nachum Posted September 16, 2013 ID:730468 Share Posted September 16, 2013 Been through all then steps in "FAQ - Malwarebytes anti-Malware won't run or failed to resolve my issue", managed to get MAB running via chamelion, but nothing was detected, Rkill didn't find anything either. Symptoms are: can't turn on firewall, no access to control panel (windows explorer crashes), folder options greyed out, regedit closes after 1 second, system restore closes after 1 second, etc. Downloaded and ran DDS but the logs are not created. Appreciate your help, Cheers, Nachum Link to post Share on other sites More sharing options...
Psychotic Posted September 16, 2013 ID:730492 Share Posted September 16, 2013 Hi there,my name is Marius and I will assist you with your malware related problems.Before we move on, please read the following points carefully. First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding. Scan with FRST in normal modePlease download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)Run FRST. Don´t change one of the checkboxes and hit Scan. Logfiles are created on your desktop. Poste the FRST.txt and (after the first scan only!) the Addition.txt. Link to post Share on other sites More sharing options...
nachum Posted September 16, 2013 Author ID:730624 Share Posted September 16, 2013 Marius, Thank you very much for your assistance. the FRST and ADDITION logs are attached. I had tried to paste in the post, but when trying to post got an error message "post_too_long". I had this infection problem recently, and did a clean install of Windows, However, the problem returned yesterday when I connected my USB HD to my computer - the folders on the external drive appear as shortcuts and a AUTORUN file is present. Best regards, NachumAddition.txtFRST.txt Link to post Share on other sites More sharing options...
Psychotic Posted September 16, 2013 ID:730628 Share Posted September 16, 2013 Scan with aswMBRPlease download aswMBR ( 4.5MB ) to your desktop.Double click the aswMBR.exe icon, and click Run. There will be a short delay before the next dialog box comes up. Please just wait a minute or two. When asked if you'd like to "download the latest Avast! virus definitions", click Yes. Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready. Click the Scan button to start the scan once the update has finished downloading On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record). Link to post Share on other sites More sharing options...
nachum Posted September 16, 2013 Author ID:730631 Share Posted September 16, 2013 Marius, here is the aswMBR log: aswMBR version 0.9.9.1771 Copyright© 2011 AVAST SoftwareRun date: 2013-09-16 10:16:44-----------------------------10:16:44.173 OS Version: Windows x64 6.1.7601 Service Pack 110:16:44.173 Number of processors: 4 586 0x2A0710:16:44.174 ComputerName: NACHUM-OFFICE UserName: Nachum10:16:44.369 Initialze error 110:17:26.120 AVAST engine defs: 1309160010:17:45.772 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-110:17:45.774 Disk 0 Vendor: ST320LT0 0004 Size: 305245MB BusType: 310:17:45.818 Disk 0 MBR read successfully10:17:45.823 Disk 0 MBR scan10:17:45.834 Disk 0 unknown MBR code10:17:45.841 Disk 0 Partition 1 00 EE GPT 2097151 MB offset 110:17:45.853 Disk 0 scanning C:\Windows\system32\drivers10:17:45.860 Service scanning10:17:46.434 Modules scanning10:17:46.443 Disk 0 trace - called modules:10:17:46.453 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll10:17:46.463 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8009fea060]10:17:46.468 3 CLASSPNP.SYS[fffff88001c5143f] -> nt!IofCallDriver -> [0xfffffa8007ab1e00]10:17:46.799 5 ACPI.sys[fffff88000f777a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8007aff050]10:17:46.811 AVAST engine scan C:\Windows10:17:46.822 AVAST engine scan C:\Windows\system3210:17:46.830 AVAST engine scan C:\Windows\system32\drivers10:17:46.837 AVAST engine scan C:\Users\Nachum10:17:46.843 AVAST engine scan C:\ProgramData10:17:46.850 Scan finished successfully10:18:09.500 Disk 0 MBR has been saved successfully to "C:\Users\Nachum\Desktop\MBR.dat"10:18:09.503 The log file has been saved successfully to "C:\Users\Nachum\Desktop\aswMBR.txt" Link to post Share on other sites More sharing options...
