Jump to content

GlennR

Members
  • Posts

    7
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Hello Chris, Thanks for getting back to me. I ran ESET Online Scanner - failed to load updates at first complaining about some proxy issue. As a last resort I just rebooted the system and then it loaded and ran fine. Did not find anything in the system, and it even scanned an external I forgot to disconnect. The ESET result is here. ESETSmartInstaller@High as CAB hook log: OnlineScanner64.ocx - registred OK OnlineScanner.ocx - registred OK esets_scanner_update returned -1 esets_gle=12 esets_scanner_update returned -1 esets_gle=12 I ran Security Check and the result is here. Results of screen317's Security Check version 0.99.18 Windows 7 (UAC is enabled) Internet Explorer 8 `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Enabled! ESET Online Scanner v3 McAfee Security Scan Plus WMI entry may not exist for antivirus; attempting automatic update. ``````````````````````````````` Anti-malware/Other Utilities Check: Malwarebytes' Anti-Malware Java Web Start Java 6 Update 18 Java 2 Runtime Environment, SE v1.4.1_07 Out of date Java installed! Adobe Flash Player 10.3.183.7 Adobe Reader X (10.1.0) Mozilla Firefox (x86 en-US..) ```````````````````````````````` Process Check: objlist.exe by Laurent Windows Defender MSMpEng.exe Microsoft Security Essentials msseces.exe ``````````End of Log```````````` As I reported last time,I am not having any visible issues with performance or with any malware. The only thing I have left is the hibernate / powercfg issues I mentioned and I believe that has nothing to do with the malware episode. I have been able to keep my Win 7 system pretty clean with Microsoft Security Essentials, regular Windows updates, and Malwareebytes and Spybot S&D in my back pocket. Microsoft is doing something right with Win7 - the only unknown being Internet Explorer. The only time I have ever had any issue has been when I use IE for a day simply because my other browser sessions are overloaded with activity. That was certainly the case here. Do you have a favorite commercial antivirus, etc. that runs light on resources? Norton and McAafee were always heavy and caused more performance issues than the protection they provided. With a bad taste in my mouth, I decided to use neither in moving to Win7 and the decision has served me well so far. I would also like to learn more what Combifix is doing. I think it ran a ccleaner type operation that was probably very beneficial. Thanks for walking me through this. Glenn
  2. Bump Hello Chris, I have not gotten any feedback regarding the results of running Combifix on my system. I was hoping to hear do this next, or an all clear - with any general suggestions from someone associated with the Malwarebytes forum. The good news is the following. I have not had any STOP SCREEN reboots or any evidence of compromised performance since my last post. I do believe Combifix did fix something in addition to the general cleanup that it does. Shutdowns seem to go smoother - could be coincidence. Is it safe for me to re-enable Defogger at this point? Is it necessary and/or wise to uninstall Combifix when this is all done? I've concluded that my problem with hibernate is unrelated and powercfg revealed some issues - I will address that separately. If you have suggestions on who to ask, that would be appreciated. Thank you again for the help. Glenn
  3. Hello Chris, Updating my system status as promised. 16. Downloaded an ran Combifix. It ran without issue and reported the following. ComboFix 11-09-13.04 - Glenn 09/13/2011 23:00:59.1.8 - x64 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8181.6138 [GMT -5:00] Running from: c:\users\Glenn\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160} SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\users\Glenn\AppData\Local\{DD817C5A-B1A0-45FB-BF87-1FD6C773C01C} c:\users\Glenn\AppData\Local\{DD817C5A-B1A0-45FB-BF87-1FD6C773C01C}\chrome.manifest c:\users\Glenn\AppData\Local\{DD817C5A-B1A0-45FB-BF87-1FD6C773C01C}\chrome\content\_cfg.js c:\users\Glenn\AppData\Local\{DD817C5A-B1A0-45FB-BF87-1FD6C773C01C}\chrome\content\overlay.xul c:\users\Glenn\AppData\Local\{DD817C5A-B1A0-45FB-BF87-1FD6C773C01C}\install.rdf c:\users\Glenn\AppData\Local\ApplicationHistory c:\users\Glenn\AppData\Local\ApplicationHistory\ngen.exe.2c05686e.ini c:\users\Glenn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Recovery.lnk c:\users\Glenn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\My Disk c:\users\Glenn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\My Disk\My Disk.lnk c:\users\Glenn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\My Disk\Uninstall My Disk.lnk c:\users\Glenn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Recovery c:\users\Glenn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Recovery\System Recovery.lnk c:\users\Glenn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Recovery\Uninstall System Recovery.lnk c:\users\Glenn\g2mdlhlpx.exe c:\users\Glenn\GoToAssistDownloadHelper.exe c:\windows\SysWow64\comct332.ocx E:\install.exe . . ((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 ))))))))))))))))))))))))))))))) . . 2011-09-14 04:35 . 2011-09-14 04:35 -------- d-----w- c:\users\Default\AppData\Local\temp 2011-09-13 22:31 . 2011-09-13 22:31 -------- d-----w- c:\programdata\Seagate 2011-09-13 22:31 . 2011-09-13 22:31 -------- d-----w- c:\program files (x86)\Seagate 2011-09-13 21:54 . 2011-09-13 22:30 -------- d-----w- c:\users\Glenn\AppData\Local\Downloaded Installations 2011-09-13 21:51 . 2011-09-13 21:51 -------- d-----w- c:\windows\SysWow64\URTTEMP 2011-09-13 06:58 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{99ADEE3C-20E2-4C08-94EB-14D499E366D7}\mpengine.dll 2011-09-13 00:34 . 2011-09-13 00:35 -------- d-----w- c:\program files\WhoCrashed 2011-09-09 01:37 . 2011-09-09 01:37 -------- d-----w- c:\windows\Sun 2011-09-08 21:13 . 2011-09-08 21:14 -------- d-----w- c:\windows\system32\appmgmt 2011-09-08 21:04 . 2011-09-08 21:06 -------- d-----w- c:\program files\RsetmySQL 2011-09-08 17:44 . 2010-11-30 16:43 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EECD0777-4629-4965-8DB8-05DFBB02F79A}\gapaengine.dll 2011-09-08 06:13 . 2011-09-08 06:21 -------- d-----w- C:\wamp 2011-09-02 15:47 . 2011-09-02 15:50 -------- d-----w- C:\My Web Sites 2011-09-02 15:44 . 2011-09-02 15:44 -------- d-----w- c:\program files\WinHTTrack 2011-08-29 04:25 . 2011-08-15 19:32 224048 ----a-w- c:\windows\system32\drivers\VBoxDrv.sys 2011-08-29 04:25 . 2011-08-15 19:32 128816 ----a-w- c:\windows\system32\drivers\VBoxUSBMon.sys 2011-08-28 04:15 . 2011-08-28 04:15 -------- d-----w- c:\program files\Oracle 2011-08-25 22:09 . 2011-08-25 22:09 -------- d-----w- c:\programdata\Apple Computer 2011-08-24 07:47 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll 2011-08-24 07:47 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll 2011-08-17 15:34 . 2011-08-17 15:34 -------- d-----w- c:\users\Glenn\AppData\Roaming\inkscape 2011-08-17 15:30 . 2011-08-17 15:34 -------- d-----w- c:\program files (x86)\Inkscape 2011-08-16 18:39 . 2011-08-16 18:39 -------- d-----w- c:\windows\en 2011-08-16 18:38 . 2011-08-16 18:38 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2011-08-15 19:32 . 2011-08-15 19:32 165680 ----a-w- c:\windows\system32\drivers\VBoxNetFlt.sys 2011-08-15 19:32 . 2011-08-15 19:32 146736 ----a-w- c:\windows\system32\drivers\VBoxNetAdp.sys 2011-08-15 19:32 . 2011-08-15 19:32 320816 ----a-w- c:\windows\system32\VBoxNetFltNobj.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-09-08 18:10 . 2011-06-20 16:00 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl 2011-08-31 22:00 . 2011-03-08 06:26 25416 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-08-21 15:00 . 2011-04-24 22:36 64272 ----a-w- c:\windows\system32\drivers\RapportKE64.sys 2011-08-12 04:10 . 2011-03-09 22:38 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-07-22 05:42 . 2011-08-10 08:01 2303488 ----a-w- c:\windows\system32\jscript9.dll 2011-07-22 05:36 . 2011-08-10 08:01 1389056 ----a-w- c:\windows\system32\wininet.dll 2011-07-22 05:32 . 2011-08-10 08:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2011-07-22 02:54 . 2011-08-10 08:01 1797632 ----a-w- c:\windows\SysWow64\jscript9.dll 2011-07-22 02:48 . 2011-08-10 08:01 1126912 ----a-w- c:\windows\SysWow64\wininet.dll 2011-07-22 02:44 . 