jeff1675 Posted September 11, 2012 (Author, ID:595879)

DDS Scan Below. Thanks..

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by jeffrey at 12:33:33 on 2012-09-11
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8190.5934 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\BRUNVPRNPC64.EXE
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
d:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
D:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe
D:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
D:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe
D:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
D:\Program Files (x86)\PFU\ScanSnap\CardMinder V3.0\CardLauncher.exe
D:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe
C:\Program Files (x86)\Hitachi Software Engineering\FX-DuoDriver\LSDRVA.exe
C:\Program Files\UltraMon\UltraMon.exe
D:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
D:\Program Files (x86)\HitachiSoft\StarBoard Software\win32\release\starboardprintlistener.exe
C:\Program Files (x86)\Hitachi Software Engineering\StarBoard Driver\DGBoard.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
C:\Windows\Samsung\PanelMgr\caller64.exe
C:\Program Files (x86)\Hitachi Software Engineering\StarBoard Driver\DGBWinTouchChg.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\UltraMon\UltraMonUiAcc.exe
C:\Program Files (x86)\Common Files\Realtime Soft\RTSHookInterop\x32\RTSHookInterop.exe
C:\Users\jeffrey.ONEIDA-AIR\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jeffrey.ONEIDA-AIR\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jeffrey.ONEIDA-AIR\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jeffrey.ONEIDA-AIR\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\jeffrey.ONEIDA-AIR\AppData\Local\Google\Chrome\Application\chrome.exe
"C:\Windows\SysWOW64\svchost.exe" -k LocalServiceDns
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - D:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - C:\Program Files (x86)\LastPass\LPBar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - D:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - D:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Mikogo] "C:\Users\jeffrey.ONEIDA-AIR\AppData\Roaming\Mikogo 4\mikogo-host.exe" -asp
uRun: [LaCie Ethernet Agent Startup] "C:\Program Files\LaCie\Network Assistant\LaCie Network Assistant.exe" silent
mRun: [NUSB3MON] "D:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "D:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun: [starBoardPrintListener] "D:\Program Files (x86)\HitachiSoft\StarBoard Software\win32\release\starboardprintlistener.exe"
mRun: [starBoardDriver] "C:\Program Files (x86)\Hitachi Software Engineering\StarBoard Driver\DGBoard.exe"
mRun: [MyScriptStylusAutoStart.vbe] "d:\Program Files (x86)\Vision Objects\MyScript Stylus\MyScriptStylusAutoStart.vbe"
mRun: [samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [scanSnap WIA Service Checker] C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
dRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex
StartupFolder: C:\Users\JEFFRE~1.ONE\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\jeffrey.ONEIDA-AIR\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CARDMI~1.LNK - D:\Program Files (x86)\PFU\ScanSnap\CardMinder V3.0\CardLauncher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SCANSN~1.LNK - D:\Program Files (x86)\PFU\ScanSnap\Driver\PfuSsMon.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SOLIDW~1.LNK - C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\STARBO~1.LNK - C:\Program Files (x86)\Hitachi Software Engineering\FX-DuoDriver\LSDRVA.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\UltraMon.lnk - C:\Windows\Installer\{537056B7-32A4-4408-9B54-0341963C7C9C}\IcoUltraMon.ico
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - D:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms
IE: Se&nd to OneNote - D:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - D:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - D:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
Trusted Zone: oneida-air.com\oasvpn
DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://oasvpn.oneida-air.com/XTSAC.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxps://a248.e.akamai.net/f/248/14778/2h/dlmanager.download.akamai.com/14778/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574}
DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: Interfaces\{EC49DE3F-2CFF-4052-8090-8CF207F3ED0E} : NameServer = 10.0.0.2,10.0.0.5
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: LastPass Browser Helper Object: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
BHO-X64: LastPass Browser Helper Object - No File
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
mRun-x64: [NUSB3MON] "D:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun-x64: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [Adobe Acrobat Speed Launcher] "D:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
mRun-x64: [starBoardPrintListener] "D:\Program Files (x86)\HitachiSoft\StarBoard Software\win32\release\starboardprintlistener.exe"
mRun-x64: [starBoardDriver] "C:\Program Files (x86)\Hitachi Software Engineering\StarBoard Driver\DGBoard.exe"
mRun-x64: [MyScriptStylusAutoStart.vbe] "d:\Program Files (x86)\Vision Objects\MyScript Stylus\MyScriptStylusAutoStart.vbe"
mRun-x64: [samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [scanSnap WIA Service Checker] C:\Windows\SSDriver\fi5110\SsWiaChecker.exe
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRunOnce-x64: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R2 BrUnvPrnPortPCL;BrUnvPrnPortPCL;C:\Windows\system32\\BRUNVPRNPC64.EXE --> C:\Windows\system32\\BRUNVPRNPC64.EXE [?]
R2 MBAMScheduler;MBAMScheduler;D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-11 399432]
R2 SSPORT;SSPORT;\??\C:\Windows\system32\Drivers\SSPORT.sys --> C:\Windows\system32\Drivers\SSPORT.sys [?]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-12-10 381248]
R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files (x86)\Common Files\Realtime Soft\UltraMonMirrorDrv\x64\UltraMonUtility.sys [2008-11-14 20512]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-8-29 846448]
R2 vmware-converter-agent;VMware vCenter Converter Standalone Agent;D:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter-a.exe [2011-8-19 423536]
R2 vmware-converter-server;VMware vCenter Converter Standalone Server;D:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2011-8-19 423536]
R2 vmware-converter-worker;VMware vCenter Converter Standalone Worker;D:\Program Files (x86)\VMware\VMware vCenter Converter Standalone\vmware-converter.exe [2011-8-19 423536]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 StarBoardMT;StarBoard Software Multi-touch;C:\Windows\system32\DRIVERS\StarBoardMT.sys --> C:\Windows\system32\DRIVERS\StarBoardMT.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-7-17 116648]
S2 MBAMService;MBAMService;D:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-11 676936]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;D:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [2011-12-30 89160]
S3 DraftSight API Service;DraftSight API Service;C:\Program Files (x86)\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [2012-4-13 78336]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2012-1-19 1431888]
S3 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\428\g2ax_service.exe [2012-8-15 609720]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-7-17 116648]
S3 LSDRVA;StarBoard FX-DUO Light Sensor USB Driver (lsdrva.sys);C:\Windows\system32\Drivers\lsdrva.sys --> C:\Windows\system32\Drivers\lsdrva.sys [?]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 Remote Solver for Flow Simulation 2012;Remote Solver for Flow Simulation 2012;D:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [2011-12-9 113800]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
.
=============== Created Last 30 ================
.
2012-09-11 15:30:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-27 17:47:44 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\3F43.tmp
2012-08-27 17:47:44 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\3F42.tmp
2012-08-17 15:42:36 -------- d-----w- C:\Program Files\Microsoft Analysis Services
2012-08-17 15:41:41 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2012-08-17 15:41:34 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2012-08-17 15:41:31 -------- d-----w- C:\Windows\SysWow64\1033
2012-08-17 15:41:31 -------- d-----w- C:\Windows\System32\1033
2012-08-17 15:37:27 -------- d-----w- C:\Program Files\Microsoft SQL Server
2012-08-16 18:19:00 60304 ----a-w- C:\Users\jeffrey.ONEIDA-AIR\g2mdlhlpx.exe
2012-08-16 18:00:26 -------- d-----w- C:\ProgramData\Realtime Soft
2012-08-16 18:00:26 -------- d-----w- C:\Program Files\UltraMon
2012-08-16 18:00:26 -------- d-----w- C:\Program Files (x86)\Common Files\Realtime Soft
2012-08-15 20:53:55 -------- d-----w- C:\Users\jeffrey.ONEIDA-AIR\AppData\Local\Citrix
2012-08-15 20:53:54 111032 ----a-w- C:\Users\jeffrey.ONEIDA-AIR\g2ax_customer_downloadhelper_win32_x86.exe
.
==================== Find3M ====================
.
2012-09-07 21:04:46 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-08-08 21:29:56 167696 ----a-w- C:\Windows\System32\drivers\tmcomm.sys
2012-07-10 15:12:12 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-07-10 15:12:12 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-01-03 19:46:42 13844000 ----a-w- C:\Program Files (x86)\Common Files\lpuninstall.exe
.
============= FINISH: 12:33:46.03 ===============

Attach.txt
DDS.txt
MrCharlie Posted September 11, 2012 (ID:595880)

Welcome to the forum.

Please remove any USB or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!
Don't run any other options, they're not all bad!!!!!!!
Post back the report which should be located on your desktop.

MrC
jeff1675 Posted September 11, 2012 (Author, ID:595882)

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : jeffrey [Admin rights]
Mode : Scan -- Date : 09/11/2012 12:42:44

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Mikogo ("C:\Users\jeffrey.ONEIDA-AIR\AppData\Roaming\Mikogo 4\mikogo-host.exe" -asp) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1229272821-1409082233-839522115-1119[...]\Run : Mikogo ("C:\Users\jeffrey.ONEIDA-AIR\AppData\Roaming\Mikogo 4\mikogo-host.exe" -asp) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{EC49DE3F-2CFF-4052-8090-8CF207F3ED0E} : NameServer (10.0.0.2,10.0.0.5) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{EC49DE3F-2CFF-4052-8090-8CF207F3ED0E} : NameServer (10.0.0.2,10.0.0.5) -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
[susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Main +++++
--- User ---
[MBR] d13e4411ae15cbc1204037a801f514c1
[BSP] 2080a9313410d9a59b36e44c9bb29f69 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907731 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: OCZ-VERTEX2 ATA Device +++++
--- User ---
[MBR] 889c44ce5fe6f5e349c21c8826e4a79e
[BSP] ade5d072fd87f7df663f824951c8b4d5 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 57139 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt
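A RogueKiller report lists everything it considers worth a look, and MrCharlie's warning that "they're not all bad" is the point: the LAN resolvers at 10.0.0.2/10.0.0.5 and the policy keys holding 0 are not the infection, while the [ZeroAccess] paths and the services.exe ASLR hit are. The script below is an added example (not RogueKiller's code, not from this thread's participants) that parses a trimmed copy of the report above and sorts each FOUND line into a bucket. The bucketing rules are this example's own heuristic, and the sample text is constructed from the posted log.

```python
"""Triage a RogueKiller scan report (added example, not RogueKiller's own code).

Every '-> FOUND' line is sorted into one of three buckets:
  malware - artefacts the scanner attributes to a rootkit family (ZeroAccess here)
  review  - worth checking but not proof of infection (autorun from a profile path)
  info    - benign hits the scanner lists anyway (LAN resolvers, policy keys set to 0)
The bucketing rules are this example's own heuristic, not RogueKiller's logic.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the report posted in this thread.
SAMPLE_REPORT = r"""
RogueKiller V8.0.2 [08/31/2012] by Tigzy
Mode : Scan -- Date : 09/11/2012 12:42:44

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Mikogo ("C:\Users\jeffrey.ONEIDA-AIR\AppData\Roaming\Mikogo 4\mikogo-host.exe" -asp) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{EC49DE3F-2CFF-4052-8090-8CF207F3ED0E} : NameServer (10.0.0.2,10.0.0.5) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
[susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤
"""

# "[TAG][TAG] detail -> VERDICT" or "[TAG] detail --> VERDICT"
FINDING_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*?)\s*-{1,2}>\s*(\w+)$")
INFECTION_RE = re.compile(r"Infection\s*:\s*(\w+)")
ROOTKIT_TAGS = {"ZeroAccess", "susp.ASLR"}


def parse_findings(report):
    """Return a list of (tags, detail, verdict) tuples, one per tagged line."""
    findings = []
    for line in report.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            tags = re.findall(r"\[([^\]]+)\]", m.group(1))
            findings.append((tags, m.group(2), m.group(3)))
    return findings


def classify(tags, detail):
    """Heuristic bucket for one finding (this example's rule set)."""
    family = tags[0]
    if family in ROOTKIT_TAGS:
        return "malware"
    if family == "DNS":
        ips = re.findall(r"\d+\.\d+\.\d+\.\d+", detail)
        # Resolvers on RFC 1918 space are normally the site's own DNS servers.
        if ips and all(ipaddress.ip_address(ip).is_private for ip in ips):
            return "info"
        return "review"
    if family == "HJPOL":
        # A policy value of 0 means the restriction is off; only the key exists.
        return "info" if re.search(r"\(0\)\s*$", detail) else "review"
    if family in ("HJ DESK", "HJ SMENU"):
        return "info"
    return "review"   # e.g. [RUN][SUSP PATH]: an autorun from a user-writable path


def triage(report):
    """Bucket every finding and pull out the scanner's own infection verdict."""
    buckets = defaultdict(list)
    for tags, detail, _verdict in parse_findings(report):
        buckets[classify(tags, detail)].append(detail)
    m = INFECTION_RE.search(report)
    return {"infection": m.group(1) if m else None, "buckets": dict(buckets)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Scanner verdict:", result["infection"])
    for bucket in ("malware", "review", "info"):
        for detail in result["buckets"].get(bucket, []):
            print(f"{bucket:8} {detail}")
```

Run against a full RKreport the bucket split makes the difference between the rootkit artefacts and the host's ordinary configuration visible at a glance, which is exactly what "Don't Fix anything!" is protecting: the DNS and HJPOL lines here would be harmless to keep and disruptive to "fix".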
MrCharlie Posted September 11, 2012 (ID:595884)

Here you go......

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Let me know what you decide to do.

If you decide to go through with the cleanup, please proceed with the following steps.
-----------------------------------------
Please make sure system restore is running and create a new restore point before continuing!

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
  services.exe
- Now press the Search button
- When the search is complete, search.txt will also be written to your USB
- Type exit and reboot the computer normally
- Please copy and paste both logs in your reply. (FRST.txt and Search.txt)

MrC
jeff1675 Posted September 11, 2012 (Author, ID:595888)

Files attached.

FRST.txt
Search.txt
MrCharlie Posted September 11, 2012 (ID:595894)

OK, here you go......

Please carefully carry out this procedure!!!!!!

Please download the attached fixlist.txt and copy it to your flashdrive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

MrC
jeff1675 Posted September 11, 2012 (Author, ID:595908)

Fixlog Attached

Fixlog.txt
MrCharlie Posted September 11, 2012 (ID:595914)

That's not right.

Run another scan with RogueKiller and post the log, MrC
jeff1675 Posted September 11, 2012 (Author, ID:595924)

RogueKiller V8.0.2 [08/31/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : jeffrey [Admin rights]
Mode : Scan -- Date : 09/11/2012 14:42:19

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] mikogo-host.exe -- C:\Users\jeffrey.ONEIDA-AIR\AppData\Roaming\Mikogo 4\mikogo-host.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 10 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Mikogo ("C:\Users\jeffrey.ONEIDA-AIR\AppData\Roaming\Mikogo 4\mikogo-host.exe" -asp) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1229272821-1409082233-839522115-1119[...]\Run : Mikogo ("C:\Users\jeffrey.ONEIDA-AIR\AppData\Roaming\Mikogo 4\mikogo-host.exe" -asp) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{EC49DE3F-2CFF-4052-8090-8CF207F3ED0E} : NameServer (10.0.0.2,10.0.0.5) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{EC49DE3F-2CFF-4052-8090-8CF207F3ED0E} : NameServer (10.0.0.2,10.0.0.5) -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
[susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Main +++++
--- User ---
[MBR] d13e4411ae15cbc1204037a801f514c1
[BSP] 2080a9313410d9a59b36e44c9bb29f69 : Windows 7 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907731 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: OCZ-VERTEX2 ATA Device +++++
--- User ---
[MBR] 889c44ce5fe6f5e349c21c8826e4a79e
[BSP] ade5d072fd87f7df663f824951c8b4d5 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 57139 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: Flash Disk USB Device +++++
--- User ---
[MBR] 4f47507938a42996db0c3cb7d671ecc3
[BSP] e1347fcc1a7016b8beebb8f736a9d8c0 : Standard MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 32 | Size: 30 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[3].txt >>

RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
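The second report still carries "[susp.ASLR][FILE] services.exe", the line that survived the FRST fix. The script below is an added example (not RogueKiller's code and not from this thread) of the check that tag points at: reading the PE optional header and testing the DllCharacteristics word for IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE. It rests on an assumption, stated in the docstring, about what the tag means; the two header-only images it tests against are constructed inline, and `build_minimal_pe`, `check_file` and `has_aslr` are this example's own names.

```python
"""Check a PE image for the ASLR link flag (added example, not RogueKiller's code).

Assumption behind this example: RogueKiller's '[susp.ASLR]' tag means the file
was not linked with IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, a flag Windows 7 ships
set on its own system binaries, so a services.exe without it has most likely been
rebuilt or patched. Treat the result as a pointer to compare against a known-good
copy (the FRST services.exe search in this thread), not as a verdict on its own.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE_SIGNATURE = b"PE\x00\x00"
DLLCHARS_OFFSET = 70        # same offset inside PE32 and PE32+ optional headers


def dll_characteristics(image):
    """Return the DllCharacteristics word of a PE image held in memory."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    if len(image) < coff + 20:
        raise ValueError("truncated COFF header")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < DLLCHARS_OFFSET + 2 or len(image) < opt + opt_size:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dllchars,) = struct.unpack_from("<H", image, opt + DLLCHARS_OFFSET)
    return dllchars


def has_aslr(image):
    """True when the image was linked with /DYNAMICBASE."""
    return bool(dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def build_minimal_pe(dllchars, pe32plus=True):
    """Constructed header-only PE image for testing; not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)      # 64-byte DOS header
    opt_size = 112 if pe32plus else 96                           # no data directories
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, DLLCHARS_OFFSET, dllchars)
    return dos + PE_SIGNATURE + coff + bytes(opt)


def check_file(path):
    """Read only the first 64 KiB of a file on disk and report its ASLR flag."""
    with open(path, "rb") as f:
        head = f.read(65536)
    return has_aslr(head)


if __name__ == "__main__":
    # Usage: python aslr_check.py C:\Windows\System32\services.exe [more paths]
    for path in sys.argv[1:]:
        try:
            verdict = "ASLR" if check_file(path) else "NO ASLR (unexpected for a Windows 7 system file)"
        except (OSError, ValueError) as exc:
            verdict = f"error: {exc}"
        print(f"{path}: {verdict}")
```

The parser reads only headers, so it is safe to point at a file the scanner has already tagged; it never maps or executes the image. A missing flag is a reason to pull the file's hash and signature and compare with a known-good copy, which is what the FRST search in MrCharlie's earlier post collects.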
MrCharlie Posted September 11, 2012, ID:595930

For some reason the fix didn't work, let's try a different method:

Please read the directions carefully so you don't end up deleting something that is good!!

Please download the latest version of TDSSKiller from here and save it to your Desktop.
Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
Put a checkmark beside loaded modules.
A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
Then click on Change parameters in TDSSKiller.
Check all boxes then click OK.
Click the Start Scan button.
The scan should take no longer than 2 minutes.
If a suspicious object is detected, the default action will be Skip, click on Continue.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".
Please copy and paste the contents of that file here.
Sometimes these logs can be very large; in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:
If a suspicious object is detected, the default action will be Skip, click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue.
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

MrC
jeff1675 (Author) Posted September 11, 2012, ID:595941

Didn't find anything requiring a cure / reboot... log attached.
TDSSKiller.2.8.8.0_11.09.2012_15.27.37_log.txt
jeff1675 (Author) Posted September 11, 2012, ID:595943

Malwarebytes still sees the junk though... Just ran the scan, no action taken.
mbam-log-2012-09-11 (15-31-33).txt
MrCharlie Posted September 11, 2012, ID:595949

Run TDSSKiller again and choose Delete for this one only: (no need to post the log)

15:28:01.0046 5556 \Device\Harddisk1\DR1 ( TDSS File System ) - skipped by user
15:28:01.0046 5556 \Device\Harddisk1\DR1 ( TDSS File System ) - User select action: Skip

~~~~~~~~~~~~~~~~~~~~

Please download OTL from one of the links below:
http://oldtimer.geekstogo.com/OTL.exe
http://www.itxassoci...T-Tools/OTL.exe
http://oldtimer.geekstogo.com/OTL.com (<---renamed version)
Save it to your desktop.

Run OTL
Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Files
C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U\00000008.@
C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U\000000cb.@
C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U\80000000.@
C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\@
C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U
C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\L
C:\Windows\Assembly\GAC_32\Desktop.ini
C:\Windows\Assembly\GAC_64\Desktop.ini
:Files
C:\Windows\System32\services.exe|C:\Windows\erdnt\cache64\services.exe /replace
:Commands
[EMPTYJAVA]
[emptytemp]
[EMPTYFLASH]

Then click the Run Fix button at the top.
Let the program run unhindered; when done it will say "Fix Complete press ok to open the log".
Please post that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC
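The RogueKiller report earlier in the thread and the OTL fix above together describe the on-disk ZeroAccess footprint this machine had: an `@` file with `U` and `L` folders inside a GUID-named directory under C:\Windows\Installer, a Desktop.ini dropped into Assembly\GAC_32 and GAC_64, and a services.exe that RogueKiller flagged and that OTL restores from the ERUNT backup at C:\Windows\erdnt\cache64. The script below is an added example, not code from the thread, from RogueKiller or from OTL; it re-checks exactly those indicators against a Windows directory (or a mounted image) so a responder can confirm whether a fix actually took, which is what the later posts in this thread keep asking. The GUID-folder layout and the GAC Desktop.ini paths are taken from the logs above; the erdnt\cache64 backup path is the one the OTL fix uses and is assumed to hold a clean copy. It is written so the same check can be run against a test tree on any OS.

```python
r"""Re-check the ZeroAccess file-system indicators reported above.

Added example (not part of the forum thread, RogueKiller or OTL). Indicators:
  1. <Windows>\Installer\{GUID}\@ file and U / L sub-folders
  2. <Windows>\Assembly\GAC_32\Desktop.ini and GAC_64\Desktop.ini
  3. <Windows>\System32\services.exe differing from the ERUNT backup copy at
     <Windows>\erdnt\cache64\services.exe (assumed to be a clean copy)
Run from an elevated prompt on the live box, or point it at a mounted image.
"""
import hashlib
import re
from pathlib import Path

# Installer cache folders are GUID-named; ZeroAccess hid inside one of them.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def sha256_of(path: Path) -> str:
    """Stream the file so a large binary does not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_zeroaccess_artifacts(windows_root) -> list:
    """Return one indicator string per hit; an empty list means nothing matched.

    Locked or unreadable paths (common while the rootkit is still running)
    are reported as ACCESS ERROR lines instead of aborting the whole scan.
    """
    root = Path(windows_root)
    hits = []

    # 1. GUID folder under Installer containing '@' / 'U' / 'L'.
    installer = root / "Installer"
    if installer.is_dir():
        try:
            entries = list(installer.iterdir())
        except OSError as e:
            entries = []
            hits.append(f"ACCESS ERROR {installer}: {e}")
        for d in entries:
            if not (d.is_dir() and GUID_DIR.match(d.name)):
                continue
            for name, kind in (("@", "FILE"), ("U", "FOLDER"), ("L", "FOLDER")):
                p = d / name
                present = p.is_file() if kind == "FILE" else p.is_dir()
                if present:
                    hits.append(f"[ZeroAccess][{kind}] {p}")

    # 2. Desktop.ini planted in the GAC directories (RogueKiller's second indicator).
    for gac in ("GAC_32", "GAC_64"):
        p = root / "Assembly" / gac / "Desktop.ini"
        if p.is_file():
            hits.append(f"[ZeroAccess][FILE] {p}")

    # 3. services.exe versus the backup OTL would restore from. A mismatch is a
    #    lead, not proof: an update after the backup also changes the hash, so
    #    confirm with the file's Authenticode signature before acting on it.
    live = root / "System32" / "services.exe"
    cache = root / "erdnt" / "cache64" / "services.exe"
    if live.is_file() and cache.is_file():
        try:
            if sha256_of(live) != sha256_of(cache):
                hits.append(f"[MISMATCH] {live} differs from backup {cache}")
        except OSError as e:
            hits.append(f"ACCESS ERROR {live}: {e}")

    return hits


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for line in find_zeroaccess_artifacts(target) or ["no indicators found"]:
        print(line)
```

Run it as `python za_check.py C:\Windows` after each cleaning pass; a clean run prints nothing but "no indicators found". Because the rootkit in this thread kept the `@` file locked until a reboot (OTL's "scheduled to be moved on reboot"), an ACCESS ERROR line on that path after a fix is itself a sign the fix has not completed.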
jeff1675 (Author) Posted September 11, 2012, ID:595958

All processes killed
========== FILES ==========
File\Folder C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U\00000008.@ not found.
File\Folder C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U\000000cb.@ not found.
File\Folder C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U\80000000.@ not found.
File move failed. C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\@ scheduled to be moved on reboot.
C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\U folder moved successfully.
C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\L folder moved successfully.
File\Folder C:\Windows\Assembly\GAC_32\Desktop.iniC:\Windows\Assembly\GAC_64\Desktop.ini not found.
========== FILES ==========
Unable to replace file: C:\Windows\System32\services.exe with C:\Windows\erdnt\cache64\services.exe without a reboot.
========== COMMANDS ==========

[EMPTYJAVA]

User: administrator
User: All Users
User: Default
User: Default User
User: jeffrey
User: jeffrey.ONEIDA-AIR
->Java cache emptied: 2152566 bytes
User: JEFFRE~1~ONE
User: Public

Total Java Files Cleaned = 2.00 mb

[EMPTYTEMP]

User: administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56502 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: jeffrey
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1621560 bytes

User: jeffrey.ONEIDA-AIR
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 287696880 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 155469423 bytes
->Apple Safari cache emptied: 6557696 bytes
->Flash cache emptied: 79006 bytes

User: JEFFRE~1~ONE
->Temp folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 88614948 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
RecycleBin emptied: 83528 bytes

Total Files Cleaned = 515.00 mb

[EMPTYFLASH]

User: administrator
User: All Users
User: Default
->Flash cache emptied: 0 bytes
User: Default User
->Flash cache emptied: 0 bytes
User: jeffrey
User: jeffrey.ONEIDA-AIR
->Flash cache emptied: 0 bytes
User: JEFFRE~1~ONE
User: Public

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.61.3 log created on 09112012_161940

Files\Folders moved on Reboot...
File move failed. C:\Windows\Installer\{1f998b8e-6b0a-b33c-a311-6f4a1962c2e7}\@ scheduled to be moved on reboot.
C:\Windows\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-2052.log moved successfully.

PendingFileRenameOperations files...
[2009/07/13 21:39:37 | 000,328,704 | ---- | M] (Microsoft Corporation) C:\Windows\System32\services.exe : MD5=24ACB7E5BE595468E3B9AA488B9B4FCB

Registry entries deleted on Reboot...
MrCharlie Posted September 11, 2012, ID:595959

Run another RogueKiller scan and post the new log, MrC
jeff1675 (Author) Posted September 11, 2012, ID:595960

Attached
RKreport4.txt
MrCharlie Posted September 11, 2012, ID:595971

Still there, please do this.............

Please create a new system restore point before you run ComboFix.
If after running ComboFix you can't connect to the internet, please use that system restore point and that will correct the problem.

Please download and run ComboFix.
The most important things to remember when running it is to disable all your malware programs and run ComboFix from your desktop.
Please visit this webpage for download links, and instructions for running ComboFix:
http://www.bleepingc...to-use-combofix
Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Information on disabling your malware programs can be found Here.
Make sure you run ComboFix from your desktop. Give it at least 30-45 minutes to finish if needed.
Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------
If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC
jeff1675 (Author) Posted September 11, 2012, ID:595973

Not having such great luck here... ComboFix doesn't seem to run through completely. It runs for a bit, the screen flashes, I hear a critical-stop type beep from Windows and then it is gone. I do not see any log file created.

I have to head out to pick up my son. Won't be able to do much more on this tonight unless I can run it via remote desktop etc. from home. Am I seeing a fresh install in my future? Thanks for your help.
MrCharlie Posted September 11, 2012, ID:595986

Try it like this......

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet.
Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
Click Start --> Run, and enter this command exactly as shown: (copy and paste)

"%userprofile%\desktop\combofix.exe" /nombr

See if it will run successfully now. MrC
jeff1675 (Author) Posted September 12, 2012, ID:596304

Seemingly no dice. I can get into safe mode, but when I try to run ComboFix (or almost anything else too) I get a warning that says "Internet security setting prevented one or more files from being opened..." This seems like some hijack vs. actual security settings holding anything back. This is now coming up after a regular re-boot as well and my user profile seems all botched now; the Windows theme has reverted to the more basic look (like safe mode).

Unless you think this is worth pursuing much farther I think I am inclined to wipe it. It seems pretty messy!
MrCharlie Posted September 12, 2012, ID:596308

"Unless you think this is worth pursuing much farther I think I am inclined to wipe it. It seems pretty messy!"

I think this is always best in cases like this; this way you're sure the computer is clean and secure.
Take a look at My Preventive Maintenance to avoid being infected again.
Good Luck and Thanks for using the forum, MrC
Maurice Naggar Posted September 13, 2012, ID:596722

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.