Psychotic Posted September 16, 2013 ID:730633 Share Posted September 16, 2013 CombofixCombofix should only be run when adviced by a team member!LinkImportant - Save the file to your desktop! Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work. Run Combofix.exeWhen finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this. Link to post Share on other sites More sharing options...
nachum Posted September 16, 2013 Author ID:730640 Share Posted September 16, 2013 Marius, combifix initally wouldn't run, but did after i changed the .exe file name. Here is the log: ComboFix 13-09-14.01 - Nachum 09/16/2013 10:27:46.1.4 - x64Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.5193 [GMT -4:00]Running from: c:\users\Nachum\Desktop\nk.exeAV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\programdata\Roamingc:\users\Nachum\AppData\Local\Microsoft\Windows\Temporary Internet Files\{2DD9637E-57C1-4AB2-BD4F-923667711C95}.xpsc:\users\Nachum\AppData\Local\Microsoft\Windows\Temporary Internet Files\{63CB63EA-59E3-4480-9749-A4AF8FE658DE}.xps..((((((((((((((((((((((((( Files Created from 2013-08-16 to 2013-09-16 )))))))))))))))))))))))))))))))..2013-09-16 14:37 . 2013-09-16 14:37 46112 ----a-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\6fd.js2013-09-16 14:33 . 2013-09-16 14:33 -------- d-----w- c:\users\Default\AppData\Local\temp2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET2013-09-16 00:18 . 2013-09-16 00:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 22013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys2013-09-15 23:32 . 2013-09-15 23:32 -------- d-----w- C:\2d92013-09-15 23:32 . 2013-09-15 23:32 -------- d-sh--w- c:\program files\3382013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X72013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll2013-09-05 14:47 . 2013-09-16 14:11 -------- d-----w- C:\Temp2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.02013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.22013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot2013-09-01 18:11 . 2013-09-16 13:58 -------- d-----w- c:\programdata\WRData2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll..(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"3a9"="c:\users\Nachum\AppData\Roaming\2c8b\3a9.js" [X]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-08-15 6581488].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784].c:\users\Nachum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fd.js [2013-9-16 46112].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\6fd.js [2013-9-16 46112]HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 0 (0x0)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableLUA"= 0 (0x0)"EnableUIADesktopToggle"= 0 (0x0)"PromptOnSecureDesktop"= 0 (0x0)"DisableCAD"= 1 (0x1).[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"NoAutorun"= 1 (0x1).[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NofolderOptions"= 1"NoWindowsUpdate"= 1"NoControlPanel"= 1.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]"LoadAppInit_DLLs"=1 (0x1)"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]@="".R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]S2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]..--- Other Services/Drivers In Memory ---.*NewlyCreated* - WS2IFSL.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc.Contents of the 'Scheduled Tasks' folder.2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]..--------- X64 Entries -----------..[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]@="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"[HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]@="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"[HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]@="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"[HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TpShocks"="TpShocks.exe" [2013-06-20 382248]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"AppInit_DLLs"=c:\windows\System32\nvinitx.dll.------- Supplementary Scan -------.uLocal Page = c:\windows\system32\blank.htmmLocal Page = c:\windows\SysWOW64\blank.htmIE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105TCP: DhcpNameServer = 192.168.1.1FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpiFF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.comFF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.comFF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi.- - - - ORPHANS REMOVED - - - -.Wow6432Node-HKLM-Run-EaseUS EPM tray - c:\program files (x86)\EaseUS\EaseUS Partition Master 9.2.2\bin\EpmNews.exeWow6432Node-HKLM-Run-<NO NAME> - (no file)Notify-SDWinLogon - SDWinLogon.dllHKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start...--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]@Denied: (A) (Everyone)"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}".[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]@Denied: (A) (Everyone).[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]"Key"="ActionsPane3""Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd".[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).------------------------ Other Running Processes ------------------------.c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exec:\windows\SysWOW64\SAsrv.exec:\progra~1\Lenovo\Zoom\TPSCREX.EXEc:\progra~1\Lenovo\HOTKEY\TPONSCR.EXEc:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exec:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exec:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe.**************************************************************************.Completion time: 2013-09-16 10:41:03 - machine was rebootedComboFix-quarantined-files.txt 2013-09-16 14:41.Pre-Run: 98,788,335,616 bytes freePost-Run: 98,858,082,304 bytes free.- - End Of File - - 46B1549479BECF4964BE75E01C41744E Link to post Share on other sites More sharing options...
Psychotic Posted September 16, 2013 ID:730642 Share Posted September 16, 2013 uh oh - I´ve seen this before and it will be really "funny" to get rid of this... o.O Combofix scripting1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.3. Download the attached CFScript.txt and save it to the location where Combofix is.Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Full System Scan with Malwarebytes AntimalwareIf not existing, please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.If the program is already installed:Run Malwarebytes Antimalware If an update is found, it will download and install the latest version. Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt Post that log back here.CFScript.txt Link to post Share on other sites More sharing options...
nachum Posted September 16, 2013 Author ID:730645 Share Posted September 16, 2013 Marius, the combix scan is running. For the Malwarebytes Antimalware scan should I attach the external hard drive I mentioned above? Link to post Share on other sites More sharing options...