2011-08-10 08:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb 2011-07-16 05:41 . 2011-08-09 22:40 362496 ----a-w- c:\windows\system32\wow64win.dll 2011-07-16 05:41 . 2011-08-09 22:40 243200 ----a-w- c:\windows\system32\wow64.dll 2011-07-16 05:41 . 2011-08-09 22:40 13312 ----a-w- c:\windows\system32\wow64cpu.dll 2011-07-16 05:39 . 2011-08-09 22:40 16384 ----a-w- c:\windows\system32\ntvdm64.dll 2011-07-16 05:37 . 2011-08-09 22:40 421888 ----a-w- c:\windows\system32\KernelBase.dll 2011-07-16 05:21 . 2011-08-09 22:40 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll 2011-07-16 05:21 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll 2011-07-16 04:29 . 2011-08-09 22:40 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll 2011-07-16 04:26 . 2011-08-09 22:40 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2011-07-16 04:25 . 2011-08-09 22:40 25600 ----a-w- c:\windows\SysWow64\setup16.exe 2011-07-16 04:24 . 2011-08-09 22:40 5120 ----a-w- c:\windows\SysWow64\wow32.dll 2011-07-16 04:24 . 2011-08-09 22:40 272384 ----a-w- c:\windows\SysWow64\KernelBase.dll 2011-07-16 04:15 . 2011-08-09 22:40 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-string-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 5120 ---ha-w- c:\windows\SysWow64\api-ms-win-core-file-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-io-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll 2011-07-16 04:15 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-console-l1-1-0.dll 2011-07-16 02:21 . 2011-08-09 22:40 7680 ----a-w- c:\windows\SysWow64\instnm.exe 2011-07-16 02:21 . 2011-08-09 22:40 2048 ----a-w- c:\windows\SysWow64\user.exe 2011-07-16 02:17 . 2011-08-09 22:40 6144 ---ha-w- c:\windows\SysWow64\api-ms-win-security-base-l1-1-0.dll 2011-07-16 02:17 . 2011-08-09 22:40 4608 ---ha-w- c:\windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll 2011-07-16 02:17 . 2011-08-09 22:40 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll 2011-07-16 02:17 . 2011-08-09 22:40 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-core-util-l1-1-0.dll 2011-07-13 04:53 . 2011-07-29 20:36 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll 2011-07-09 02:46 . 2011-08-09 22:40 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys 2011-07-05 23:37 . 2011-07-05 23:37 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx 2011-07-05 23:37 . 2011-07-05 23:37 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts 2011-06-28 13:56 . 2011-06-28 13:56 74752 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe 2011-06-28 13:56 . 2011-06-28 13:56 161792 ----a-w- c:\windows\SysWow64\msls31.dll 2011-06-28 13:56 . 2011-06-28 13:56 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll 2011-06-28 13:56 . 2011-06-28 13:56 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll 2011-06-28 13:56 . 2011-06-28 13:56 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe 2011-06-28 13:56 . 2011-06-28 13:56 74752 ----a-w- c:\windows\SysWow64\iesetup.dll 2011-06-28 13:56 . 2011-06-28 13:56 63488 ----a-w- c:\windows\SysWow64\tdc.ocx 2011-06-28 13:56 . 2011-06-28 13:56 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll 2011-06-28 13:56 . 2011-06-28 13:56 420864 ----a-w- c:\windows\SysWow64\vbscript.dll 2011-06-28 13:56 . 2011-06-28 13:56 367104 ----a-w- c:\windows\SysWow64\html.iec 2011-06-28 13:56 . 2011-06-28 13:56 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll 2011-06-28 13:56 . 2011-06-28 13:56 152064 ----a-w- c:\windows\SysWow64\wextract.exe 2011-06-28 13:56 . 2011-06-28 13:56 150528 ----a-w- c:\windows\SysWow64\iexpress.exe 2011-06-28 13:56 . 2011-06-28 13:56 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe 2011-06-28 13:56 . 2011-06-28 13:56 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl 2011-06-28 13:56 . 2011-06-28 13:56 11776 ----a-w- c:\windows\SysWow64\mshta.exe 2011-06-28 13:56 . 2011-06-28 13:56 101888 ----a-w- c:\windows\SysWow64\admparse.dll 2011-06-28 13:56 . 2011-06-28 13:56 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Glenn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Glenn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 94208 ----a-w- c:\users\Glenn\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2011-05-13 4283256] "SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480] "LMab1err"="c:\program files\Lexmark\ErrorApp\LMab1err.exe" [2008-10-14 569344] "TOSDOCKAPP"="c:\program files\TOSHIBA\dynadock_II\TosDockApp.exe" [2009-10-29 264568] "uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2011-03-29 399736] "Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-04-18 15146376] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-10-02 284696] "BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2008-07-08 91432] "RemoteControl"="c:\program files (x86)\CyberLink\PowerDVD\PDVDServ.exe" [2008-05-14 87336] "LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD\Language\Language.exe" [2008-05-14 62760] "CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2008-01-16 103720] "P2Go_Menu"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-01-04 222504] "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040] "SSBkgdUpdate"="c:\program files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896] "OpwareSE4"="c:\program files (x86)\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304] "RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192] "BlackBerryAutoUpdate"="c:\program files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-10-27 648536] "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920] "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888] "MaxMenuMgr"="c:\program files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640] . c:\users\Glenn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Dropbox.lnk - c:\users\Glenn\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-5-25 24176560] OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680] . c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Desktop Manager.lnk - c:\program files (x86)\Research In Motion\BlackBerry\DesktopMgr.exe [2010-10-27 1819992] Dimdim.lnk - c:\program files (x86)\Dimdim\Plugin\Application\Dimdim.exe [2010-9-15 632104] ImageMixer 3 SE Camera Monitor Ver.6.lnk - c:\program files (x86)\PIXELA\ImageMixer 3 SE Ver.6\Transfer Utility\CameraMonitor.exe [2010-12-19 537968] Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-8-31 1207312] McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli c:\program files\Protector Suite\psqlpwd.dll Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . R0 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys [x] R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 136176] R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560] R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 136176] R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x] R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232] R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x] R3 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2011-01-07 63304] R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x] R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272] R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x] R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x] R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x] R3 VBoxUSB;VirtualBox USB;c:\windows\system32\Drivers\VBoxUSB.sys [x] R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x] S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [x] S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x] S0 RapportKE64;RapportKE64;c:\windows\System32\Drivers\RapportKE64.sys [x] S1 RapportCerberus_29574;RapportCerberus_29574;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus64_29574.sys [2011-08-03 386128] S1 RapportEI64;RapportEI64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2011-08-21 52496] S1 RapportPG64;RapportPG64;c:\program files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2011-08-21 61200] S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [x] S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [x] S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952] S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2011-02-16 9520488] S2 FreeAgentGoNext Service;Seagate Service;c:\program files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736] S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-10-02 13336] S2 RapportMgmtService;Rapport Management Service;c:\program files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-08-21 870200] S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368] S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\windows\SysWOW64\nvSCPAPISvr.exe [2009-10-17 239720] S3 dfmirage;dfmirage;c:\windows\system32\DRIVERS\dfmirage.sys [x] S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.5.30661.0.sys [x] S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [x] S3 fspad_wlh64;Finger-sensing Pad Driver for Windows 2000/XP/Vista/Win7_wlh64;c:\windows\system32\DRIVERS\fspad_wlh64.sys [x] S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [x] S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x] S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x] S3 USBMULCD;USB Multi-Channel Audio Device Interface;c:\windows\system32\drivers\CM10664.sys [x] S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x] S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x] S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x] . . Contents of the 'Scheduled Tasks' folder . 