.2.2\bin\EpmNews.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-SDWinLogon - SDWinLogon.dll
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exe
c:\windows\SysWOW64\SAsrv.exe
c:\progra~1\Lenovo\Zoom\TPSCREX.EXE
c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-09-16 10:41:03 - machine was rebooted
ComboFix-quarantined-files.txt 2013-09-16 14:41
.
Pre-Run: 98,788,335,616 bytes free
Post-Run: 98,858,082,304 bytes free
.
- - End Of File - - 46B1549479BECF4964BE75E01C41744E
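The "Reg Loading Points" section of the ComboFix log above is where the persistence is visible: a `.js` file under the user's AppData in the HKCU Run key tagged `[X]`, the same `6fd.js` dropped into both Startup folders, and Explorer/system policy values (`NoControlPanel`, `NofolderOptions`, `NoWindowsUpdate`, `EnableLUA=0`) that match the "no Control Panel, folder options greyed out" symptoms reported in the thread. The following is an added triage script, not part of the thread or of ComboFix itself; it assumes the line layout ComboFix uses in the log above (a bracketed key or a folder path ending in `\` opens a section, entries carry a trailing `[date size]` or `[X]` stamp) and uses a sample constructed from those log lines so it runs offline.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the ComboFix "Reg Loading Points"
# section posted above, so the parser can be run without a live log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3a9"="c:\users\Nachum\AppData\Roaming\2c8b\3a9.js" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-08-15 6581488]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions"= 1
"NoWindowsUpdate"= 1
"NoControlPanel"= 1
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
6fd.js [2013-9-16 46112]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
"""

# Policy values that lock the user out of the tools needed to investigate.
# The number is the value that means "restricted" for that policy.
RESTRICTIVE_POLICIES = {
    "nocontrolpanel": (1, "Control Panel hidden"),
    "nofolderoptions": (1, "Folder Options hidden"),
    "nowindowsupdate": (1, "Windows Update blocked"),
    "enablelua": (0, "UAC disabled"),
    "consentpromptbehavioradmin": (0, "UAC elevates without prompting"),
}
SCRIPT_EXTENSIONS = {".js", ".vbs", ".wsf", ".bat", ".cmd", ".ps1"}

# Line shapes assumed from the log above (not an official ComboFix grammar).
REG_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<tag>[^\]]*)\]$')
POLICY_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>-?\d+)')
STARTUP_ENTRY = re.compile(r'^(?P<name>.+?)(?: - (?P<target>.+?))?\s*\[(?P<tag>[^\]]*)\]$')


def check_autostart(path: str, tag: str, where: str) -> list[str]:
    """Return the reasons an autostart target deserves a closer look."""
    reasons = []
    if PureWindowsPath(path).suffix.lower() in SCRIPT_EXTENSIONS:
        reasons.append(f"{where}: script {path} runs at logon")
    if "\\appdata\\" in path.lower():
        reasons.append(f"{where}: {path} runs from a user profile directory")
    if tag.strip().upper() == "X":
        reasons.append(f"{where}: {path} is tagged [X] instead of a date/size stamp")
    return reasons


def triage(log_text: str) -> list[str]:
    """Walk Reg Loading Points lines and return human-readable findings."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]            # a registry key opens a section
            continue
        if line.endswith("\\") and not line.startswith('"'):
            section = line                  # a Startup folder path opens a section
            continue
        if section is None:
            continue
        if "\\policies\\" in section.lower():
            m = POLICY_VALUE.match(line)
            if m:
                rule = RESTRICTIVE_POLICIES.get(m.group("name").lower())
                if rule and int(m.group("value")) == rule[0]:
                    findings.append(
                        f"{section}: {m.group('name')}={m.group('value')} ({rule[1]})")
            continue
        if section.startswith("HKEY"):
            m = REG_ENTRY.match(line)
            if m:
                findings.extend(check_autostart(
                    m.group("path"), m.group("tag"), f"{section}\\{m.group('name')}"))
            continue
        # Startup folder: bare file, or "name.lnk - target" for shortcuts
        m = STARTUP_ENTRY.match(line)
        if m:
            path = m.group("target") or section + m.group("name")
            findings.extend(check_autostart(path, m.group("tag"), section + m.group("name")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports the `3a9.js` Run entry three times (script, AppData location, `[X]` stamp), the `6fd.js` Startup item once, and the five restrictive policy values, while the SUPERAntiSpyware and HP entries produce nothing. On a real log, paste the whole "Reg Loading Points" block in place of `SAMPLE_LOG`; the findings are a starting list for the helper to confirm, not a verdict.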
-
Marius, here is the aswMBR log:
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-16 10:16:44
-----------------------------
10:16:44.173 OS Version: Windows x64 6.1.7601 Service Pack 1
10:16:44.173 Number of processors: 4 586 0x2A07
10:16:44.174 ComputerName: NACHUM-OFFICE UserName: Nachum
10:16:44.369 Initialze error 1
10:17:26.120 AVAST engine defs: 13091600
10:17:45.772 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:17:45.774 Disk 0 Vendor: ST320LT0 0004 Size: 305245MB BusType: 3
10:17:45.818 Disk 0 MBR read successfully
10:17:45.823 Disk 0 MBR scan
10:17:45.834 Disk 0 unknown MBR code
10:17:45.841 Disk 0 Partition 1 00 EE GPT 2097151 MB offset 1
10:17:45.853 Disk 0 scanning C:\Windows\system32\drivers
10:17:45.860 Service scanning
10:17:46.434 Modules scanning
10:17:46.443 Disk 0 trace - called modules:
10:17:46.453 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
10:17:46.463 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009fea060]
10:17:46.468 3 CLASSPNP.SYS[fffff88001c5143f] -> nt!IofCallDriver -> [0xfffffa8007ab1e00]
10:17:46.799 5 ACPI.sys[fffff88000f777a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007aff050]
10:17:46.811 AVAST engine scan C:\Windows
10:17:46.822 AVAST engine scan C:\Windows\system32
10:17:46.830 AVAST engine scan C:\Windows\system32\drivers
10:17:46.837 AVAST engine scan C:\Users\Nachum
10:17:46.843 AVAST engine scan C:\ProgramData
10:17:46.850 Scan finished successfully
10:18:09.500 Disk 0 MBR has been saved successfully to "C:\Users\Nachum\Desktop\MBR.dat"
10:18:09.503 The log file has been saved successfully to "C:\Users\Nachum\Desktop\aswMBR.txt"
-
Marius,
Thank you very much for your assistance. The FRST and ADDITION logs are attached. I had tried to paste them in the post, but when trying to post I got an error message "post_too_long". I had this infection problem recently and did a clean install of Windows; however, the problem returned yesterday when I connected my USB HD to my computer - the folders on the external drive appear as shortcuts and an AUTORUN file is present. Best regards, Nachum
-
Been through all the steps in "FAQ - Malwarebytes Anti-Malware won't run or failed to resolve my issue", managed to get MBAM running via Chameleon, but nothing was detected; RKill didn't find anything either. Symptoms are: can't turn on firewall, no access to Control Panel (Windows Explorer crashes), folder options greyed out, regedit closes after 1 second, System Restore closes after 1 second, etc. Downloaded and ran DDS but the logs are not created.
Appreciate your help,
Cheers,
Nachum
Infected, DDS won't work
in Resolved Malware Removal Logs
I solved the firewall issue by deleting the above regedit value; it was forcing the firewall to be turned off. All's well now. Thank you very much for your assistance!! Nachum