Psychotic Posted September 16, 2013 ID:730646 Share Posted September 16, 2013 place a checkmark on all hard drives, then click Scan. "all harddrives" should include your external, so please connect and scan it, too. Link to post Share on other sites More sharing options...
nachum Posted September 16, 2013 Author ID:730647 Share Posted September 16, 2013 Marius, here in the combifix log after running with the script. After this Malwarebytes anti-Malware would not start, and I could only get it going through chamelion #5. Should I proceed with the MAM scan? ComboFix 13-09-14.01 - Nachum 09/16/2013 10:57:30.2.4 - x64Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.6135 [GMT -4:00]Running from: c:\users\Nachum\Desktop\nk.exeCommand switches used :: c:\users\Nachum\Desktop\CFScript.txtAV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point.FILE ::"c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\6fd.js""c:\users\Nachum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fd.js"..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..C:\2d9c:\2d9\2828c:\2d9\2c2c2c:\2d9\3082c:\2d9\3b873c:\2d9\3b97c:\program files\338c:\program files\338\3282.jsc:\windows\SysWow64\kWab.dll..((((((((((((((((((((((((( Files Created from 2013-08-16 to 2013-09-16 )))))))))))))))))))))))))))))))..2013-09-16 15:02 . 2013-09-16 15:02 -------- d-----w- c:\users\Default\AppData\Local\temp2013-09-16 15:01 . 2013-09-16 15:04 -------- d-sh--w- c:\program files\3382013-09-16 15:01 . 2013-09-16 15:04 -------- d-----w- C:\2d92013-09-16 15:00 . 2013-09-16 15:02 46112 ----a-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\6e.js2013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET2013-09-16 00:18 . 2013-09-16 00:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 22013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X72013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll2013-09-05 14:47 . 2013-09-16 14:11 -------- d-----w- C:\Temp2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.02013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.22013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot2013-09-01 18:11 . 2013-09-16 14:55 -------- d-----w- c:\programdata\WRData2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll..(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"3a9"="c:\users\Nachum\AppData\Roaming\2c8b\3a9.js" [X]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-08-15 6581488].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784].c:\users\Nachum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6e.js [2013-9-16 46112].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\6e.js [2013-9-16 46112]HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 0 (0x0)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableLUA"= 0 (0x0)"EnableUIADesktopToggle"= 0 (0x0)"PromptOnSecureDesktop"= 0 (0x0)"DisableCAD"= 1 (0x1).[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"NoAutorun"= 1 (0x1).[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NofolderOptions"= 1"NoWindowsUpdate"= 1"NoControlPanel"= 1.[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]"LoadAppInit_DLLs"=1 (0x1)"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]@="".R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]S2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]..[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc.Contents of the 'Scheduled Tasks' folder.2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]..--------- X64 Entries -----------..[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]@="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"[HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]@="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"[HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]@="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"[HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TpShocks"="TpShocks.exe" [2013-06-20 382248]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"AppInit_DLLs"=c:\windows\System32\nvinitx.dll.------- Supplementary Scan -------.uLocal Page = c:\windows\system32\blank.htmmLocal Page = c:\windows\SysWOW64\blank.htmIE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105TCP: DhcpNameServer = 192.168.1.1FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpiFF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.comFF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.comFF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi.- - - - ORPHANS REMOVED - - - -.Wow6432Node-HKLM-Run-<NO NAME> - (no file)Notify-SDWinLogon - SDWinLogon.dll...--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]@Denied: (A) (Everyone)"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}".[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]@Denied: (A) (Everyone).[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]"Key"="ActionsPane3""Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd".[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).------------------------ Other Running Processes ------------------------.c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exec:\windows\SysWOW64\SAsrv.exec:\progra~1\Lenovo\Zoom\TPSCREX.EXEc:\progra~1\Lenovo\HOTKEY\TPONSCR.EXEc:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exec:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exec:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe.**************************************************************************.Completion time: 2013-09-16 11:08:34 - machine was rebootedComboFix-quarantined-files.txt 2013-09-16 15:08ComboFix2.txt 2013-09-16 14:41.Pre-Run: 99,306,733,568 bytes freePost-Run: 99,224,027,136 bytes free.- - End Of File - - FEC56E8B35D9452E4C0967E3F4BDED36 Link to post Share on other sites More sharing options...