2011-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 23:35] . 2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-08-20 23:35] . 2011-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2841501842-1150761130-229039673-1001Core.job - c:\users\Glenn\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-15 21:47] . 2011-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2841501842-1150761130-229039673-1001UA.job - c:\users\Glenn\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-15 21:47] . 2011-09-13 c:\windows\Tasks\next.job - c:\programdata\Dimdim\Updater\next.exe [2010-09-15 13:52] . . --------- x86-64 ----------- . . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1] @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Glenn\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2] @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Glenn\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3] @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}] 2011-02-18 05:12 97792 ----a-w- c:\users\Glenn\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay] @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}" [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}] 2009-08-25 18:51 5943048 ----a-w- c:\program files\Protector Suite\farchns.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen] @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}" [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}] 2009-08-25 18:51 5943048 ----a-w- c:\program files\Protector Suite\farchns.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-17 16405096] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-08-11 8060960] "fspuip"="c:\program files\FSP\fspuip.exe" [2009-06-19 1096192] "PSQLLauncher"="c:\program files\Protector Suite\launcher.exe" [2009-08-25 84744] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856] "TOSDOCKAPP"="c:\program files\TOSHIBA\dynadock_II\TosDockApp.exe" [2009-10-29 264568] "Cm106Sound"="c:\windows\Syswow64\cm106.dll" [2009-09-06 8146944] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576] "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736] "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-05-19 440824] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "LoadAppInit_DLLs"=0x0 . ------- Supplementary Scan ------- . uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = <local> IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000 Trusted Zone: intuit.com\ttlc TCP: DhcpNameServer = 192.168.1.1 68.238.64.12 FF - ProfilePath - c:\users\Glenn\AppData\Roaming\Mozilla\Firefox\Profiles\85eyzo0c.default\ . - - - - ORPHANS REMOVED - - - - . Wow6432Node-HKCU-Run-Fw1H6RJih8SrV - c:\programdata\Fw1H6RJih8SrV.exe HKLM-Run-(Default) - (no file) . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MsDepSvc] "ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}] "ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD\000.fcl" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.10" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10i.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 "MSCurrentCountry"=dword:000000b5 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2011-09-13 23:59:02 ComboFix-quarantined-files.txt 2011-09-14 04:58 . Pre-Run: 219,159,191,552 bytes free Post-Run: 218,951,307,264 bytes free . - - End Of File - - 757080C542CF6EBDFB184C831D4CA826 17. Rebooted system after Combifix and restarted MSE, Windows Firewall, and S&D resident. 18. Let Windows update weekly security updates. 19. Ran DDS again and it reported the following. DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_18 Run by Glenn at 0:43:51 on 2011-09-14 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8181.6050 [GMT -5:00] . AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160} SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\nvvsvc.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\nvvsvc.exe C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe C:\Program Files\Protector Suite\upeksvr.exe C:\Windows\system32\WUDFHost.exe C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k WbioSvcGroup C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe C:\Windows\system32\LMabcoms.exe C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE C:\Windows\SysWOW64\nvSCPAPISvr.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe C:\Windows\system32\PrintIsolationHost.exe C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\system32\taskhost.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe C:\Program Files\FSP\FspUip.exe C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE C:\Program Files\TOSHIBA\dynadock_II\TosDockApp.exe C:\Windows\SysWOW64\rundll32.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\Program Files\Protector Suite\psqltray.exe C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Lexmark\ErrorApp\LMab1err.EXE C:\Program Files (x86)\Skype\Phone\Skype.exe C:\Program Files (x86)\PIXELA\ImageMixer 3 SE Ver.6\Transfer Utility\CameraMonitor.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe C:\Windows\system32\SearchIndexer.exe C:\Users\Glenn\AppData\Roaming\Dropbox\bin\Dropbox.exe C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE C:\Windows\system\Cm106eye.exe C:\Program Files (x86)\CyberLink\Shared Files\brs.exe C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe C:\Program Files (x86)\ScanSoft\OmniPageSE4.0\OpWareSE4.exe C:\Program Files (x86)\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe C:\Program Files (x86)\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\svchost.exe -k LocalServicePeerNet C:\Windows\system32\DllHost.exe C:\Windows\System32\svchost.exe -k swprv C:\Windows\system32\taskeng.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\REGSVR32.exe C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe C:\Windows\SysWOW64\cscript.exe C:\Windows\system32\wbem\wmiprvse.exe . ============== Pseudo HJT Report =============== . uInternet Settings,ProxyOverride = <local> BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe uRun: [LMab1err] C:\Program Files\Lexmark\ErrorApp\LMab1err.exe uRun: [TOSDOCKAPP] C:\Program Files\TOSHIBA\dynadock_II\TosDockApp.exe uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe mRun: [bDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe mRun: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe" mRun: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe" mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" mRun: [P2Go_Menu] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" mRun: [sSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot mRun: [OpwareSE4] "C:\Program Files (x86)\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe mRun: [blackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun: [MaxMenuMgr] "C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" StartupFolder: C:\Users\Glenn\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Glenn\AppData\Roaming\Dropbox\bin\Dropbox.exe StartupFolder: C:\Users\Glenn\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\DESKTO~1.LNK - C:\Program Files (x86)\Research In Motion\BlackBerry\DesktopMgr.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\Dimdim.lnk - C:\Program Files (x86)\Dimdim\Plugin\Application\Dimdim.