
Infected, DDS won't work


nachum

Here are the results:

ComboFix:

ComboFix 13-09-17.01 - Nachum 09/17/2013  12:09:52.4.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8074.5737 [GMT -4:00]
Running from: c:\users\Nachum\Desktop\nk.exe
Command switches used :: c:\users\Nachum\Desktop\CFScript.txt
AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\2d9
c:\2d9\2828
c:\2d9\2c2c2
c:\2d9\3082
c:\2d9\3b873
c:\2d9\3b97
c:\program files\338
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-17 to 2013-09-17  )))))))))))))))))))))))))))))))
.
.
2013-09-17 16:14 . 2013-09-17 16:14    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-09-16 13:56 . 2013-09-16 13:56    --------    d-----w-    C:\FRST
2013-09-16 03:00 . 2013-09-16 03:01    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-09-16 03:00 . 2013-09-16 03:00    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2013-09-16 02:30 . 2013-09-16 02:30    --------    d-----w-    c:\windows\system32\MpEngineStore
2013-09-16 00:55 . 2013-09-16 00:55    --------    d-----w-    c:\program files (x86)\ESET
2013-09-16 00:18 . 2013-09-16 15:13    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2013-09-16 00:18 . 2009-01-25 17:14    17272    ----a-w-    c:\windows\system32\sdnclean64.exe
2013-09-16 00:17 . 2013-09-16 00:19    --------    d-----w-    c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-16 00:06 . 2013-09-16 00:06    --------    d-----w-    c:\programdata\Malwarebytes
2013-09-16 00:06 . 2013-09-16 00:06    --------    d-----w-    c:\program files (x86)\Malwarebytes' Anti-Malware
2013-09-16 00:06 . 2013-04-04 18:50    25928    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-09-13 08:47 . 2013-08-20 04:46    9515512    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll
2013-09-12 23:19 . 2013-09-12 23:19    --------    d-----w-    c:\program files\Common Files\Lenovo
2013-09-12 23:19 . 2013-09-12 23:19    --------    d-----w-    c:\program files (x86)\Common Files\Lenovo
2013-09-12 23:08 . 2013-09-12 23:08    --------    d-----w-    c:\windows\Downloaded Installations
2013-09-12 23:08 . 2013-09-12 23:08    --------    d-----w-    c:\program files\Common Files\SPBA
2013-09-12 23:08 . 2013-09-12 23:08    --------    d-----w-    c:\program files\ThinkVantage Fingerprint Software
2013-09-12 23:08 . 2013-09-12 23:08    --------    d-----w-    c:\program files (x86)\Common Files\SPBA
2013-09-12 22:54 . 2013-09-12 22:54    --------    d-----w-    c:\program files (x86)\Common Files\InstallShield
2013-09-12 22:54 . 2013-09-12 22:54    --------    d-----w-    C:\DRIVERS
2013-09-12 11:54 . 2013-08-05 02:25    155584    ----a-w-    c:\windows\system32\drivers\ataport.sys
2013-09-05 15:41 . 2013-09-05 15:41    --------    d-----w-    c:\program files (x86)\Common Files\ResearchSoft
2013-09-05 15:38 . 2013-09-05 15:38    --------    d-----w-    c:\program files (x86)\Common Files\Risxtd
2013-09-05 15:38 . 2013-09-05 15:41    --------    d-----w-    c:\program files (x86)\EndNote X7
2013-09-05 15:37 . 2013-09-05 15:41    --------    d-----w-    c:\programdata\Thomson.ResearchSoft.Installers
2013-09-05 15:12 . 2013-09-05 15:12    66344    ----a-w-    c:\windows\system32\ibmpmsvc.exe
2013-09-05 15:12 . 2013-09-05 15:12    60712    ----a-w-    c:\windows\system32\ibmpmctl.exe
2013-09-05 15:12 . 2013-09-05 15:12    54528    ----a-w-    c:\windows\system32\drivers\ibmpmdrv.sys
2013-09-05 15:12 . 2013-09-05 15:12    40232    ----a-w-    c:\windows\system32\tpinspm.dll
2013-09-05 14:47 . 2013-09-17 09:59    --------    d-----w-    C:\Temp
2013-09-03 19:52 . 2013-09-03 19:52    --------    d-----w-    c:\program files (x86)\MSXML 4.0
2013-09-03 19:52 . 2013-09-03 19:52    --------    d-----w-    c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2013-09-03 17:39 . 2013-09-03 17:39    --------    d-----w-    c:\program files (x86)\Common Files\Skype
2013-09-03 17:39 . 2013-09-03 17:39    --------    d-----r-    c:\program files (x86)\Skype
2013-09-03 17:39 . 2013-09-03 17:39    --------    d-----w-    c:\programdata\Skype
2013-09-03 17:36 . 2013-09-03 17:36    --------    d-----w-    c:\program files\7-Zip
2013-09-03 17:23 . 2013-09-03 17:23    --------    d-----w-    c:\windows\SysWow64\MSMAPI
2013-09-03 17:23 . 2013-09-03 17:23    --------    d-----w-    c:\windows\SysWow64\MAPI
2013-09-03 17:23 . 2013-09-03 17:23    --------    d-----w-    c:\program files (x86)\IPBLUE
2013-09-03 17:23 . 2013-09-03 17:23    --------    d-----w-    c:\programdata\IPBLUE
2013-09-03 16:05 . 2013-09-03 16:05    --------    d-----w-    c:\windows\system32\appmgmt
2013-09-02 22:08 . 2013-09-02 22:08    --------    d-----w-    c:\program files (x86)\Mozilla Thunderbird
2013-09-02 21:59 . 2013-09-02 21:59    --------    d-----w-    c:\program files (x86)\TeamViewer
2013-09-02 21:39 . 2009-08-20 03:50    24416    ----a-r-    c:\windows\system32\AdobePDFUI.dll
2013-09-02 20:33 . 2013-09-02 20:33    --------    d-----w-    c:\programdata\GraphPad Software
2013-09-02 20:32 . 2013-09-02 20:33    --------    d-----w-    c:\program files (x86)\GraphPad
2013-09-02 20:21 . 2013-09-02 20:21    --------    d-----w-    c:\programdata\CambridgeSoft
2013-09-02 20:21 . 2013-09-02 20:21    --------    d-----w-    c:\program files (x86)\CambridgeSoft
2013-09-02 20:05 . 2009-08-20 03:50    52568    ----a-w-    c:\windows\system32\AdobePDF.dll
2013-09-02 20:01 . 2013-09-02 20:02    --------    d-----w-    c:\programdata\FLEXnet
2013-09-02 20:00 . 2013-09-02 20:00    --------    d-----w-    c:\program files (x86)\Common Files\Macrovision Shared
2013-09-02 19:59 . 2013-09-02 20:04    --------    d-----w-    c:\program files (x86)\Common Files\Adobe
2013-09-02 19:26 . 2013-09-02 19:26    --------    d-----w-    c:\programdata\WEBREG
2013-09-02 19:25 . 2010-05-14 19:04    253440    ----a-w-    c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll
2013-09-02 19:24 . 2013-09-02 19:24    --------    d-----w-    c:\windows\SysWow64\spool
2013-09-02 16:50 . 2013-09-02 16:50    --------    d-----w-    c:\program files (x86)\Common Files\HP
2013-09-02 16:50 . 2013-09-02 16:50    --------    d-----w-    c:\program files (x86)\Common Files\Hewlett-Packard
2013-09-02 16:50 . 2010-05-14 19:04    138752    ----a-w-    c:\windows\system32\hpf3l02t.dll
2013-09-02 16:48 . 2010-05-13 10:29    553472    ----a-w-    c:\windows\system32\hppldcoi.dll
2013-09-02 16:48 . 2010-05-13 10:25    906240    ----a-w-    c:\windows\system32\hpwwiax5.dll
2013-09-02 16:48 . 2010-05-13 10:25    1422848    ----a-w-    c:\windows\system32\hpwtiop4.dll
2013-09-02 16:48 . 2010-04-26 08:52    644456    ----a-w-    c:\windows\system32\hpzids40.dll
2013-09-02 16:48 . 2010-02-01 06:54    488960    ----a-w-    c:\windows\system32\hpovst11.dll
2013-09-02 16:47 . 2013-09-02 19:24    --------    d-----w-    c:\programdata\HP
2013-09-02 16:47 . 2013-09-02 19:24    --------    d-----w-    c:\program files (x86)\HP
2013-09-02 16:33 . 2013-09-02 16:33    --------    d-----w-    C:\Phoenix.JPS
2013-09-02 16:32 . 2013-09-02 16:32    --------    d-----w-    c:\windows\system32\APSystem
2013-09-02 16:30 . 2013-09-02 16:30    --------    d-----w-    c:\programdata\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30    --------    d-----w-    c:\programdata\SafeNet Sentinel
2013-09-02 16:30 . 2013-09-02 16:35    --------    d-----w-    c:\program files (x86)\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30    --------    d-----w-    C:\PHSTMinGW
2013-09-02 16:30 . 2013-09-02 16:30    --------    d-----w-    c:\program files (x86)\Common Files\Pharsight
2013-09-02 16:28 . 2013-09-05 15:36    --------    d-----w-    c:\program files (x86)\Common Files\Wise Installation Wizard
2013-09-02 16:13 . 2013-09-02 16:13    --------    d-----w-    c:\program files (x86)\TIBCO
2013-09-01 21:40 . 2013-09-01 21:40    --------    d-----w-    c:\program files (x86)\Egnyte Local Cloud
2013-09-01 20:39 . 2013-09-01 20:39    --------    d-----w-    c:\program files (x86)\EaseUS
2013-09-01 19:55 . 2013-09-01 19:55    --------    d-----w-    c:\users\Default\AppData\Local\Microsoft Help
2013-09-01 19:50 . 2013-09-01 16:04    --------    d-----w-    c:\windows\Panther
2013-09-01 19:38 . 2010-09-07 18:09    15472    ----a-w-    c:\windows\system32\drivers\smiifx64.sys
2013-09-01 19:10 . 2013-09-01 19:10    --------    d-----w-    c:\windows\PCHEALTH
2013-09-01 19:06 . 2013-09-01 19:06    --------    d-----w-    c:\program files\Microsoft Office
2013-09-01 19:06 . 2013-09-01 19:06    --------    d-----w-    c:\program files (x86)\Microsoft Analysis Services
2013-09-01 19:06 . 2013-09-12 12:03    --------    d-----w-    c:\programdata\Microsoft Help
2013-09-01 19:05 . 2013-09-01 19:05    --------    d-----r-    C:\MSOCache
2013-09-01 19:00 . 2013-09-12 11:37    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-01 19:00 . 2013-09-12 11:37    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-01 19:00 . 2013-09-01 19:00    --------    d-----w-    c:\windows\SysWow64\Macromed
2013-09-01 19:00 . 2013-09-01 19:00    --------    d-----w-    c:\windows\system32\Macromed
2013-09-01 18:31 . 2013-09-03 03:05    --------    d-----w-    c:\program files (x86)\Mozilla Maintenance Service
2013-09-01 18:25 . 2013-09-01 19:10    --------    d-----w-    c:\program files (x86)\Microsoft.NET
2013-09-01 18:21 . 2013-09-01 18:21    9842040    ----a-w-    c:\program files (x86)\Common Files\wruninstall.exe
2013-09-01 18:11 . 2013-09-01 18:11    150160    ----a-w-    c:\windows\SysWow64\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11    113152    ----a-w-    c:\windows\system32\drivers\WRkrn.sys
2013-09-01 18:11 . 2013-09-01 18:11    102792    ----a-w-    c:\windows\system32\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11    --------    d-----w-    c:\program files\Webroot
2013-09-01 18:11 . 2013-09-16 16:55    --------    d-----w-    c:\programdata\WRData
2013-09-01 18:11 . 2013-04-09 23:34    1247744    ----a-w-    c:\windows\SysWow64\DWrite.dll
2013-09-01 18:11 . 2013-04-02 22:51    1643520    ----a-w-    c:\windows\system32\DWrite.dll
2013-09-01 17:59 . 2013-09-01 17:59    --------    d-----w-    c:\windows\SysWow64\Wat
2013-09-01 17:59 . 2013-09-01 17:59    --------    d-----w-    c:\windows\system32\Wat
2013-09-01 17:42 . 2012-07-26 04:55    785512    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-09-01 17:42 . 2012-07-26 04:55    54376    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-09-01 17:42 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-09-01 17:42 . 2012-07-26 02:36    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-09-01 17:34 . 2013-09-12 12:04    --------    d-----w-    c:\windows\system32\MRT
2013-09-01 17:24 . 2013-01-13 19:53    187392    ----a-w-    c:\windows\SysWow64\UIAnimation.dll
2013-09-01 17:23 . 2012-03-01 06:46    23408    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-09-01 17:23 . 2012-03-01 06:33    81408    ----a-w-    c:\windows\system32\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 06:28    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-09-01 17:23 . 2012-03-01 05:33    159232    ----a-w-    c:\windows\SysWow64\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\SysWow64\wmi.dll
2013-09-01 17:20 . 2013-09-01 17:20    --------    d-----w-    c:\program files\AuthenTec
2013-09-01 17:19 . 2012-05-04 11:00    366592    ----a-w-    c:\windows\system32\qdvd.dll
2013-09-01 17:19 . 2012-05-04 09:59    514560    ----a-w-    c:\windows\SysWow64\qdvd.dll
2013-09-01 17:19 . 2012-08-24 18:13    154480    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2013-09-01 17:19 . 2012-08-24 18:09    458712    ----a-w-    c:\windows\system32\drivers\cng.sys
2013-09-01 17:19 . 2012-08-24 18:05    340992    ----a-w-    c:\windows\system32\schannel.dll
2013-09-01 17:19 . 2012-08-24 18:03    1448448    ----a-w-    c:\windows\system32\lsasrv.dll
2013-09-01 17:19 . 2012-08-24 16:57    247808    ----a-w-    c:\windows\SysWow64\schannel.dll
2013-09-01 17:19 . 2012-08-24 16:57    22016    ----a-w-    c:\windows\SysWow64\secur32.dll
2013-09-01 17:19 . 2012-08-24 16:53    96768    ----a-w-    c:\windows\SysWow64\sspicli.dll
2013-09-01 17:17 . 2013-05-27 05:50    1011712    ----a-w-    c:\program files\Windows Defender\MpSvc.dll
2013-09-01 17:16 . 2012-01-04 10:44    509952    ----a-w-    c:\windows\system32\ntshrui.dll
2013-09-01 17:15 . 2013-02-27 06:02    111448    ----a-w-    c:\windows\system32\consent.exe
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-07 08:22 . 2010-11-21 03:27    278800    ------w-    c:\windows\system32\MpSigStub.exe
2013-08-02 01:48 . 2013-09-12 11:54    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2013-06-20 21:43 . 2013-06-20 21:43    382248    ----a-w-    c:\windows\system32\TpShocks.exe
2013-06-20 21:43 . 2013-06-20 21:43    280872    ----a-w-    c:\windows\system32\TpShEvUI.exe
2013-06-20 21:43 . 2013-06-20 21:43    107816    ----a-w-    c:\windows\system32\TpShCTL.exe
2013-06-20 21:43 . 2013-06-20 21:43    484648    ----a-w-    c:\windows\system32\TpShCPL.dll
2013-06-20 21:43 . 2013-06-20 21:43    419624    ----a-w-    c:\windows\system32\TpShCPL.cpl
2013-06-20 20:49 . 2013-06-20 20:49    49920    ----a-w-    c:\windows\system32\TPHDEXLG64.exe
2013-06-20 20:49 . 2013-06-20 20:49    25856    ----a-w-    c:\windows\system32\drivers\ApsHM64.sys
2013-06-20 20:49 . 2013-06-20 20:49    24056    ----a-w-    c:\windows\system32\Sensor64.DLL
2013-06-20 20:49 . 2013-06-20 20:49    22520    ----a-w-    c:\windows\SysWow64\Sensor.DLL
2013-06-20 20:49 . 2013-06-20 20:49    150272    ----a-w-    c:\windows\system32\drivers\ApsX64.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]
"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ       scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]
S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]
S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]
S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]
S2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]
S2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
S2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]
@="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"
[HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]
2013-06-20 15:53    919656    ----a-w-    c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]
@="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"
[HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]
2013-06-20 15:53    919656    ----a-w-    c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]
@="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"
[HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]
2013-06-20 15:53    919656    ----a-w-    c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]
2013-09-01 18:11    102792    ----a-w-    c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]
2013-09-01 18:11    102792    ----a-w-    c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]
2013-09-01 18:11    102792    ----a-w-    c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]
2013-09-01 18:11    102792    ----a-w-    c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2013-06-20 382248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]
"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\

FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com
FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com
FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exe
c:\windows\SysWOW64\SAsrv.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\progra~1\Lenovo\Zoom\TPSCREX.EXE
c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
.
**************************************************************************
.
Completion time: 2013-09-17  12:47:02 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-17 16:47
ComboFix2.txt  2013-09-17 15:16
ComboFix3.txt  2013-09-16 15:08
ComboFix4.txt  2013-09-16 14:41
.
Pre-Run: 98,892,083,200 bytes free
Post-Run: 98,833,932,288 bytes free
.
- - End Of File - - 6D37093ECF421444409600BB70FA507C

MBAM:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.17.08

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16686
Nachum :: NACHUM-OFFICE [administrator]

9/17/2013 1:03:03 PM
MBAM-log-2013-09-17 (16-38-02).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 2162436
Time elapsed: 3 hour(s), 20 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel|HomePage (PUM.Hijack.HomePageControl) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

ESET:

H:\2c2c\g3d9f.js    JS/Kryptik.AKG trojan
H:\2c2c\i31313.js    JS/Kryptik.AKG trojan
I:\2c2c\g3d9f.js    JS/Kryptik.AKG trojan
I:\2c2c\i31313.js    JS/Kryptik.AKG trojan
J:\Install_files\epm.exe    Win32/OpenCandy application
 


Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

CFScript.txt


Here is the ComboFix with script log:

 

ComboFix 13-09-17.01 - Nachum 09/18/2013   8:19.5.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8074.5887 [GMT -4:00]
Running from: c:\users\Nachum\Desktop\nk.exe
Command switches used :: c:\users\Nachum\Desktop\CFScript.txt
AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Webroot SecureAnywhere *Disabled/Updated* {27678718-4A47-3119-06F0-3719487B3EBC}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"h:\2c2c\g3d9f.js"
"h:\2c2c\i31313.js"
"i:\2c2c\g3d9f.js"
"i:\2c2c\i31313.js"
"j:\install_files\epm.exe"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
h:\2c2c\g3d9f.js
h:\2c2c\i31313.js
i:\2c2c\g3d9f.js
i:\2c2c\i31313.js
j:\install_files\epm.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-18 to 2013-09-18  )))))))))))))))))))))))))))))))
.
.
2013-09-18 12:24 . 2013-09-18 12:24    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-09-16 13:56 . 2013-09-16 13:56    --------    d-----w-    C:\FRST
2013-09-16 03:00 . 2013-09-16 03:01    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-09-16 03:00 . 2013-09-16 03:00    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2013-09-16 02:30 . 2013-09-16 02:30    --------    d-----w-    c:\windows\system32\MpEngineStore
2013-09-16 00:55 . 2013-09-16 00:55    --------    d-----w-    c:\program files (x86)\ESET
2013-09-16 00:18 . 2013-09-16 15:13    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2013-09-16 00:18 . 2009-01-25 17:14    17272    ----a-w-    c:\windows\system32\sdnclean64.exe
2013-09-16 00:17 . 2013-09-16 00:19    --------    d-----w-    c:\program files (x86)\Spybot - Search & Destroy 2
2013-09-16 00:06 . 2013-09-16 00:06    --------    d-----w-    c:\programdata\Malwarebytes
2013-09-16 00:06 . 2013-09-16 00:06    --------    d-----w-    c:\program files (x86)\Malwarebytes' Anti-Malware
2013-09-16 00:06 . 2013-04-04 18:50    25928    ----a-w-    c:\windows\system32\drivers\mbam.sys
2013-09-13 08:47 . 2013-08-20 04:46    9515512    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{66079D03-DCD2-45B1-8321-1DB78F55B881}\mpengine.dll
2013-09-12 23:19 . 2013-09-12 23:19    --------    d-----w-    c:\program files\Common Files\Lenovo
2013-09-12 23:19 . 2013-09-12 23:19    --------    d-----w-    c:\program files (x86)\Common Files\Lenovo
2013-09-12 23:08 . 2013-09-12 23:08    --------    d-----w-    c:\windows\Downloaded Installations
2013-09-12 23:08 . 2013-09-12 23:08    --------    d-----w-    c:\program files\Common Files\SPBA
2013-09-12 23:08 . 2013-09-12 23:08    --------    d-----w-    c:\program files\ThinkVantage Fingerprint Software
2013-09-12 23:08 . 2013-09-12 23:08    --------    d-----w-    c:\program files (x86)\Common Files\SPBA
2013-09-12 22:54 . 2013-09-12 22:54    --------    d-----w-    c:\program files (x86)\Common Files\InstallShield
2013-09-12 22:54 . 2013-09-12 22:54    --------    d-----w-    C:\DRIVERS
2013-09-12 11:54 . 2013-08-05 02:25    155584    ----a-w-    c:\windows\system32\drivers\ataport.sys
2013-09-05 15:41 . 2013-09-05 15:41    --------    d-----w-    c:\program files (x86)\Common Files\ResearchSoft
2013-09-05 15:38 . 2013-09-05 15:38    --------    d-----w-    c:\program files (x86)\Common Files\Risxtd
2013-09-05 15:38 . 2013-09-05 15:41    --------    d-----w-    c:\program files (x86)\EndNote X7
2013-09-05 15:37 . 2013-09-05 15:41    --------    d-----w-    c:\programdata\Thomson.ResearchSoft.Installers
2013-09-05 15:12 . 2013-09-05 15:12    66344    ----a-w-    c:\windows\system32\ibmpmsvc.exe
2013-09-05 15:12 . 2013-09-05 15:12    60712    ----a-w-    c:\windows\system32\ibmpmctl.exe
2013-09-05 15:12 . 2013-09-05 15:12    54528    ----a-w-    c:\windows\system32\drivers\ibmpmdrv.sys
2013-09-05 15:12 . 2013-09-05 15:12    40232    ----a-w-    c:\windows\system32\tpinspm.dll
2013-09-05 14:47 . 2013-09-17 20:42    --------    d-----w-    C:\Temp
2013-09-03 19:52 . 2013-09-03 19:52    --------    d-----w-    c:\program files (x86)\MSXML 4.0
2013-09-03 19:52 . 2013-09-03 19:52    --------    d-----w-    c:\program files (x86)\Microsoft CAPICOM 2.1.0.2
2013-09-03 17:39 . 2013-09-03 17:39    --------    d-----w-    c:\program files (x86)\Common Files\Skype
2013-09-03 17:39 . 2013-09-03 17:39    --------    d-----r-    c:\program files (x86)\Skype
2013-09-03 17:39 . 2013-09-03 17:39    --------    d-----w-    c:\programdata\Skype
2013-09-03 17:36 . 2013-09-03 17:36    --------    d-----w-    c:\program files\7-Zip
2013-09-03 17:23 . 2013-09-03 17:23    --------    d-----w-    c:\windows\SysWow64\MSMAPI
2013-09-03 17:23 . 2013-09-03 17:23    --------    d-----w-    c:\windows\SysWow64\MAPI
2013-09-03 17:23 . 2013-09-03 17:23    --------    d-----w-    c:\program files (x86)\IPBLUE
2013-09-03 17:23 . 2013-09-03 17:23    --------    d-----w-    c:\programdata\IPBLUE
2013-09-03 16:05 . 2013-09-03 16:05    --------    d-----w-    c:\windows\system32\appmgmt
2013-09-02 22:08 . 2013-09-02 22:08    --------    d-----w-    c:\program files (x86)\Mozilla Thunderbird
2013-09-02 21:59 . 2013-09-02 21:59    --------    d-----w-    c:\program files (x86)\TeamViewer
2013-09-02 21:39 . 2009-08-20 03:50    24416    ----a-r-    c:\windows\system32\AdobePDFUI.dll
2013-09-02 20:33 . 2013-09-02 20:33    --------    d-----w-    c:\programdata\GraphPad Software
2013-09-02 20:32 . 2013-09-02 20:33    --------    d-----w-    c:\program files (x86)\GraphPad
2013-09-02 20:21 . 2013-09-02 20:21    --------    d-----w-    c:\programdata\CambridgeSoft
2013-09-02 20:21 . 2013-09-02 20:21    --------    d-----w-    c:\program files (x86)\CambridgeSoft
2013-09-02 20:05 . 2009-08-20 03:50    52568    ----a-w-    c:\windows\system32\AdobePDF.dll
2013-09-02 20:01 . 2013-09-02 20:02    --------    d-----w-    c:\programdata\FLEXnet
2013-09-02 20:00 . 2013-09-02 20:00    --------    d-----w-    c:\program files (x86)\Common Files\Macrovision Shared
2013-09-02 19:59 . 2013-09-02 20:04    --------    d-----w-    c:\program files (x86)\Common Files\Adobe
2013-09-02 19:26 . 2013-09-02 19:26    --------    d-----w-    c:\programdata\WEBREG
2013-09-02 19:25 . 2010-05-14 19:04    253440    ----a-w-    c:\windows\system32\Spool\prtprocs\x64\hpfpp02t.dll
2013-09-02 19:24 . 2013-09-02 19:24    --------    d-----w-    c:\windows\SysWow64\spool
2013-09-02 16:50 . 2013-09-02 16:50    --------    d-----w-    c:\program files (x86)\Common Files\HP
2013-09-02 16:50 . 2013-09-02 16:50    --------    d-----w-    c:\program files (x86)\Common Files\Hewlett-Packard
2013-09-02 16:50 . 2010-05-14 19:04    138752    ----a-w-    c:\windows\system32\hpf3l02t.dll
2013-09-02 16:48 . 2010-05-13 10:29    553472    ----a-w-    c:\windows\system32\hppldcoi.dll
2013-09-02 16:48 . 2010-05-13 10:25    906240    ----a-w-    c:\windows\system32\hpwwiax5.dll
2013-09-02 16:48 . 2010-05-13 10:25    1422848    ----a-w-    c:\windows\system32\hpwtiop4.dll
2013-09-02 16:48 . 2010-04-26 08:52    644456    ----a-w-    c:\windows\system32\hpzids40.dll
2013-09-02 16:48 . 2010-02-01 06:54    488960    ----a-w-    c:\windows\system32\hpovst11.dll
2013-09-02 16:47 . 2013-09-02 19:24    --------    d-----w-    c:\programdata\HP
2013-09-02 16:47 . 2013-09-02 19:24    --------    d-----w-    c:\program files (x86)\HP
2013-09-02 16:33 . 2013-09-02 16:33    --------    d-----w-    C:\Phoenix.JPS
2013-09-02 16:32 . 2013-09-02 16:32    --------    d-----w-    c:\windows\system32\APSystem
2013-09-02 16:30 . 2013-09-02 16:30    --------    d-----w-    c:\programdata\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30    --------    d-----w-    c:\programdata\SafeNet Sentinel
2013-09-02 16:30 . 2013-09-02 16:35    --------    d-----w-    c:\program files (x86)\Pharsight
2013-09-02 16:30 . 2013-09-02 16:30    --------    d-----w-    C:\PHSTMinGW
2013-09-02 16:30 . 2013-09-02 16:30    --------    d-----w-    c:\program files (x86)\Common Files\Pharsight
2013-09-02 16:28 . 2013-09-05 15:36    --------    d-----w-    c:\program files (x86)\Common Files\Wise Installation Wizard
2013-09-02 16:13 . 2013-09-02 16:13    --------    d-----w-    c:\program files (x86)\TIBCO
2013-09-01 21:40 . 2013-09-01 21:40    --------    d-----w-    c:\program files (x86)\Egnyte Local Cloud
2013-09-01 20:39 . 2013-09-01 20:39    --------    d-----w-    c:\program files (x86)\EaseUS
2013-09-01 19:55 . 2013-09-01 19:55    --------    d-----w-    c:\users\Default\AppData\Local\Microsoft Help
2013-09-01 19:50 . 2013-09-01 16:04    --------    d-----w-    c:\windows\Panther
2013-09-01 19:38 . 2010-09-07 18:09    15472    ----a-w-    c:\windows\system32\drivers\smiifx64.sys
2013-09-01 19:10 . 2013-09-01 19:10    --------    d-----w-    c:\windows\PCHEALTH
2013-09-01 19:06 . 2013-09-01 19:06    --------    d-----w-    c:\program files\Microsoft Office
2013-09-01 19:06 . 2013-09-01 19:06    --------    d-----w-    c:\program files (x86)\Microsoft Analysis Services
2013-09-01 19:06 . 2013-09-12 12:03    --------    d-----w-    c:\programdata\Microsoft Help
2013-09-01 19:05 . 2013-09-01 19:05    --------    d-----r-    C:\MSOCache
2013-09-01 19:00 . 2013-09-12 11:37    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-01 19:00 . 2013-09-12 11:37    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-01 19:00 . 2013-09-01 19:00    --------    d-----w-    c:\windows\SysWow64\Macromed
2013-09-01 19:00 . 2013-09-01 19:00    --------    d-----w-    c:\windows\system32\Macromed
2013-09-01 18:31 . 2013-09-03 03:05    --------    d-----w-    c:\program files (x86)\Mozilla Maintenance Service
2013-09-01 18:25 . 2013-09-01 19:10    --------    d-----w-    c:\program files (x86)\Microsoft.NET
2013-09-01 18:21 . 2013-09-01 18:21    9842040    ----a-w-    c:\program files (x86)\Common Files\wruninstall.exe
2013-09-01 18:11 . 2013-09-01 18:11    150160    ----a-w-    c:\windows\SysWow64\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11    113152    ----a-w-    c:\windows\system32\drivers\WRkrn.sys
2013-09-01 18:11 . 2013-09-01 18:11    102792    ----a-w-    c:\windows\system32\WRusr.dll
2013-09-01 18:11 . 2013-09-01 18:11    --------    d-----w-    c:\program files\Webroot
2013-09-01 18:11 . 2013-09-16 16:55    --------    d-----w-    c:\programdata\WRData
2013-09-01 18:11 . 2013-04-09 23:34    1247744    ----a-w-    c:\windows\SysWow64\DWrite.dll
2013-09-01 18:11 . 2013-04-02 22:51    1643520    ----a-w-    c:\windows\system32\DWrite.dll
2013-09-01 17:59 . 2013-09-01 17:59    --------    d-----w-    c:\windows\SysWow64\Wat
2013-09-01 17:59 . 2013-09-01 17:59    --------    d-----w-    c:\windows\system32\Wat
2013-09-01 17:42 . 2012-07-26 04:55    785512    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2013-09-01 17:42 . 2012-07-26 04:55    54376    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2013-09-01 17:42 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2013-09-01 17:42 . 2012-07-26 02:36    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2013-09-01 17:34 . 2013-09-12 12:04    --------    d-----w-    c:\windows\system32\MRT
2013-09-01 17:24 . 2013-01-13 19:53    187392    ----a-w-    c:\windows\SysWow64\UIAnimation.dll
2013-09-01 17:23 . 2012-03-01 06:46    23408    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2013-09-01 17:23 . 2012-03-01 06:33    81408    ----a-w-    c:\windows\system32\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 06:28    5120    ----a-w-    c:\windows\system32\wmi.dll
2013-09-01 17:23 . 2012-03-01 05:33    159232    ----a-w-    c:\windows\SysWow64\imagehlp.dll
2013-09-01 17:23 . 2012-03-01 05:29    5120    ----a-w-    c:\windows\SysWow64\wmi.dll
2013-09-01 17:20 . 2013-09-01 17:20    --------    d-----w-    c:\program files\AuthenTec
2013-09-01 17:19 . 2012-05-04 11:00    366592    ----a-w-    c:\windows\system32\qdvd.dll
2013-09-01 17:19 . 2012-05-04 09:59    514560    ----a-w-    c:\windows\SysWow64\qdvd.dll
2013-09-01 17:19 . 2012-08-24 18:13    154480    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2013-09-01 17:19 . 2012-08-24 18:09    458712    ----a-w-    c:\windows\system32\drivers\cng.sys
2013-09-01 17:19 . 2012-08-24 18:05    340992    ----a-w-    c:\windows\system32\schannel.dll
2013-09-01 17:19 . 2012-08-24 18:03    1448448    ----a-w-    c:\windows\system32\lsasrv.dll
2013-09-01 17:19 . 2012-08-24 16:57    247808    ----a-w-    c:\windows\SysWow64\schannel.dll
2013-09-01 17:19 . 2012-08-24 16:57    22016    ----a-w-    c:\windows\SysWow64\secur32.dll
2013-09-01 17:19 . 2012-08-24 16:53    96768    ----a-w-    c:\windows\SysWow64\sspicli.dll
2013-09-01 17:17 . 2013-05-27 05:50    1011712    ----a-w-    c:\program files\Windows Defender\MpSvc.dll
2013-09-01 17:16 . 2012-01-04 10:44    509952    ----a-w-    c:\windows\system32\ntshrui.dll
2013-09-01 17:15 . 2013-02-27 06:02    111448    ----a-w-    c:\windows\system32\consent.exe
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-07 08:22 . 2010-11-21 03:27    278800    ------w-    c:\windows\system32\MpSigStub.exe
2013-08-02 01:48 . 2013-09-12 11:54    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2013-06-20 21:43 . 2013-06-20 21:43    382248    ----a-w-    c:\windows\system32\TpShocks.exe
2013-06-20 21:43 . 2013-06-20 21:43    280872    ----a-w-    c:\windows\system32\TpShEvUI.exe
2013-06-20 21:43 . 2013-06-20 21:43    107816    ----a-w-    c:\windows\system32\TpShCTL.exe
2013-06-20 21:43 . 2013-06-20 21:43    484648    ----a-w-    c:\windows\system32\TpShCPL.dll
2013-06-20 21:43 . 2013-06-20 21:43    419624    ----a-w-    c:\windows\system32\TpShCPL.cpl
2013-06-20 20:49 . 2013-06-20 20:49    49920    ----a-w-    c:\windows\system32\TPHDEXLG64.exe
2013-06-20 20:49 . 2013-06-20 20:49    25856    ----a-w-    c:\windows\system32\drivers\ApsHM64.sys
2013-06-20 20:49 . 2013-06-20 20:49    24056    ----a-w-    c:\windows\system32\Sensor64.DLL
2013-06-20 20:49 . 2013-06-20 20:49    22520    ----a-w-    c:\windows\SysWow64\Sensor.DLL
2013-06-20 20:49 . 2013-06-20 20:49    150272    ----a-w-    c:\windows\system32\drivers\ApsX64.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files (x86)\Integrated Camera Driver\X64\RCIMGDIR.exe" [2008-10-30 55808]
"Dolby Home Theater v4"="c:\program files (x86)\Dolby Home Theater v4\pcee4.exe" [2011-02-03 506712]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-09-16 115048]
"WRSVC"="c:\program files\Webroot\WRSA.exe" [2013-09-01 754760]
"Egnyte Local Cloud Systray App"="c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_systray.exe" [2013-06-20 24168]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2013-05-08 44128]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2013-05-08 642664]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
Install Webroot FF RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -q -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
Install Webroot IE RunOnce.lnk - c:\program files (x86)\Common Files\wruninstall.exe -p -name=webroot -ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --disablenotes --disableidentities --disablevault --disablecontext [2013-9-1 9842040]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoAutorun"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\SysWOW64\nvinit.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ       scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 JobProcessingService;Phoenix Job Processing Service;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe;c:\program files (x86)\Pharsight\Phoenix\application\jps.exe [x]
R2 JobQueueService;Phoenix Job Queue Service;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe;c:\program files (x86)\Pharsight\Phoenix\application\jqs.exe [x]
R2 risdxc;risdxc;c:\windows\system32\DRIVERS\risdxc64.sys;c:\windows\SYSNATIVE\DRIVERS\risdxc64.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM64.sys;c:\windows\SYSNATIVE\DRIVERS\ApsHM64.sys [x]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys;c:\windows\SYSNATIVE\drivers\WRkrn.sys [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiifx64.sys;c:\windows\SYSNATIVE\DRIVERS\smiifx64.sys [x]
S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 CxAudMsg;Conexant Audio Message Service;c:\windows\system32\CxAudMsg64.exe;c:\windows\SYSNATIVE\CxAudMsg64.exe [x]
S2 egnyteMon;Egnyte Drive Monitor Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudDriveMonitor.exe [x]
S2 egnyteSync;Egnyte Synchronizer Service;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe;c:\program files (x86)\Egnyte Local Cloud\EgnyteLocalCloudSynchronizer.exe [x]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [x]
S2 mpich2_smpd;MPICH2 Process Manager, Argonne National Lab;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe;c:\program files (x86)\Pharsight\MPICH2\bin\smpd.exe [x]
S2 SAService;Conexant SmartAudio service;c:\windows\system32\SAsrv.exe;c:\windows\SYSNATIVE\SAsrv.exe [x]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TPHKLOAD;Lenovo Hotkey Client Loader;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe;c:\program files\LENOVO\HOTKEY\TPHKLOAD.exe [x]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [x]
S2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe;c:\program files\Webroot\WRSA.exe [x]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys;c:\windows\SYSNATIVE\DRIVERS\5U877.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 SmbDrvI;SmbDrvI;c:\windows\system32\DRIVERS\Smb_driver_Intel.sys;c:\windows\SYSNATIVE\DRIVERS\Smb_driver_Intel.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-01 11:37]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _001EgnyteOk]
@="{3A87EE91-AED7-46E9-B8A3-5360628BA718}"
[HKEY_CLASSES_ROOT\CLSID\{3A87EE91-AED7-46E9-B8A3-5360628BA718}]
2013-06-20 15:53    919656    ----a-w-    c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _002EgnytePending]
@="{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}"
[HKEY_CLASSES_ROOT\CLSID\{32C0A1F2-A6AA-41FB-906A-C8FB4436B2B3}]
2013-06-20 15:53    919656    ----a-w-    c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ _003EgnyteError]
@="{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}"
[HKEY_CLASSES_ROOT\CLSID\{6C86A3CE-0F44-4C8A-8A3E-34B68ECD30A7}]
2013-06-20 15:53    919656    ----a-w-    c:\program files (x86)\Egnyte Local Cloud\Extensions\EgnyteExtensions.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncExcl]
@="{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}"
[HKEY_CLASSES_ROOT\CLSID\{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}]
2013-09-01 18:11    102792    ----a-w-    c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncGreen]
@="{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}"
[HKEY_CLASSES_ROOT\CLSID\{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}]
2013-09-01 18:11    102792    ----a-w-    c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncRed]
@="{1914B27A-33C8-46F8-A1C2-F993268D4564}"
[HKEY_CLASSES_ROOT\CLSID\{1914B27A-33C8-46F8-A1C2-F993268D4564}]
2013-09-01 18:11    102792    ----a-w-    c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\_WrSyncYellow]
@="{C14874EA-ACE4-4A47-8A81-18C4D1C40868}"
[HKEY_CLASSES_ROOT\CLSID\{C14874EA-ACE4-4A47-8A81-18C4D1C40868}]
2013-09-01 18:11    102792    ----a-w-    c:\windows\System32\WRusr.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TpShocks"="TpShocks.exe" [2013-06-20 382248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-14 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-14 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-14 416024]
"ForteConfig"="c:\program files\Conexant\ForteConfig\fmapp.exe" [2010-10-26 49056]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-12-14 316032]
"PSQLLauncher"="c:\program files\ThinkVantage Fingerprint Software\launcher.exe" [2013-03-05 86312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\nvinitx.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\

FF - ExtSQL: 2013-09-01 14:32; {097d3191-e6fa-4728-9826-b533d755359d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}.xpi
FF - ExtSQL: 2013-09-01 14:32; support@lastpass.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\support@lastpass.com
FF - ExtSQL: 2013-09-01 14:32; foxmarks@kei.com; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\foxmarks@kei.com
FF - ExtSQL: 2013-09-01 18:27; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Egnyte Local Cloud\egnyte_local_cloud_client.exe
c:\windows\SysWOW64\SAsrv.exe
c:\progra~1\Lenovo\Zoom\TPSCREX.EXE
c:\progra~1\Lenovo\HOTKEY\TPONSCR.EXE
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
.
**************************************************************************
.
Completion time: 2013-09-18  08:30:52 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-18 12:30
ComboFix2.txt  2013-09-17 16:47
ComboFix3.txt  2013-09-17 15:16
ComboFix4.txt  2013-09-16 15:08
ComboFix5.txt  2013-09-18 12:18
.
Pre-Run: 98,760,097,792 bytes free
Post-Run: 98,659,074,048 bytes free
.
- - End Of File - - B91DCACBEA7E3186BACBA284F2351FBC

Now THAT looks good! :)

 

 

Let's cross check!

 

 

Full System Scan with Malwarebytes Antimalware


  • If not existing, please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.



If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

 

 

 

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


MBAM found no malicious items (see below). One remaining issue is that I cannot turn Windows firewall on; I need to go to "manual", and when I click "recommended settings" nothing happens. I have also activated the MBAM Pro version. In addition, my wife's laptop is infected, same symptoms as I had (we shared one of the external hard drives). Do you want to have a go at it? If so, where should I start (KAV rescue disk?)? Alternatively, will a clean Windows install be effective?

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.19.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
Nachum :: NACHUM-OFFICE [administrator]

Protection: Enabled

9/19/2013 7:32:23 AM
mbam-log-2013-09-19 (07-32-23).txt

Scan type: Full scan (C:\|D:\|F:\|G:\|H:\|I:\|J:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 2163977
Time elapsed: 3 hour(s), 12 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 


Wait with your wife's laptop until we have finished yours. A clean Windows install (with a format of the whole drive - no quick format!) will do the trick and wipe the malware as well.

 

When finished with ESET, run Farbar's Service Scanner. We'll get the remaining issues fixed.

 

Scan with Farbar's Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender



  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

Here are the results of the latest ESET scan

 

C:\Qoobox\Quarantine\H\2c2c\g3d9f.js.vir    JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\H\2c2c\i31313.js.vir    JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\I\2c2c\g3d9f.js.vir    JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\I\2c2c\i31313.js.vir    JS/Kryptik.AKG trojan
C:\Qoobox\Quarantine\J\Install_files\epm.exe.vir    Win32/OpenCandy application
 


As you can see, we managed to get rid of this threat: All of the files ESET found are inside the Combofix quarantine. :)

 

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Delete
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[s1].txt also


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.

Here are the results of the AdwCleaner, Security Check and Farbar.

 

In addition I have decided to do a clean Windows 7 install on my wife's laptop - can you please send me instructions for a full format during installation from a Win 7 DVD?

 

# AdwCleaner v3.004 - Report created 20/09/2013 at 10:26:55
# Updated 15/09/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Nachum - NACHUM-OFFICE
# Running from : C:\Users\Nachum\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\Nachum\AppData\Roaming\Mozilla\Firefox\Profiles\trml7dnw.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [781 octets] - [20/09/2013 10:26:11]
AdwCleaner[s0].txt - [703 octets] - [20/09/2013 10:26:55]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [762 octets] ##########
 

 Results of screen317's Security Check version 0.99.73  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 10  
``````````````Antivirus/Firewall Check:``````````````
Webroot SecureAnywhere   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Adobe Flash Player 11.8.800.168  
 Mozilla Firefox (23.0.1)
 Mozilla Thunderbird (17.0.8)
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 

Farbar Service Scanner Version: 13-09-2013
Ran by Nachum (administrator) on 20-09-2013 at 10:33:13
Running from "C:\Users\Nachum\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****


First of all, find information on how to do a clean reinstall of Windows:

 

http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html

 

Then your system is clean! :)

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  1. In the case we used Defogger to turn off your CD emulation software: you can start it again and use the Enable button.
  2. In the case we used Combofix: deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  3. In any case please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
    • If there is still something left please delete it manually.

 

 

 

How to protect yourself

  • System Updates
    Being up to date is very important. Please be sure to activate automatic updates in your control panel.
    Windows XP | Windows Vista |
    Windows 7 | Windows 8
  • Protection
    What you need is one (not more) good virus scanner with background protection. Additionally I recommend a special malware scanner that you run from time to time.
    Personally I am using the avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer you good protection for free use. But please remember: you only get the full protection if you use the paid versions of your security software.
  • Up to date Software
    Stay up to date with all the programs you use. Some of those you really have to keep an eye on are: your browser(s) including add-ons and plug-ins, Java, Flash Player, your virus scanner, and basically every piece of software you use often. These links may help you to check:
  • Backups
    There are chances for an emergency every day. So be prepared. Back up your data on a regular basis. Whether you burn it to DVDs from time to time, use a cloud drive or a professional network backup system is your choice.
  • Brains
    It's no joke! You really need one of those things. :) It is very important not just to click anywhere it is colored or flashing while you are surfing on the web. Do not click an OK button on any popping window without reading what it says. While installing software always choose the custom mode, read what those windows say and uncheck adware that will be installed along with the software you want.

Marius, thank you. I have uninstalled ComboFix and run delfix (log below). The remaining issue is Windows firewall - I cannot turn it on. Message center cannot turn it on, and when I try manually and click "use recommended settings" nothing happens and the firewall is not turned on.

 

# DelFix v10.4 - Logfile created 21/09/2013 at 08:44:22
# Updated 19/07/2013 by Xplode
# Username : Nachum - NACHUM-OFFICE
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.2.8.16.0_15.09.2013_22.18.57_log.txt
Deleted : C:\Users\Nachum\Desktop\adwcleaner.exe
Deleted : C:\Users\Nachum\Desktop\aswmbr.exe
Deleted : C:\Users\Nachum\Desktop\aswMBR.txt
Deleted : C:\Users\Nachum\Desktop\FSS.exe
Deleted : C:\Users\Nachum\Desktop\FSS.txt
Deleted : C:\Users\Nachum\Desktop\Log_combifix_script.txt
Deleted : C:\Users\Nachum\Desktop\MBR.dat
Deleted : C:\Users\Nachum\Desktop\SecurityCheck.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #20 [ComboFix created restore point | 09/21/2013 12:40:35]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 


Ran Farbar again, this is the report regarding Windows Firewall (no other findings):

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

 

Any action I should take?

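The "Windows Firewall" and "Firewall Disabled Policy" sections that Farbar Service Scanner printed in both FSS logs above (MpsSvc not running, EnableFirewall=DWORD:0 under the StandardProfile key) can be reproduced with the read-only PowerShell audit below. This is an added example, not part of the thread and not code from the FSS tool. It checks the SharedAccess path FSS quoted and, as an assumption about the platform rather than something the logs state, also the Group Policy location HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, because a value set there overrides the live settings; BFE is included because MpsSvc depends on it. It runs on the PowerShell 2.0 that ships with Windows 7 and changes nothing.

```powershell
# Added example (not from the thread or from FSS): read-only audit of the
# firewall service state and the EnableFirewall policy values.
# Run from an elevated PowerShell prompt on the machine being checked.

$profiles = 'DomainProfile', 'StandardProfile', 'PublicProfile'

# Two registry roots are checked: the live settings path that FSS quoted and
# the Group Policy override path (assumed here; a value there wins over the
# live settings, which is what makes the control panel button do nothing).
$roots = @{
    'Live settings' = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    'Group Policy'  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
}

$findings = @()

# Service check: BFE (Base Filtering Engine) must run before MpsSvc can start.
foreach ($service in 'BFE', 'MpsSvc') {
    $svc = Get-Service -Name $service -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += "Service $service is missing"
        continue
    }
    $startType = (Get-WmiObject Win32_Service -Filter "Name='$service'").StartMode
    if ($svc.Status -ne 'Running') {
        $findings += "Service $service is not running (start type: $startType)"
    }
}

# Policy check: report every profile where EnableFirewall is explicitly 0.
foreach ($entry in $roots.GetEnumerator()) {
    foreach ($p in $profiles) {
        $key = Join-Path $entry.Value $p
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableFirewall
        if ($null -ne $value -and $value -eq 0) {
            $findings += "$($entry.Key): $p has EnableFirewall=0 ($key)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No firewall service or policy problems found.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}

# Cross-check against what Windows itself reports for each profile.
netsh advfirewall show allprofiles state
```

On the machine in this thread the expected output is one finding for the StandardProfile key plus MpsSvc not running, matching the FSS log; a finding under the Group Policy root would indicate the setting is being enforced by policy rather than by the live configuration, which is the case the control panel cannot change by itself.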

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