Psychotic Posted September 16, 2013 ID:730649 Share Posted September 16, 2013 No, that will not help us because the virus has already respawned... Create/Scan with Kaspersky Rescue DiskFollow the instructions on this page for downloading the kav_rescue_10.iso (200 mb) file and creating the Kaspersky Rescue Disk.Make sure you set to boot the machine from the CDRom drive first. Then save and exit the BIOS. The computer will begin to boot. Insert the disc in the CDrom drive, then restart the machine. It should then boot from that CD.It's best if you refer to the instructions and images at Kaspersky How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?Once it boots from CD, press a key so it continues to boot from that CD.Select the language, then be sure to select Kaspersky Rescue Disk Graphic Mode.Kaspersky should begin scanning your machine. If it finds infection, look carefully at the files it lists. If any of them seem to be legit files, do not allow it to clean/quarantine/delete them. Rather, save the log and post the results for me to look over. Link to post Share on other sites More sharing options...
nachum Posted September 16, 2013 Author ID:730654 Share Posted September 16, 2013 Will do. One question - do I connect all my exteranl hard drives for the kaspersky scan? I have 3 disks with lots of data, I suppose they are infected as well? Link to post Share on other sites More sharing options...
nachum Posted September 17, 2013 Author ID:730948 Share Posted September 17, 2013 Update: running the kaspersky rescue disk with all external hard drives attached. The good new is that it's finding infections - virus HEUR.work.script.generic on the main and external hard drivers and HEUR.trojan.WinLNK.generic, torojan.win32.autorun.gen on the external drive. I will disinfect once the scan is done and send you the log. Please advise as to next steps after disinfection. Link to post Share on other sites More sharing options...
Psychotic Posted September 17, 2013 ID:731002 Share Posted September 17, 2013 I need to see the log to coordinate the next steps. Link to post Share on other sites More sharing options...
nachum Posted September 17, 2013 Author ID:731121 Share Posted September 17, 2013 Here is the KAV rescue disk report, Should I quarrantine or delete?<pre style='color:#141312;background-color:#ffffff;'>Status: Detected (events: 45) 9/16/13 1:25 PM Detected virus HEUR:Worm.Script.Generic C:/Users/Nachum/AppData/Roaming/2c8b/3a9.js High 9/16/13 2:00 PM Detected virus HEUR:Worm.Script.Generic C:/Program Files/338/3282.js High 9/16/13 2:02 PM Detected virus HEUR:Worm.Script.Generic C:/Qoobox/Quarantine/C/Program Files/338/3282.js.vir High 9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/$RECYCLE.BIN.lnk High 9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/2e2e.lnk High 9/16/13 2:32 PM Detected Trojan program Trojan.Win32.AutoRun.gen E:/autorun.inf High 9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/DK_backup_current.lnk High 9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/Creative_webcam_instant.lnk High 9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/Original_setup.lnk High 9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/RECYCLER.lnk High 9/16/13 2:32 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic E:/System Volume Information.lnk High 9/16/13 2:37 PM Detected virus HEUR:Worm.Script.Generic E:/2c2c/g3d9f.js High 9/16/13 2:37 PM Detected virus HEUR:Worm.Script.Generic E:/2c2c/i31313.js High 9/16/13 2:37 PM Detected virus HEUR:Worm.Script.Generic E:/2e2e/g3fe4.js High 9/16/13 2:37 PM Detected virus HEUR:Worm.Script.Generic E:/2e2e/i333.js High 9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/$RECYCLE.BIN.lnk High 9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/Affinium.lnk High 9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/Backup Files.lnk High 9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/Original Config.lnk High 9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/RECYCLER.lnk High 9/16/13 4:01 PM Detected Trojan program HEUR:Trojan.WinLNK.Generic H:/System Volume Information.lnk High 9/17/13 2:54 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic I:/$RECYCLE.BIN.lnk High 9/17/13 2:54 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic I:/Music_iTunes.lnk High 9/17/13 2:54 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic I:/Music.lnk High 9/17/13 2:54 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic I:/System Volume Information.lnk High 9/17/13 2:54 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic I:/Archives.lnk High 9/17/13 2:54 AM Detected Trojan program Trojan.Win32.AutoRun.gen I:/autorun.inf High 9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.Cydoor I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0018.BIN//cd_htm.dll//PECompact Medium 9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.CommonName.bt I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0019.BIN//ASPack Medium 9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.CommonName.bt I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0019.BIN//ASPack//data0000//CNForm.exe Medium 9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.NewDotNet I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0020.BIN Medium 9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.HotBar.ab I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0021.BIN Medium 9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.Gator.1050 I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0023.BIN Medium 9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.SaveNow.w I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0025.BIN//data0003.res//SaveNow.exe Medium 9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.SaveNow.au I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0025.BIN//data0003.res//Uninst.exe Medium 9/17/13 3:07 AM Detected adware not-a-virus:AdWare.Win32.SaveNow.au I:/Archives/Archives_2002/Family_100702/Kaynan/iMeshV3.exe//WISE0025.BIN//# Medium 9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/$RECYCLE.BIN.lnk High 9/17/13 3:09 AM Detected Trojan program Trojan.Win32.AutoRun.gen J:/autorun.inf High 9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/Install_files.lnk High 9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/Music.lnk High 9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/MUSICSTUDIO-PC.lnk High 9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/Original_programs.lnk High 9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/System Volume Information.lnk High 9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/Temp.lnk High 9/17/13 3:09 AM Detected Trojan program HEUR:Trojan.WinLNK.Generic J:/WindowsImageBackup.lnk High </pre> Link to post Share on other sites More sharing options...