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\IMAGEM~1.LNK - C:\Program Files (x86)\PIXELA\ImageMixer 3 SE Ver.6\Transfer Utility\CameraMonitor.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files\Logitech\SetPoint\SetPoint.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll Trusted Zone: intuit.com\ttlc DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab TCP: DhcpNameServer = 192.168.1.1 68.238.64.12 TCP: Interfaces\{1D371872-00F9-4BFB-82FF-38151284944C} : DhcpNameServer = 192.168.1.1 68.238.64.12 TCP: Interfaces\{358CB42E-7575-494F-A2AB-39BDDAC7B16A}\0516E6164747F6E696 : DhcpNameServer = 10.1.37.10 192.168.12.10 192.168.12.19 TCP: Interfaces\{358CB42E-7575-494F-A2AB-39BDDAC7B16A}\849454 : DhcpNameServer = 192.168.90.1 Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll LSA: Notification Packages = scecli C:\Program Files\Protector Suite\psqlpwd.dll BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO-X64: AcroIEHelperStub - No File BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe mRun-x64: [bDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe mRun-x64: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe" mRun-x64: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe" mRun-x64: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" mRun-x64: [P2Go_Menu] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" mRun-x64: [sSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot mRun-x64: [OpwareSE4] "C:\Program Files (x86)\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" mRun-x64: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe mRun-x64: [blackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime mRun-x64: [MaxMenuMgr] "C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll . ================= FIREFOX =================== . FF - ProfilePath - C:\Users\Glenn\AppData\Roaming\Mozilla\Firefox\Profiles\85eyzo0c.default\ . ============= SERVICES / DRIVERS =============== . R0 dlkmdldr;dlkmdldr;C:\Windows\system32\drivers\dlkmdldr.sys --> C:\Windows\system32\drivers\dlkmdldr.sys [?] R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?] R0 RapportKE64;RapportKE64;C:\Windows\system32\Drivers\RapportKE64.sys --> C:\Windows\system32\Drivers\RapportKE64.sys [?] R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?] R1 RapportCerberus_29574;RapportCerberus_29574;C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus64_29574.sys [2011-8-3 386128] R1 RapportEI64;RapportEI64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2011-8-21 52496] R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2011-8-21 61200] R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952] R2 DisplayLinkService;DisplayLinkManager;C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [2011-2-16 9520488] R2 FreeAgentGoNext Service;Seagate Service;C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-9-25 189736] R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-2-9 13336] R2 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-8-21 870200] R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-6-26 1153368] R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Windows\SysWOW64\nvSCPAPISvr.exe [2009-10-17 239720] R3 dfmirage;dfmirage;C:\Windows\system32\DRIVERS\dfmirage.sys --> C:\Windows\system32\DRIVERS\dfmirage.sys [?] R3 DisplayLinkUsbPort;DisplayLink USB Device;C:\Windows\system32\DRIVERS\DisplayLinkUsbPort_5.5.30661.0.sys --> C:\Windows\system32\DRIVERS\DisplayLinkUsbPort_5.5.30661.0.sys [?] R3 dlkmd;dlkmd;C:\Windows\system32\drivers\dlkmd.sys --> C:\Windows\system32\drivers\dlkmd.sys [?] R3 fspad_wlh64;Finger-sensing Pad Driver for Windows 2000/XP/Vista/Win7_wlh64;C:\Windows\system32\DRIVERS\fspad_wlh64.sys --> C:\Windows\system32\DRIVERS\fspad_wlh64.sys [?] R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?] R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?] R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?] R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272] R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?] R3 USBMULCD;USB Multi-Channel Audio Device Interface;C:\Windows\system32\drivers\CM10664.sys --> C:\Windows\system32\drivers\CM10664.sys [?] R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?] S0 johci;JMicron 1394 Filter Driver;C:\Windows\system32\DRIVERS\johci.sys --> C:\Windows\system32\DRIVERS\johci.sys [?] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-20 136176] S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560] S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?] S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840] S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-20 136176] S3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?] S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232] S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?] S3 MsDepSvc;Web Deployment Agent Service;C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2011-1-7 63304] S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?] S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?] S3 VBoxUSB;VirtualBox USB;C:\Windows\system32\Drivers\VBoxUSB.sys --> C:\Windows\system32\Drivers\VBoxUSB.sys [?] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?] . =============== Created Last 30 ================ . 2011-09-14 05:07:47 -------- d-----w- C:\Users\Glenn\AppData\Local\{C49F725A-1B8C-4727-A6F4-5FB0542C61AE} 2011-09-14 05:07:35 -------- d-----w- C:\Users\Glenn\AppData\Local\{9FE8E4BC-9854-4C1F-B70D-20210252D160} 2011-09-14 05:06:03 -------- d-sh--w- C:\$RECYCLE.BIN 2011-09-14 03:53:04 98816 ----a-w- C:\Windows\sed.exe 2011-09-14 03:53:04 518144 ----a-w- C:\Windows\SWREG.exe 2011-09-14 03:53:04 256000 ----a-w- C:\Windows\PEV.exe 2011-09-14 03:53:04 208896 ----a-w- C:\Windows\MBR.exe 2011-09-14 03:51:58 -------- d-----w- C:\ComboFix 2011-09-13 22:31:56 -------- d-----w- C:\ProgramData\Seagate 2011-09-13 22:31:56 -------- d-----w- C:\Program Files (x86)\Seagate 2011-09-13 21:54:16 -------- d-----w- C:\Users\Glenn\AppData\Local\Downloaded Installations 2011-09-13 21:51:46 -------- d-----w- C:\Windows\SysWow64\URTTEMP 2011-09-13 11:44:35 -------- d-----w- C:\Users\Glenn\AppData\Local\{875BE3EC-6A8D-495B-A7F1-ED36C2409ADF} 2011-09-13 11:44:24 -------- d-----w- C:\Users\Glenn\AppData\Local\{EB69DC8D-B5DD-422A-B3FF-FDBD060ABF67} 2011-09-13 06:58:00 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{99ADEE3C-20E2-4C08-94EB-14D499E366D7}\mpengine.dll 2011-09-13 00:34:15 -------- d-----w- C:\Program Files\WhoCrashed 2011-09-12 18:49:53 -------- d-----w- C:\Users\Glenn\AppData\Local\{196D63D4-B173-47BD-9C23-2D52B85D518D} 2011-09-12 18:49:24 -------- d-----w- C:\Users\Glenn\AppData\Local\{ABC2BDA3-6965-41DD-A33F-8E32F18C4E6F} 2011-09-11 14:20:29 -------- d-----w- C:\Users\Glenn\AppData\Local\{230A3E33-9BA4-471D-B948-7E63F34D9C4D} 2011-09-11 02:19:57 -------- d-----w- C:\Users\Glenn\AppData\Local\{301D0597-319B-452D-896B-B8CDB1524D3B} 2011-09-10 14:19:24 -------- d-----w- C:\Users\Glenn\AppData\Local\{8C7B2866-5868-4FF3-92A5-09AA14631C9D} 2011-09-10 14:19:03 -------- d-----w- C:\Users\Glenn\AppData\Local\{D2542E99-2AB7-424C-8EB8-78E6350527EE} 2011-09-10 02:18:38 -------- d-----w- C:\Users\Glenn\AppData\Local\{ABFA1A05-2727-4701-A90D-0EB60D2756EC} 2011-09-09 14:18:05 -------- d-----w- C:\Users\Glenn\AppData\Local\{68AC8A6D-7E41-460C-920B-8F0C99591B6B} 2011-09-09 14:17:44 -------- d-----w- C:\Users\Glenn\AppData\Local\{D61AE756-171A-46D1-8E1B-4B81B7231143} 2011-09-09 02:17:06 -------- d-----w- C:\Users\Glenn\AppData\Local\{C98B1AC6-42E6-44D2-82CB-9EF6D2AA7C0C} 2011-09-09 02:16:44 -------- d-----w- C:\Users\Glenn\AppData\Local\{1ED447DF-C8C0-469A-8F39-4F128BA05CA7} 2011-09-08 21:13:38 -------- d-----w- C:\Windows\System32\appmgmt 2011-09-08 21:04:58 -------- d-----w- C:\Program Files\RsetmySQL 2011-09-08 17:44:03 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EECD0777-4629-4965-8DB8-05DFBB02F79A}\gapaengine.dll 2011-09-08 06:13:51 -------- d-----w- C:\wamp 2011-09-02 15:47:13 -------- d-----w- C:\My Web Sites 2011-09-02 15:44:50 -------- d-----w- C:\Program Files\WinHTTrack 2011-08-30 14:54:09 -------- d-----w- C:\Users\Glenn\AppData\Local\{3DF6E8DC-F5C9-49D1-801E-340FFB3F1F11} 2011-08-30 14:53:58 -------- d-----w- C:\Users\Glenn\AppData\Local\{7B976EA9-83A9-45CE-9E80-8ED4795FC27C} 2011-08-30 12:55:02 -------- d-----w- C:\Users\Glenn\AppData\Local\{A63F8C77-5407-45E2-BFA3-6546E648399D} 2011-08-29 04:25:23 224048 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys 2011-08-29 04:25:12 128816 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys 2011-08-28 04:15:59 -------- d-----w- C:\Program Files\Oracle 2011-08-24 19:52:46 -------- d-----w- C:\Users\Glenn\AppData\Local\{DE4A4B16-3D63-45A4-993E-76794E0C1221} 2011-08-24 19:52:25 -------- d-----w- C:\Users\Glenn\AppData\Local\{9471D79E-21F6-4CC6-A5DB-699EA62B14AF} 2011-08-24 07:47:11 2048 ----a-w- C:\Windows\SysWow64\tzres.dll 2011-08-24 07:47:11 2048 ----a-w- C:\Windows\System32\tzres.dll 2011-08-23 14:11:21 -------- d-----w- C:\Users\Glenn\AppData\Local\{658AC793-A3C2-4052-804B-9FA0F6440D4E} 2011-08-23 14:11:10 -------- d-----w- C:\Users\Glenn\AppData\Local\{C744A275-71F1-4FC4-9781-5792BDDB31E2} 2011-08-23 12:59:29 -------- d-----w- C:\Users\Glenn\AppData\Local\{49E40CD9-4685-4531-B743-7CE3722E4155} 2011-08-17 15:34:49 -------- d-----w- C:\Users\Glenn\AppData\Roaming\inkscape 2011-08-17 15:30:34 -------- d-----w- C:\Program Files (x86)\Inkscape 2011-08-16 18:54:40 -------- d-----w- C:\Users\Glenn\AppData\Local\{EFADCB18-507B-4AB4-BEDC-E19695B989A3} 2011-08-16 18:54:23 -------- d-----w- C:\Users\Glenn\AppData\Local\{AB0AE6AE-1C46-4FEB-BAB3-C7547D98E62A} 2011-08-16 18:39:58 -------- d-----w- C:\Windows\en 2011-08-16 18:38:08 18328 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2011-08-16 18:32:08 -------- d-----w- C:\Users\Glenn\AppData\Local\{A9C7D5A4-BC97-49B6-B3DB-707F6BC5E26D} 2011-08-16 18:31:39 -------- d-----w- C:\Users\Glenn\AppData\Local\{6F6FB241-0D25-4F17-A371-D8C1383EDE09} 2011-08-15 19:32:10 165680 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys 2011-08-15 19:32:10 146736 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys 2011-08-15 19:32:08 320816 ----a-w- C:\Windows\System32\VBoxNetFltNobj.dll . ==================== Find3M ==================== . 2011-09-08 18:10:12 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2011-08-31 22:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys 2011-08-21 15:00:42 64272 ----a-w- C:\Windows\System32\drivers\RapportKE64.sys 2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll 2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll 2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb 2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll 2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll 2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll 2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll 2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll 2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll 2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll 2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll 2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll 2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe 2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll 2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll 2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe 2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe 2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll 2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll 2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll 2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll 2011-07-09 02:46:28 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys 2011-07-05 23:37:00 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx 2011-07-05 23:37:00 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts 2011-06-28 13:55:59 85504 ----a-w- C:\Windows\System32\iesetup.dll 2011-06-28 13:55:59 603648 ----a-w- C:\Windows\System32\vbscript.dll 2011-06-28 13:55:59 30720 ----a-w- C:\Windows\System32\licmgr10.dll 2011-06-28 13:55:59 165888 ----a-w- C:\Windows\System32\iexpress.exe 2011-06-28 13:55:59 160256 ----a-w- C:\Windows\System32\wextract.exe 2011-06-28 13:55:59 1492992 ----a-w- C:\Windows\System32\inetcpl.cpl 2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll 2011-06-24 05:25:49 338432 ----a-w- C:\Windows\System32\conhost.exe 2011-06-23 05:43:12 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe 2011-06-23 04:33:57 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe 2011-06-23 04:33:57 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe 2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys . ============= FINISH: 0:52:01.35 =============== 20. Current Status – System has been stable all day. But my usage pattern today has been significantly less than normal and I have run less variety of apps since I was concentrating on backups, and the issues at hand in this thread. And truthfully being a cautious user today. I took a quick glance at the Combifix results. Some good catches there as well as a couple I don't necessarily agree with in terms of file deletions. Several registry key items to review. I didn't do the hardware checks. Will continue monitoring behavior and report. Looking forward to your next response – Thanks for everything. Glenn ComboFix.txt DDS2.txt Attach2.txt
  4. Hello Chris, Thanks for offering your guidance. I have a few more data points on the current state of my system. 8. I've continued to run MBAM full scans with a clean report each time. Spybot scans reported the same. At your request, I grabbed today's MBAM update and ran a quick scan. A clean report again. Malwarebytes' Anti-Malware 1.51.2.1300 www.malwarebytes.org Database version: 7709 Windows 6.1.7601 Service Pack 1 Internet Explorer 9.0.8112.16421 9/13/2011 11:57:13 AM mbam-log-2011-09-13 (11-57-13).txt Scan type: Quick scan Objects scanned: 189121 Time elapsed: 1 minute(s), 14 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) 9. The anticipation of a response from the forum was too much. I broke down and ran unhide.exe to restore normal visibility and access to my files, programs and start menus after reviewing details of what it does and recognizing that my info still existed in the smtmp directory that the virus created. The program ran, but ended with a "parse error". I don't know what that means, but it seemed to have worked as advertised. I have my desktop icons, my fully populated start menu, and I was able to reset the desktop theme. Had to reset Recycle bin and Computer icon visibility, an easy fix. So for the most part, look and feel is back to normal. 10. I have had a few freezes / blue screen reboots that occurred after I was MBAM clean, so there is probably more to do. After initial investigation, I am thinking this could be a user induced Firefox issue - which also auto-updated earlier in the day of this episode. I tend to load up on browser windows and tabs and leave things running forever. If I overdid it. FF would crash and right now my system is crashing instead. Needless to say, I am correcting this FF use behavior as of yesterday and monitoring the system for freezes. 11. Investigation into the freezes revealed that these were STOP SCREEN commands with warnings of LOCKED PROCESSES. I've never seen them before even though they have occurred on rare occasion because I use a Dynadock and external monitor and I miss the Windows startup sequence. I know that 10.2+ versions of Adobe Flash player have been the culprit in the recent past. And wouldn't you know it, Adobe Flash updated again in Firefox earlier in the day of this episode. 12. Checking into the locked processes issue, I downloaded and ran WhoCrashed.exe It gives some insight into the dumps. The PROCESS HAS LOCKED PAGES entries are the current ones and relevant here. The older PAGE FAULT IN NONPAGED AREA entries are directly related to the Adobe Flash Player. I have attached the WhoCrashed.rtf log file. It is very likely that this is virus related, but it could not be. It will require additional debugging. I understand if this goes outside the scope of what you are able to help with. Here's one the last WhoCrashed entries for reference. On Tue 9/13/2011 12:22:19 AM GMT your computer crashed crash dump file: C:\Windows\Minidump\091211-25958-01.dmp This was probably caused by the following module: ntoskrnl.exe (nt+0x7CC40) Bugcheck code: 0x76 (0x0, 0xFFFFFA80144246A0, 0x7D1, 0x0) Error: PROCESS_HAS_LOCKED_PAGES file path: C:\Windows\system32\ntoskrnl.exe product: Microsoft® Windows® Operating System company: Microsoft Corporation description: NT Kernel & System Bug check description: This bug check indicates that a driver failed to release locked pages after an I/O operation, or that it attempted to unlock pages that were already unlocked. The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time. On Tue 9/13/2011 12:22:19 AM GMT your computer crashed crash dump file: C:\Windows\memory.dmp This was probably caused by the following module: ntkrnlmp.exe (nt!KeBugCheckEx+0x0) Bugcheck code: 0x76 (0x0, 0xFFFFFA80144246A0, 0x7D1, 0x0) Error: PROCESS_HAS_LOCKED_PAGES Bug check description: This bug check indicates that a driver failed to release locked pages after an I/O operation, or that it attempted to unlock pages that were already unlocked. The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time. 13. I did have one new crash that occurred when I did a hibernate / shutdown. When I powered up to restore, Windows indicated that it did not shut down properly – and of course did not restore but simply booted fresh. 