Psychotic Posted September 17, 2013 ID:731126 Share Posted September 17, 2013 quarantine the files - then reboot into safe mode WITHOUT networking and run combofix Link to post Share on other sites More sharing options...
nachum Posted September 17, 2013 Author ID:731132 Share Posted September 17, 2013 quarantine successful except for one file: Trojan program Trojan.win E:/autorun.inf (not found), should I scan the external E drive again? Link to post Share on other sites More sharing options...
Psychotic Posted September 17, 2013 ID:731135 Share Posted September 17, 2013 no, that´s ok. Proceed with combofix Link to post Share on other sites More sharing options...
nachum Posted September 17, 2013 Author ID:731142 Share Posted September 17, 2013 Combifix done, it gave a message that Webroot secure anyware was active even though i had disabled the protection. Here is the log:ComboFix 13-09-14.01 - Nachum 09/17/2013 11:10:51.3.4 - x64 MINIMALMicrosoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8074.6715 [GMT -4:00]Running from: c:\users\Nachum\Desktop\nk.exeAV: Webroot SecureAnywhere *Enabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}SP: Webroot SecureAnywhere *Enabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..E:\autorun.infH:\Autorun.infI:\install.exe..((((((((((((((((((((((((( Files Created from 2013-08-17 to 2013-09-17 )))))))))))))))))))))))))))))))..2013-09-17 15:15 . 2013-09-17 15:15 -------- d-----w- c:\users\Default\AppData\Local\temp2013-09-16 15:01 . 2013-09-17 10:33 -------- d-sh--w- c:\program files\3382013-09-16 15:01 . 2013-09-16 15:06 -------- d-----w- C:\2d92013-09-16 13:56 . 2013-09-16 13:56 -------- d-----w- C:\FRST2013-09-16 03:00 . 2013-09-16 03:01 -------- d-----w- c:\program files\SUPERAntiSpyware2013-09-16 03:00 . 2013-09-16 03:00 -------- d-----w- c:\programdata\SUPERAntiSpyware.com2013-09-16 02:30 . 2013-09-16 02:30 -------- d-----w- c:\windows\system32\MpEngineStore2013-09-16 00:55 . 2013-09-16 00:55 -------- d-----w- c:\program files (x86)\ESET2013-09-16 00:18 . 2013-09-16 15:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy2013-09-16 00:18 . 2009-01-25 17:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe2013-09-16 00:17 . 2013-09-16 00:19 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy 22013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\programdata\Malwarebytes2013-09-16 00:06 . 2013-09-16 00:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware2013-09-16 00:06 . 2013-04-04 18:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys2013-09-13 08:47 . 2013-08-20 04:46 9515512 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files\Common Files\Lenovo2013-09-12 23:19 . 2013-09-12 23:19 -------- d-----w- c:\program files (x86)\Common Files\Lenovo2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\windows\Downloaded Installations2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\Common Files\SPBA2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files\ThinkVantage Fingerprint Software2013-09-12 23:08 . 2013-09-12 23:08 -------- d-----w- c:\program files (x86)\Common Files\SPBA2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- c:\program files (x86)\Common Files\InstallShield2013-09-12 22:54 . 2013-09-12 22:54 -------- d-----w- C:\DRIVERS2013-09-12 11:54 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys2013-09-05 15:41 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft2013-09-05 15:38 . 2013-09-05 15:38 -------- d-----w- c:\program files (x86)\Common Files\Risxtd2013-09-05 15:38 . 2013-09-05 15:41 -------- d-----w- c:\program files (x86)\EndNote X72013-09-05 15:37 . 2013-09-05 15:41 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers2013-09-05 15:12 . 2013-09-05 15:12 66344 ----a-w- c:\windows\system32\ibmpmsvc.exe2013-09-05 15:12 . 2013-09-05 15:12 60712 ----a-w- c:\windows\system32\ibmpmctl.exe2013-09-05 15:12 . 2013-09-05 15:12 54528 ----a-w- c:\windows\system32\drivers\ibmpmdrv.sys2013-09-05 15:12 . 2013-09-05 15:12 40232 ----a-w- c:\windows\system32\tpinspm.dll2013-09-05 14:47 . 2013-09-17 09:59 -------- d-----w- C:\Temp2013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\MSXML 4.02013-09-03 19:52 . 2013-09-03 19:52 -------- d-----w- c:\program files (x86)\Microsoft CAPICOM 2.1.0.22013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\program files (x86)\Common Files\Skype2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----r- c:\program files (x86)\Skype2013-09-03 17:39 . 2013-09-03 17:39 -------- d-----w- c:\programdata\Skype2013-09-03 17:36 . 