14. Current State. The only problems visible to me is the stop screen freezes and the hibernate failure. Advisories suggest running MEMCHK and CHKDSK to check for if it is a hardware problems. It is more likely that this is related to the virus. or some action I mistook. DO YOU SEE ANY REASON I SHOULD NOT RUN THE HARDWARE CHECKS AT THIS POINT? 15. Next Steps. I want to run the hardware checks, unless I am advised otherwise. I will also download and run Combifix as you recommend. PLEASE REVIEW AND ADVISE I will post again after running Combifix and rerunning DDS. Thanks for your help and everything you do for the user community. Glenn WhoCrashed.rtf
  5. I have reposted this topic in the Computer Help - Malware Removal - HijackThis Logs forum. Thanks
  6. Hello, Reposting after initial post in General Malwarebytes' Anti-Malware Forum. I need guidance in completing cleanup from the System Recovery virus that infected my Win7-64 system and became visible Thursday evening. I was unable to close apps fast enough to prevent the "cosmetic" damage of the infection and resorted to forcing a shutdown. I have cleaned the obvious, but just don't trust messing with the registry. There are too many variables in this specific occurrence and too many opinions on how to address it. I had executed several browser based downloads from supposedly credible sources. Some combination of IE9, a Firefox security update including an Adobe flash player update mixed in with the real stuff I was working on – a WAMP server build. Symptoms of the infection. This is the System Recovery panel that pops on your screen, "scanning" your system, telling you everything is wrong with your system. This wiped out my desktop icons, hid files/directories, changed the desktop theme and wiped my startup menu recent entries and All Programs entries. Basically made the system look mostly wiped out. Since my initial post, I have followed your recommended prep work to analyze my system and have incorporated that into my activity log here. 1. In Windows explore, I set Show hidden files. This made my files/directories visible again. I did several 'locked' directories and was at times denied access to stuff as I was exploring and debugging the impact of the infection. The hidden.exe is going to be useful to me. 2. Ran Malwarebytes full scan. It reported and fixed the following. Malwarebytes' Anti-Malware 1.51.1.1800 www.malwarebytes.org Database version: 7681 Windows 6.1.7601 Service Pack 1 Internet Explorer 9.0.8112.16421 9/9/2011 12:41:08 AM mbam-log-2011-09-09 (00-41-08).txt Scan type: Full scan (C:\|E:\|) Objects scanned: 440924 Time elapsed: 1 hour(s), 13 minute(s), 4 second(s) Memory Processes Infected: 1 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 3 Memory Processes Infected: c:\programdata\p1kalmig2kb7fz.exe (Rogue.FakeHDD) -> 7292 -> Failed to unload process. Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xINAfOOBcRr (Trojan.FakeAlert) -> Value: xINAfOOBcRr -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) 3. Investigated the ProgramData directory based on what was reported. I did some manual deletes in addition to those Malwarebytes did. There were initially 3 files and 2 ~ remnants. Malwarebytes did not remove them all. So I did and also removed a desktop link. I reran Malwarebytes, but only a quick scan which gave me a clean report. 4. A background sequence of events - that I did not notice until much later. The rogue executables that got removed during the Malwarebytes sequence were "installed" at ~8:45pm, the time when hell broke. On my system I have Spybot S&D resident. I also have Microsoft Security Essentials real time monitoring with a weekly quick scan. MSE had trapped a trogan at ~9:45pm, after the initial infection, but before I had regained my composure to run Malwarebytes. MSE reported two entries Trojan: Win32/FakeSysDef Severe 9/8/2011 9:44pm Quarantined Items: process:pid:4052 Trojan: Win32/FakeSysDef Severe 9/8/2011 9:55pm Removed Items: folder:C:\Users\Glenn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\my disk\ 5. I ran Spybot S&D. Detection updates failed – maybe an artifact of the infection. Downloaded the updated detection signatures and ran. Spybot reported and fixed the following. --- Report generated: 2011-09-09 11:50 --- Fraud.WindowsRecovery: [sBI $9C8FE954] Settings (Registry value, fixed) HKEY_USERS\S-1-5-21-2841501842-1150761130-229039673-1001\Software\75fa38b7-8b94-4995-ad32-52e938867954 Fraud.WindowsRecovery: [sBI $597FC39E] Settings (Registry value, fixed) HKEY_USERS\S-1-5-21-2841501842-1150761130-229039673-1001\Software\BD --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) --- Reran Malwarebytes full scan which reported clean. 6. Running stable since then – ran recommended analyses. Executed defogger disable. Ran clean without issue. Executed DDS.scr without issue. Saved DDS.txt. Saved Attach.txt. Executed GMER rootkit scanner without issue. Saved ark.txt. 7. Current State. Appear to be running close to "normal" with some desktop look and feel issues and possible file/directory access issues noticed during exploration/debug of virus contamination. I see several "locked" directories that I just never noticed before. Most desktop icons missing. Rogue desktop theme (black screen). Cannot change desktop theme or background. Start menu All Programs is empty. It's time for some registry cleanup I think. This issue is very similar to a Forum posting Infected by Windows Restore virus, desktop icons missing from 02 May 2011. I see unhide.exe, roguekiller,etc. I'd appreciate assistance with this to make sure I am running the latest versions and taking the right steps for my particular situation. Thank you, Glenn DDS.txt . DDS (Ver_2011-08-26.01) - NTFSAMD64 Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_18 Run by Glenn at 17:27:23 on 2011-09-09 Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8181.1124 [GMT -5:00] . AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160} SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\nvvsvc.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\nvvsvc.exe C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe C:\Windows\system32\WUDFHost.exe C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Program Files\Protector Suite\upeksvr.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k WbioSvcGroup C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Windows\system32\LMabcoms.exe C:\Windows\system32\taskhost.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe C:\Program Files\FSP\FspUip.exe C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE C:\Program Files\TOSHIBA\dynadock_II\TosDockApp.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\PrintIsolationHost.exe C:\Program Files\Microsoft Security Client\msseces.exe C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Protector Suite\psqltray.exe C:\Program Files\Lexmark\ErrorApp\LMab1err.EXE C:\Program Files (x86)\uTorrent\uTorrent.exe C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe C:\Program Files (x86)\CyberLink\Shared Files\brs.exe C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe C:\Windows\system\Cm106eye.exe C:\Program Files (x86)\ScanSoft\OmniPageSE4.0\OpWareSE4.exe C:\Program Files (x86)\Common Files\Research in Motion\USB Drivers\RIMBBLaunchAgent.exe C:\Program Files (x86)\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE C:\Windows\SysWOW64\nvSCPAPISvr.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe C:\Windows\system32\SearchIndexer.exe C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\System32\svchost.exe -k LocalServicePeerNet C:\Windows\system32\DllHost.exe C:\Windows\system32\taskmgr.exe C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Windows\system32\NOTEPAD.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AcroRd32.exe C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe C:\wamp\wampmanager.exe C:\Windows\SysWOW64\notepad.exe C:\Windows\system32\svchost.exe -k SDRSVC c:\wamp\bin\apache\apache2.2.17\bin\httpd.exe C:\wamp\bin\apache\apache2.2.17\bin\httpd.exe C:\Windows\system32\NOTEPAD.EXE C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe C:\Windows\system32\REGSVR32.exe C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\conhost.exe C:\Windows\SysWOW64\cscript.exe C:\Windows\system32\wbem\wmiprvse.exe . ============== Pseudo HJT Report =============== . uInternet Settings,ProxyOverride = <local> mWinlogon: Userinit=userinit.exe, BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe uRun: [LMab1err] C:\Program Files\Lexmark\ErrorApp\LMab1err.exe uRun: [TOSDOCKAPP] C:\Program Files\TOSHIBA\dynadock_II\TosDockApp.exe uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" uRun: [Fw1H6RJih8SrV] C:\ProgramData\Fw1H6RJih8SrV.exe uRun: [Google Update] "C:\Users\Glenn\AppData\Local\Google\Update\GoogleUpdate.exe" /c uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe mRun: [bDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe mRun: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe" mRun: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe" mRun: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" mRun: [P2Go_Menu] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" mRun: [sSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot mRun: [OpwareSE4] "C:\Program Files (x86)\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe mRun: [blackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background mRun: [<NO NAME>] mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime StartupFolder: C:\Users\Glenn\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Glenn\AppData\Roaming\Dropbox\bin\Dropbox.exe StartupFolder: C:\Users\Glenn\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE mPolicies-explorer: NoActiveDesktop = 1 (0x1) mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000 IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll Trusted Zone: intuit.com\ttlc DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab TCP: DhcpNameServer = 192.168.1.1 68.238.64.12 TCP: Interfaces\{1D371872-00F9-4BFB-82FF-38151284944C} : DhcpNameServer = 192.168.1.1 68.238.64.12 TCP: Interfaces\{358CB42E-7575-494F-A2AB-39BDDAC7B16A}\0516E6164747F6E696 : DhcpNameServer = 10.1.37.10 192.168.12.10 192.168.12.19 TCP: Interfaces\{358CB42E-7575-494F-A2AB-39BDDAC7B16A}\849454 : DhcpNameServer = 192.168.90.1 Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll LSA: Notification Packages = scecli C:\Program Files\Protector Suite\psqlpwd.dll BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO-X64: AcroIEHelperStub - No File BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File mRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe mRun-x64: [bDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe mRun-x64: [RemoteControl] "C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe" mRun-x64: [LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD\Language\Language.exe" mRun-x64: [CLMLServer] "C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe" mRun-x64: [P2Go_Menu] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0" mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" mRun-x64: [sSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot mRun-x64: [OpwareSE4] "C:\Program Files (x86)\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" mRun-x64: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe mRun-x64: [blackBerryAutoUpdate] C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background mRun-x64: [(Default)] mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll . ================= FIREFOX =================== . FF - ProfilePath - C:\Users\Glenn\AppData\Roaming\Mozilla\Firefox\Profiles\85eyzo0c.default\ FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll FF - component: C:\Users\Glenn\AppData\Roaming\Mozilla\Firefox\Profiles\85eyzo0c.default\extensions\passwordbank@upek.com\components\pbgk1_92.dll FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll FF - plugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll FF - plugin: C:\Program Files (x86)\Dimdim\Plugin\Application\npDimDimControl.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npsharedview.dll FF - plugin: C:\Program Files (x86)\Research In Motion Limited\BlackBerry App World Browser Plugin\npappworld.dll FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll FF - plugin: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL FF - plugin: C:\Program Files\Microsoft\Web Platform Installer\NPWPIDetector.dll FF - plugin: C:\Users\Glenn\AppData\Local\Google\Update\1.3.21.69\npGoogleUpdate3.dll FF - plugin: C:\Users\Glenn\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll FF - plugin: C:\Users\Glenn\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll . ============= SERVICES / DRIVERS =============== . R0 dlkmdldr;dlkmdldr;C:\Windows\system32\drivers\dlkmdldr.sys --> C:\Windows\system32\drivers\dlkmdldr.sys [?] R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?] R0 RapportKE64;RapportKE64;C:\Windows\system32\Drivers\RapportKE64.sys --> C:\Windows\system32\Drivers\RapportKE64.sys [?] R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?] R1 RapportCerberus_29574;RapportCerberus_29574;C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\29574\RapportCerberus64_29574.sys [2011-8-3 386128] R1 RapportEI64;RapportEI64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [2011-8-21 52496] R1 RapportPG64;RapportPG64;C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [2011-8-21 61200] R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952] R2 DisplayLinkService;DisplayLinkManager;C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [2011-2-16 9520488] R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-2-9 13336] R2 RapportMgmtService;Rapport Management Service;C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-8-21 870200] R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2010-6-26 1153368] R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Windows\SysWOW64\nvSCPAPISvr.exe [2009-10-17 239720] R3 dfmirage;dfmirage;C:\Windows\system32\DRIVERS\dfmirage.sys --> C:\Windows\system32\DRIVERS\dfmirage.sys [?] R3 DisplayLinkUsbPort;DisplayLink USB Device;C:\Windows\system32\DRIVERS\DisplayLinkUsbPort_5.5.30661.0.sys --> C:\Windows\system32\DRIVERS\DisplayLinkUsbPort_5.5.30661.0.sys [?] R3 dlkmd;dlkmd;C:\Windows\system32\drivers\dlkmd.sys --> C:\Windows\system32\drivers\dlkmd.sys [?] R3 fspad_wlh64;Finger-sensing Pad Driver for Windows 2000/XP/Vista/Win7_wlh64;C:\Windows\system32\DRIVERS\fspad_wlh64.sys --> C:\Windows\system32\DRIVERS\fspad_wlh64.sys [?] R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?] R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?] R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?] R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272] R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?] R3 USBMULCD;USB Multi-Channel Audio Device Interface;C:\Windows\system32\drivers\CM10664.sys --> C:\Windows\system32\drivers\CM10664.sys [?] R3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?] S0 johci;JMicron 1394 Filter Driver;C:\Windows\system32\DRIVERS\johci.sys --> C:\Windows\system32\DRIVERS\johci.sys [?] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-20 136176] S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560] S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?] S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840] S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-8-20 136176] S3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?] S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232] S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?] S3 MsDepSvc;Web Deployment Agent Service;C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [2011-1-7 63304] S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?] S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?] S3 VBoxUSB;VirtualBox USB;C:\Windows\system32\Drivers\VBoxUSB.sys --> C:\Windows\system32\Drivers\VBoxUSB.sys [?] S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?] . =============== Created Last 30 ================ . 