2013-09-03 17:36 -------- d-----w- c:\program files\7-Zip2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MSMAPI2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\windows\SysWow64\MAPI2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\program files (x86)\IPBLUE2013-09-03 17:23 . 2013-09-03 17:23 -------- d-----w- c:\programdata\IPBLUE2013-09-03 16:05 . 2013-09-03 16:05 -------- d-----w- c:\windows\system32\appmgmt2013-09-02 22:08 . 2013-09-02 22:08 -------- d-----w- c:\program files (x86)\Mozilla Thunderbird2013-09-02 21:59 . 2013-09-02 21:59 -------- d-----w- c:\program files (x86)\TeamViewer2013-09-02 21:39 . 2009-08-20 03:50 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll2013-09-02 20:33 . 2013-09-02 20:33 -------- d-----w- c:\programdata\GraphPad Software2013-09-02 20:32 . 2013-09-02 20:33 -------- d-----w- c:\program files (x86)\GraphPad2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\programdata\CambridgeSoft2013-09-02 20:21 . 2013-09-02 20:21 -------- d-----w- c:\program files (x86)\CambridgeSoft2013-09-02 20:05 . 2009-08-20 03:50 52568 ----a-w- c:\windows\system32\AdobePDF.dll2013-09-02 20:01 . 2013-09-02 20:02 -------- d-----w- c:\programdata\FLEXnet2013-09-02 20:00 . 2013-09-02 20:00 -------- d-----w- c:\program files (x86)\Common Files\Macrovision Shared2013-09-02 19:59 . 2013-09-02 20:04 -------- d-----w- c:\program files (x86)\Common Files\Adobe2013-09-02 19:26 . 2013-09-02 19:26 -------- d-----w- c:\programdata\WEBREG2013-09-02 19:25 . 2010-05-14 19:04 253440 ----a-w- c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll2013-09-02 19:24 . 2013-09-02 19:24 -------- d-----w- c:\windows\SysWow64\spool2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\HP2013-09-02 16:50 . 2013-09-02 16:50 -------- d-----w- c:\program files (x86)\Common Files\Hewlett-Packard2013-09-02 16:50 . 2010-05-14 19:04 138752 ----a-w- c:\windows\system32\hpf3l02t.dll2013-09-02 16:48 . 2010-05-13 10:29 553472 ----a-w- c:\windows\system32\hppldcoi.dll2013-09-02 16:48 . 2010-05-13 10:25 906240 ----a-w- c:\windows\system32\hpwwiax5.dll2013-09-02 16:48 . 2010-05-13 10:25 1422848 ----a-w- c:\windows\system32\hpwtiop4.dll2013-09-02 16:48 . 2010-04-26 08:52 644456 ----a-w- c:\windows\system32\hpzids40.dll2013-09-02 16:48 . 2010-02-01 06:54 488960 ----a-w- c:\windows\system32\hpovst11.dll2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\programdata\HP2013-09-02 16:47 . 2013-09-02 19:24 -------- d-----w- c:\program files (x86)\HP2013-09-02 16:33 . 2013-09-02 16:33 -------- d-----w- C:\Phoenix.JPS2013-09-02 16:32 . 2013-09-02 16:32 -------- d-----w- c:\windows\system32\APSystem2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\Pharsight2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\programdata\SafeNet Sentinel2013-09-02 16:30 . 2013-09-02 16:35 -------- d-----w- c:\program files (x86)\Pharsight2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- C:\PHSTMinGW2013-09-02 16:30 . 2013-09-02 16:30 -------- d-----w- c:\program files (x86)\Common Files\Pharsight2013-09-02 16:28 . 2013-09-05 15:36 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard2013-09-02 16:13 . 2013-09-02 16:13 -------- d-----w- c:\program files (x86)\TIBCO2013-09-01 21:40 . 2013-09-01 21:40 -------- d-----w- c:\program files (x86)\Egnyte Local Cloud2013-09-01 20:39 . 2013-09-01 20:39 -------- d-----w- c:\program files (x86)\EaseUS2013-09-01 19:55 . 2013-09-01 19:55 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help2013-09-01 19:50 . 2013-09-01 16:04 -------- d-----w- c:\windows\Panther2013-09-01 19:38 . 2010-09-07 18:09 15472 ----a-w- c:\windows\system32\drivers\smiifx64.sys2013-09-01 19:10 . 2013-09-01 19:10 -------- d-----w- c:\windows\PCHEALTH2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files\Microsoft Office2013-09-01 19:06 . 2013-09-01 19:06 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services2013-09-01 19:06 . 2013-09-12 12:03 -------- d-----w- c:\programdata\Microsoft Help2013-09-01 19:05 . 2013-09-01 19:05 -------- d-----r- C:\MSOCache2013-09-01 19:00 . 2013-09-12 11:37 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl2013-09-01 19:00 . 2013-09-12 11:37 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\SysWow64\Macromed2013-09-01 19:00 . 2013-09-01 19:00 -------- d-----w- c:\windows\system32\Macromed2013-09-01 18:31 . 2013-09-03 03:05 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service2013-09-01 18:25 . 2013-09-01 19:10 -------- d-----w- c:\program files (x86)\Microsoft.NET2013-09-01 18:21 . 2013-09-01 18:21 9842040 ----a-w- c:\program files (x86)\Common Files\wruninstall.exe2013-09-01 18:11 . 2013-09-01 18:11 150160 ----a-w- c:\windows\SysWow64\WRusr.dll2013-09-01 18:11 . 2013-09-01 18:11 113152 ----a-w- c:\windows\system32\drivers\WRkrn.sys2013-09-01 18:11 . 