2011-09-09 14:18:05 -------- d-----w- C:\Users\Glenn\AppData\Local\{68AC8A6D-7E41-460C-920B-8F0C99591B6B} 2011-09-09 14:17:44 -------- d-----w- C:\Users\Glenn\AppData\Local\{D61AE756-171A-46D1-8E1B-4B81B7231143} 2011-09-09 02:17:06 -------- d--h--w- C:\Users\Glenn\AppData\Local\{C98B1AC6-42E6-44D2-82CB-9EF6D2AA7C0C} 2011-09-09 02:16:44 -------- d--h--w- C:\Users\Glenn\AppData\Local\{1ED447DF-C8C0-469A-8F39-4F128BA05CA7} 2011-09-08 21:13:38 -------- d-----w- C:\Windows\System32\appmgmt 2011-09-08 21:04:58 -------- d--h--w- C:\Program Files\RsetmySQL 2011-09-08 17:44:03 601424 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EECD0777-4629-4965-8DB8-05DFBB02F79A}\gapaengine.dll 2011-09-08 17:43:43 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EE85C5EF-599A-4B5A-8CC3-42ECA69CFD42}\mpengine.dll 2011-09-08 06:13:51 -------- d--h--w- C:\wamp 2011-09-02 15:47:13 -------- d--h--w- C:\My Web Sites 2011-09-02 15:44:50 -------- d--h--w- C:\Program Files\WinHTTrack 2011-08-30 14:54:09 -------- d--h--w- C:\Users\Glenn\AppData\Local\{3DF6E8DC-F5C9-49D1-801E-340FFB3F1F11} 2011-08-30 14:53:58 -------- d--h--w- C:\Users\Glenn\AppData\Local\{7B976EA9-83A9-45CE-9E80-8ED4795FC27C} 2011-08-30 12:55:02 -------- d--h--w- C:\Users\Glenn\AppData\Local\{A63F8C77-5407-45E2-BFA3-6546E648399D} 2011-08-29 04:25:23 224048 ----a-w- C:\Windows\System32\drivers\VBoxDrv.sys 2011-08-29 04:25:12 128816 ----a-w- C:\Windows\System32\drivers\VBoxUSBMon.sys 2011-08-28 04:15:59 -------- d--h--w- C:\Program Files\Oracle 2011-08-24 19:52:46 -------- d--h--w- C:\Users\Glenn\AppData\Local\{DE4A4B16-3D63-45A4-993E-76794E0C1221} 2011-08-24 19:52:25 -------- d--h--w- C:\Users\Glenn\AppData\Local\{9471D79E-21F6-4CC6-A5DB-699EA62B14AF} 2011-08-24 07:47:11 2048 ----a-w- C:\Windows\SysWow64\tzres.dll 2011-08-24 07:47:11 2048 ----a-w- C:\Windows\System32\tzres.dll 2011-08-23 14:11:21 -------- d--h--w- C:\Users\Glenn\AppData\Local\{658AC793-A3C2-4052-804B-9FA0F6440D4E} 2011-08-23 14:11:10 -------- d--h--w- C:\Users\Glenn\AppData\Local\{C744A275-71F1-4FC4-9781-5792BDDB31E2} 2011-08-23 12:59:29 -------- d--h--w- C:\Users\Glenn\AppData\Local\{49E40CD9-4685-4531-B743-7CE3722E4155} 2011-08-17 15:34:49 -------- d--h--w- C:\Users\Glenn\AppData\Roaming\inkscape 2011-08-17 15:30:34 -------- d-----w- C:\Program Files (x86)\Inkscape 2011-08-16 18:54:40 -------- d--h--w- C:\Users\Glenn\AppData\Local\{EFADCB18-507B-4AB4-BEDC-E19695B989A3} 2011-08-16 18:54:23 -------- d--h--w- C:\Users\Glenn\AppData\Local\{AB0AE6AE-1C46-4FEB-BAB3-C7547D98E62A} 2011-08-16 18:39:58 -------- d-----w- C:\Windows\en 2011-08-16 18:38:08 18328 ----a-w- C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll 2011-08-16 18:32:08 -------- d--h--w- C:\Users\Glenn\AppData\Local\{A9C7D5A4-BC97-49B6-B3DB-707F6BC5E26D} 2011-08-16 18:31:39 -------- d--h--w- C:\Users\Glenn\AppData\Local\{6F6FB241-0D25-4F17-A371-D8C1383EDE09} 2011-08-15 19:32:10 165680 ----a-w- C:\Windows\System32\drivers\VBoxNetFlt.sys 2011-08-15 19:32:10 146736 ----a-w- C:\Windows\System32\drivers\VBoxNetAdp.sys 2011-08-15 19:32:08 320816 ----a-w- C:\Windows\System32\VBoxNetFltNobj.dll . ==================== Find3M ==================== . 2011-09-08 18:10:12 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl 2011-08-21 15:00:42 64272 ----a-w- C:\Windows\System32\drivers\RapportKE64.sys 2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll 2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll 2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb 2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll 2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll 2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb 2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll 2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll 2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll 2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll 2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll 2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll 2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll 2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe 2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll 2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll 2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe 2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe 2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll 2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll 2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll 2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll 2011-07-09 02:46:28 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys 2011-07-07 00:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys 2011-07-07 00:52:42 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys 2011-07-05 23:37:00 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx 2011-07-05 23:37:00 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts 2011-06-28 13:55:59 85504 ----a-w- C:\Windows\System32\iesetup.dll 2011-06-28 13:55:59 603648 ----a-w- C:\Windows\System32\vbscript.dll 2011-06-28 13:55:59 30720 ----a-w- C:\Windows\System32\licmgr10.dll 2011-06-28 13:55:59 165888 ----a-w- C:\Windows\System32\iexpress.exe 2011-06-28 13:55:59 160256 ----a-w- C:\Windows\System32\wextract.exe 2011-06-28 13:55:59 1492992 ----a-w- C:\Windows\System32\inetcpl.cpl 2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll 2011-06-24 05:25:49 338432 ----a-w- C:\Windows\System32\conhost.exe 2011-06-23 05:43:12 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe 2011-06-23 04:33:57 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe 2011-06-23 04:33:57 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe 2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys 2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll 2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll 2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll 2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll 2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll 2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll 2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll 2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll 2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll . ============= FINISH: 17:35:54.94 =============== ark.txt Attach.txt DDS.txt
  7. Hello, I need guidance in completing cleanup from the System Recovery virus that infected my Win7-64 system yesterday. Unable to shut system down fast enough to prevent some of the "cosmetic" damage. I've cleaned the obvious, just don't trust messing with the registry. Too many variables with this particular virus occurrence. Several browser based downloads when this happened. Some combination of IE9, a Firefox update, and a recommended adobe flash player update for FF mixed in with the real stuff I was working on. Symptoms - wiped out my desktop icons, hid most files, changed desktop theme. What I did - show all hidden files - brought back a few icons too. ran malwarebytes. It detected 3 files in ProgramData that I know are from the virus and 4 or so HKEY entries. Comfirmed the file deletion and removed one that remained plus 2 ~roguefilename files. Reran malwarebytes quickscan clean. Today ran Spybot S&D. Detection updater failed - maybe an artifact of the virus. Able to download detection updates from Softpedia. I also have S&D resident running on my system. Spybot detected and cleaned Fraud Windows Recovery HKEY entries, the same trojan from what I can tell. Reran malwarebytes full scan clean. Current status - running close to "normal" with some desktop look and feel issues and possible file/directory access issues noticed during exploration/debug of virus contamination. I see several "locked" directories that I just never noticed before. Most desktop icons missing. Rogue desktop theme (black screen). Cannot change desktop theme or background. Start menu All Programs is empty. This issue is very similar to a Forum posting Infected by Windows Restore virus, desktop icons missing from 02 May 2011. I see unhide.exe, roguekiller,etc. I'd appreciate assitance with this to make sure I am running the latest and taking the right steps for my particular situation. Thank you, Glenn
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.