2013-09-01 18:11 102792 ----a-w- c:\windows\system32\WRusr.dll2013-09-01 18:11 . 2013-09-01 18:11 -------- d-----w- c:\program files\Webroot2013-09-01 18:11 . 2013-09-16 16:55 -------- d-----w- c:\programdata\WRData2013-09-01 18:11 . 2013-04-09 23:34 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll2013-09-01 18:11 . 2013-04-02 22:51 1643520 ----a-w- c:\windows\system32\DWrite.dll2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\SysWow64\Wat2013-09-01 17:59 . 2013-09-01 17:59 -------- d-----w- c:\windows\system32\Wat2013-09-01 17:42 . 2012-07-26 04:55 785512 ----a-w- c:\windows\system32\drivers\Wdf01000.sys2013-09-01 17:42 . 2012-07-26 04:55 54376 ----a-w- c:\windows\system32\drivers\WdfLdr.sys2013-09-01 17:42 . 2012-07-26 04:47 2560 ----a-w- c:\windows\system32\drivers\en-US\wdf01000.sys.mui2013-09-01 17:42 . 2012-07-26 02:36 9728 ----a-w- c:\windows\system32\Wdfres.dll2013-09-01 17:34 . 2013-09-12 12:04 -------- d-----w- c:\windows\system32\MRT2013-09-01 17:24 . 2013-01-13 19:53 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll2013-09-01 17:23 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys2013-09-01 17:23 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll2013-09-01 17:23 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll2013-09-01 17:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll2013-09-01 17:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll2013-09-01 17:20 . 2013-09-01 17:20 -------- d-----w- c:\program files\AuthenTec2013-09-01 17:19 . 2012-05-04 11:00 366592 ----a-w- c:\windows\system32\qdvd.dll2013-09-01 17:19 . 2012-05-04 09:59 514560 ----a-w- c:\windows\SysWow64\qdvd.dll2013-09-01 17:19 . 2012-08-24 18:13 154480 ----a-w- c:\windows\system32\drivers\ksecpkg.sys2013-09-01 17:19 . 2012-08-24 18:09 458712 ----a-w- c:\windows\system32\drivers\cng.sys2013-09-01 17:19 . 2012-08-24 18:05 340992 ----a-w- c:\windows\system32\schannel.dll2013-09-01 17:19 . 2012-08-24 18:03 1448448 ----a-w- c:\windows\system32\lsasrv.dll2013-09-01 17:19 . 2012-08-24 16:57 247808 ----a-w- c:\windows\SysWow64\schannel.dll2013-09-01 17:19 . 2012-08-24 16:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll2013-09-01 17:19 . 2012-08-24 16:53 96768 ----a-w- c:\windows\SysWow64\sspicli.dll2013-09-01 17:17 . 2013-05-27 05:50 1011712 ----a-w- c:\program files\Windows Defender\MpSvc.dll..(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2013-08-07 08:22 . 2010-11-21 03:27 278800 ------w- c:\windows\system32\MpSigStub.exe2013-08-02 01:48 . 2013-09-12 11:54 44032 ----a-w- c:\windows\apppatch\acwow64.dll2013-06-20 21:43 . 2013-06-20 21:43 382248 ----a-w- c:\windows\system32\TpShocks.exe2013-06-20 21:43 . 2013-06-20 21:43 280872 ----a-w- c:\windows\system32\TpShEvUI.exe2013-06-20 21:43 . 2013-06-20 21:43 107816 ----a-w- c:\windows\system32\TpShCTL.exe2013-06-20 21:43 . 2013-06-20 21:43 484648 ----a-w- c:\windows\system32\TpShCPL.dll2013-06-20 21:43 . 2013-06-20 21:43 419624 ----a-w- c:\windows\system32\TpShCPL.cpl2013-06-20 20:49 . 2013-06-20 20:49 49920 ----a-w- c:\windows\system32\TPHDEXLG64.exe2013-06-20 20:49 . 2013-06-20 20:49 25856 ----a-w- c:\windows\system32\drivers\ApsHM64.sys2013-06-20 20:49 . 2013-06-20 20:49 24056 ----a-w- c:\windows\system32\Sensor64.DLL2013-06-20 20:49 . 2013-06-20 20:49 22520 ----a-w- c:\windows\SysWow64\Sensor.DLL2013-06-20 20:49 . 2013-06-20 20:49 150272 ----a-w- c:\windows\system32\drivers\ApsX64.sys..((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4.[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784].[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]"1"="c:\program files (x86)\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" [2013-04-04 218184].c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040].[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"ConsentPromptBehaviorAdmin"= 0 (0x0)"ConsentPromptBehaviorUser"= 3 (0x3)"EnableLUA"= 0 (0x0)"EnableUIADesktopToggle"= 0 (0x0)"PromptOnSecureDesktop"= 0 (0x0)"DisableCAD"= 1 (0x1).[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"NoAutorun"= 1 (0x1).[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]"LoadAppInit_DLLs"=1 (0x1)"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe.[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]@="".R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]R1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]R2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]R2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]R2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]R2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]R2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]R2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]R2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]R2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]R2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]R2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]R3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]..[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc.Contents of the 'Scheduled Tasks' folder.2013-09-16 c:\windows\Tasks\Adobe Flash Player Updater.job- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]..--------- X64 Entries -----------..[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]@="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"[HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]@="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"[HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]@="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"[HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]2013-06-20 15:53 919656 ----a-w- c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]2013-09-01 18:11 102792 ----a-w- c:\windows\System32\WRusr.dll.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TpShocks"="TpShocks.exe" [2013-06-20 382248]"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312].[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]"AppInit_DLLs"=c:\windows\System32\nvinitx.dll.------- Supplementary Scan -------.uLocal Page = c:\windows\system32\blank.htmmLocal Page = c:\windows\SysWOW64\blank.htmIE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105TCP: DhcpNameServer = 192.168.1.1FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpiFF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.comFF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.comFF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi.- - - - ORPHANS REMOVED - - - -.Wow6432Node-HKLM-Run-<NO NAME> - (no file)Notify-SDWinLogon - SDWinLogon.dll...--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]@Denied: (A) (Everyone)"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}".[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]@Denied: (A) (Everyone).[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]"Key"="ActionsPane3""Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd".[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]@Denied: (Full) (Everyone).Completion time: 2013-09-17 11:16:36ComboFix-quarantined-files.txt 2013-09-17 15:16ComboFix2.txt 2013-09-16 15:08ComboFix3.txt 2013-09-16 14:41.Pre-Run: 98,988,253,184 bytes freePost-Run: 98,821,361,664 bytes free.- - End Of File - - 0F911C090FA6D98D593056DD53D4A03E Link to post Share on other sites More sharing options...
Psychotic Posted September 17, 2013 ID:731143 Share Posted September 17, 2013 Combofix scripting1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.3. Download the attached CFScript.txt and save it to the location where Combofix is.Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Then reboot into safe mode and run a full scan with MBAM AND ESET. Provide the logs of Combofix, MBAM and ESET in your next reply.CFScript.txt Link to post Share on other sites More sharing options...
nachum Posted September 17, 2013 Author ID:731162 Share Posted September 17, 2013 Will do. I don't have ESET, which version should I download, the cyber security pro free trial? Link to post Share on other sites More sharing options...
nachum Posted September 17, 2013 Author ID:731173 Share Posted September 17, 2013 Sorry, the ESET cyber security if for mac, I'll download NOD32 antivirus Link to post Share on other sites More sharing options...
Psychotic Posted September 17, 2013 ID:731235 Share Posted September 17, 2013 Scan with ESET Online ScanPlease go to here to run the online scannner from ESET. Turn off the real time scanner of any existing antivirus program while performing the online scanTick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the activex control to installClick StartMake sure that the option Remove found threats is unticked Click on Advanced Settings and ensure these options are ticked:Scan for potentially unwanted applicationsScan for potentially unsafe applicationsEnable Anti-Stealth Technology[*]Click Scan[*]Wait for the scan to finish[*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic. S Link to post Share on other sites More sharing options...
nachum Posted September 17, 2013 Author ID:731237 Share Posted September 17, 2013 Thanks! Will do, currently in the middle of the MBAM scan, will have all the logs for you tomorrow morning (my time). Link to post Share on other sites More sharing options...
Recommended Posts