tonymorri10
2010-06-05, 15:42
Hello all,
Usually I can fix/remove any viruses I get, but this one is stubborn. Spybot detects it, and removes it but it comes back after every reboot and I can not find a way to nuke it permanently. Here is what I have done.
Spybot always finds the following entry located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
C:\Users\tmorris.CORP\AppData\Roaming\vlyvcj.exe
I have run Spybot's newest version and removed it.
I have run McAfee version 8.7i and detected nothing.
I have run Ad-Aware and detected nothing.
I have run Malwarebytes and removed it.
As always, after a reboot, it is back. It is currently being blocked in ZoneAlarm, so it is crippled, but I just can't get rid of it. Attached are the 2 DDS reports.
Any ideas you guys can give would be greatly appreciated.
Update. I noticed that, when I ask Spybot to remove this entry, it IMMEDIATELY reappears. So there is something running in the background that constantly checks and re-adds the entry.
Another minor update. I find this file in the c:/windows/prefetch directory:
VLYVCJ.EXE-93F1BAC4.pf
If I delete it, it comes back upon reboot. I have NOT seen it reappear immediately like the registry entry.
Also, as a side note, I blocked the registry entry via TeaTimer and it constantly reappears and is blocked by TeaTimer. Still no idea of the root cause though.
It seems like this is somehow integrated into explorer.exe.
If I run process explorer, it finds the file (see attached screenshot), but I do not see how to alter explorer.exe in order to delete this entry.
DDS (Ver_10-03-17.01) - NTFSx86
Run by TMorris at 8:30:23.23 on Sat 06/05/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2042.625 [GMT -4:00]
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\ifxtcs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\IfxPsdSv.exe
C:\Windows\system32\PGPserv.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\rpcnet.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Users\tmorris.CORP\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\regedit.exe
C:\Users\tmorris.CORP\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://atwork.intraweb.lpl.com/Pages/Default.aspx
uDefault_Page_URL = hxxp://atwork.intraweb.lpl.com/Pages/Default.aspx
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
mURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
mWinlogon: Taskman=c:\users\tmorris.corp\appdata\roaming\vlyvcj.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - No File
TB: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [IFXSPMGT] "c:\program files\hewlett-packard\embedded security software\ifxspmgt.exe" /NotifyLogon
mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
StartupFolder: c:\users\tmorri~1.cor\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\tmorris.corp\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{97a996cf-fc9d-4676-a1bf-a55ac497e854}\Icon6560581611.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\Icon3E5562ED7.ico
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel
IE: Se&nd to OneNote
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: lpl.com\vncsblwebprd.ncprod
DPF: {2203BFCF-9541-41B6-931D-CEB34F81DB0D}
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566}
DPF: {60CD4076-F4B6-4F8B-AF3E-61B200346DD9}
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F}
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: DeviceNP - DeviceNP.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
LSA: Notification Packages = scecli PGPpwflt PGPpwflt
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\users\tmorri~1.cor\appdata\roaming\mozilla\firefox\profiles\6kvzqo0x.default\
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\users\tmorris.corp\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\tmorris.corp\appdata\local\huludesktop\instances\0.9.10.1\nphdplg.dll
FF - plugin: c:\users\tmorris.corp\appdata\roaming\mozilla\firefox\profiles\6kvzqo0x.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-7-29 482176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-4-30 29472]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
=============== Created Last 30 ================
2010-06-05 04:04:30 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\Malwarebytes
2010-06-05 04:03:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-05 04:03:31 0 d-----w- c:\programdata\Malwarebytes
2010-06-05 04:03:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-05 04:03:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-05 03:28:11 0 d-----w- c:\program files\Trend Micro
2010-06-02 21:28:43 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\Safer Networking
2010-06-02 21:25:06 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-06-02 21:24:21 242992 ----a-w- c:\windows\system32\drivers\SynTP.sys
2010-06-02 21:24:21 210216 ----a-w- c:\windows\system32\SynCtrl.dll
2010-06-02 21:24:21 173352 ----a-w- c:\windows\system32\SynCOM.dll
2010-06-02 21:24:21 165160 ----a-w- c:\windows\system32\SynTPAPI.dll
2010-06-02 21:24:21 120104 ----a-w- c:\windows\system32\SynTPCo4.dll
2010-06-02 21:23:03 0 d-----w- c:\programdata\Intel
2010-06-02 21:21:51 0 d-----w- c:\program files\common files\Intel
2010-06-02 21:17:00 6758912 ----a-w- c:\windows\system32\drivers\NETw5s32.sys
2010-06-02 21:13:29 0 d-----w- c:\programdata\CyberLink
2010-06-02 21:13:06 0 d-----w- c:\program files\common files\CyberLink
2010-06-02 21:09:16 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-06-02 21:09:03 0 d-----w- c:\programdata\Temp
2010-06-02 21:04:36 0 d-----w- c:\program files\Safer Networking
2010-06-01 15:34:30 0 d-----w- c:\windows\IswTmp
2010-06-01 15:25:59 0 d-----w- c:\program files\Network and Security Manager
2010-06-01 15:25:58 0 d--h--w- c:\program files\Zero G Registry
2010-06-01 15:25:03 0 d--h--w- c:\users\tmorris.corp\InstallAnywhere
2010-05-28 23:45:47 0 d-----w- c:\program files\Conduit
2010-05-28 23:45:46 0 d-----w- c:\program files\ZoneAlarm
2010-05-27 17:08:46 0 d-----w- c:\program files\VideoLAN
2010-05-27 14:25:18 808240 ----a-w- c:\windows\system32\imagxra7.dll
2010-05-27 14:25:18 497296 ----a-r- c:\windows\system32\imagxpr7.dll
2010-05-27 14:25:18 263472 ----a-w- c:\windows\system32\imagxr7.dll
2010-05-27 14:25:18 1762608 ----a-w- c:\windows\system32\imagx7.dll
2010-05-27 14:24:09 0 d-----w- c:\program files\Nero
2010-05-27 14:21:08 39693246 ----a-w- c:\windows\file_3.exe
2010-05-25 17:37:17 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-16 23:51:23 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\runic games
2010-05-16 23:38:52 0 d-----w- c:\program files\Runic Games
2010-05-13 18:56:54 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\Scooter Software
2010-05-13 18:56:43 0 d-----w- c:\program files\Beyond Compare 2
2010-05-13 14:09:40 284967462 ----a-w- c:\windows\MEMORY.DMP
2010-05-12 14:15:21 0 d-----w- c:\program files\PingPlotter Pro
2010-05-12 13:05:56 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-07 12:52:11 0 d-----w- C:\Intel
2010-05-07 04:08:07 7680 ----a-w- c:\windows\RemoveAuditing.exe
==================== Find3M ====================
2010-06-05 11:50:51 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-06-05 11:50:49 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-05-28 23:46:37 421441 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-05-26 17:03:22 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-05-15 20:30:50 461400 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2010-05-07 12:53:49 0 --sha-r- c:\windows\system32\drivers\103C_HP_bNB_EliteBook 8730w_Y5336AN_0U_QCNU931DNQB_EU_4A_I30EC_SHP_V91.23_68PAD F.11_T100126_WU4-0_L409_M2043_J250_7Intel_867A_92.40_#100222_N808610F5;80864236_(FM873UT#ABA)_XMOBILE_CN10_Z_2F.11_G10DE063A.MRK
2010-04-30 18:34:51 18344 ----a-w- c:\windows\system32\drivers\btwrchid.sys
2010-04-30 18:34:50 86056 ----a-w- c:\windows\system32\drivers\btwaudio.sys
2010-04-30 18:34:50 29472 ----a-w- c:\windows\system32\drivers\btwl2cap.sys
2010-04-30 18:34:50 108072 ----a-w- c:\windows\system32\drivers\btwavdt.sys
2010-04-30 18:30:40 39712 ----a-w- c:\windows\system32\drivers\psd.sys
2010-04-30 18:30:40 271648 ----a-w- c:\windows\system32\IfxTpmKsp.dll
2010-04-22 16:43:58 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-04-12 16:29:11 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-12 16:29:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-06 15:23:16 249856 --sh--r- c:\users\tmorri~1.cor\appdata\roaming\vlyvcj.exe
2010-03-17 00:46:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-03-17 00:46:00 1515624 ----a-w- c:\windows\system32\nvsvcr.dll
2010-03-17 00:46:00 13684328 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-17 00:46:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-03-17 00:46:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-17 00:45:52 95994 ----a-w- c:\windows\system32\nvcoproc.bin
2010-03-17 00:45:00 82024 ----a-w- c:\windows\system32\nv3dappshextr.dll
2010-03-17 00:45:00 149608 ----a-w- c:\windows\system32\nv3dappshext.dll
2010-03-12 15:26:36 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-03-08 21:33:56 427520 ----a-w- c:\windows\system32\vbscript.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-02-23 00:52:38 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-02-22 23:29:18 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-02-22 23:29:18 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-02-22 23:29:18 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-02-22 23:29:18 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-02-22 18:06:48 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-02-22 18:06:48 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-02-22 18:06:48 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
============= FINISH: 8:33:07.41 ===============
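The post above describes the classic pattern of a Winlogon Taskman persistence entry pointing at a hidden, system-attributed executable sitting directly in the user's AppData\Roaming folder, with the registry value re-added the moment it is removed. The following script is an added example, not code from the original post or from any of the tools named in it: a small triage parser for DDS-style log lines that flags the indicators visible in the report (a non-empty Taskman value, which is absent on a clean Windows install; an executable with the system+hidden attribute combination; an executable in the root of AppData\Roaming; UAC switched off via EnableLUA = 0; a hosts-file override) and then correlates the Taskman target with the file-listing findings. The sample lines, the rule names and the severity labels are constructed for this example and modelled on the report, not taken from any product.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (labels chosen for this example)
    rule: str       # short rule id, also chosen for this example
    detail: str     # the log line or value that triggered the rule


# Constructed sample in DDS log format, modelled on the report posted above.
SAMPLE_DDS = r"""
mWinlogon: Taskman=c:\users\tmorris.corp\appdata\roaming\vlyvcj.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
Hosts: 127.0.0.1 www.spywareinfo.com
2010-04-06 15:23:16 249856 --sh--r- c:\users\tmorri~1.cor\appdata\roaming\vlyvcj.exe
2010-04-12 16:29:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
"""

# "Created Last 30" / "Find3M" lines: date time size attrs path
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ ([-a-z]{8}) (.+)$")
POLICY_LINE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
HOSTS_LINE = re.compile(r"^Hosts: (\S+) (\S+)")


def is_exe(path):
    return path.lower().endswith((".exe", ".dll", ".scr", ".com"))


def in_roaming_root(path):
    """True for an executable sitting directly in <profile>\\AppData\\Roaming\\."""
    p = path.lower()
    marker = "\\appdata\\roaming\\"
    idx = p.find(marker)
    if idx < 0:
        return False
    rest = p[idx + len(marker):]
    return "\\" not in rest and is_exe(rest)


def analyze(text):
    findings = []
    taskman = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Winlogon\Taskman is empty/absent on a clean system; any value is notable.
        if line.lower().startswith("mwinlogon: taskman="):
            taskman = line.split("=", 1)[1].strip()
            findings.append(Finding("high", "winlogon-taskman", taskman))
            continue
        m = POLICY_LINE.match(line)
        if m:
            if m.group(1) == "EnableLUA" and int(m.group(2)) == 0:
                findings.append(Finding("medium", "uac-disabled", line))
            continue
        m = HOSTS_LINE.match(line)
        if m:
            if m.group(2).lower() not in ("localhost", "localhost.localdomain"):
                findings.append(Finding("low", "hosts-override", line))
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.groups()
            # 's' and 'h' in the attribute column mean system + hidden.
            if is_exe(path) and "s" in attrs and "h" in attrs:
                findings.append(Finding("high", "hidden-system-exe", path))
            if in_roaming_root(path):
                findings.append(Finding("medium", "exe-in-roaming-root", path))
    # Correlate: the Taskman target's file name also appears among flagged files.
    if taskman:
        tm_name = ntpath.basename(taskman).lower()
        for f in list(findings):
            if f.rule in ("hidden-system-exe", "exe-in-roaming-root") \
                    and ntpath.basename(f.detail).lower() == tm_name:
                findings.append(Finding("high", "taskman-target-correlated", f.detail))
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.rule:28} {f.detail}")
```

Run as-is it reports six findings for the constructed sample, including the correlation between the Taskman value and the hidden, system-attributed vlyvcj.exe. The point of the correlation step is the one the post is circling: when a Run/Winlogon value keeps reappearing, the file it points to and whatever re-creates the value are the things to look at, and the EnableLUA = 0 line explains why a user-level process can rewrite HKLM without a prompt.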
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\regedit.exe
C:\Users\tmorris.CORP\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://atwork.intraweb.lpl.com/Pages/Default.aspx
uDefault_Page_URL = hxxp://atwork.intraweb.lpl.com/Pages/Default.aspx
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
mURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
mWinlogon: Taskman=c:\users\tmorris.corp\appdata\roaming\vlyvcj.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - No File
TB: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [IFXSPMGT] "c:\program files\hewlett-packard\embedded security software\ifxspmgt.exe" /NotifyLogon
mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
StartupFolder: c:\users\tmorri~1.cor\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\tmorris.corp\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{97a996cf-fc9d-4676-a1bf-a55ac497e854}\Icon6560581611.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\Icon3E5562ED7.ico
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel
IE: Se&nd to OneNote
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: lpl.com\vncsblwebprd.ncprod
DPF: {2203BFCF-9541-41B6-931D-CEB34F81DB0D}
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566}
DPF: {60CD4076-F4B6-4F8B-AF3E-61B200346DD9}
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F}
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: DeviceNP - DeviceNP.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
LSA: Notification Packages = scecli PGPpwflt PGPpwflt
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\users\tmorri~1.cor\appdata\roaming\mozilla\firefox\profiles\6kvzqo0x.default\
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\users\tmorris.corp\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\tmorris.corp\appdata\local\huludesktop\instances\0.9.10.1\nphdplg.dll
FF - plugin: c:\users\tmorris.corp\appdata\roaming\mozilla\firefox\profiles\6kvzqo0x.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-7-29 482176]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-4-30 29472]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
=============== Created Last 30 ================
2010-06-05 04:04:30 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\Malwarebytes
2010-06-05 04:03:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-05 04:03:31 0 d-----w- c:\programdata\Malwarebytes
2010-06-05 04:03:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-05 04:03:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-05 03:28:11 0 d-----w- c:\program files\Trend Micro
2010-06-02 21:28:43 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\Safer Networking
2010-06-02 21:25:06 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-06-02 21:24:21 242992 ----a-w- c:\windows\system32\drivers\SynTP.sys
2010-06-02 21:24:21 210216 ----a-w- c:\windows\system32\SynCtrl.dll
2010-06-02 21:24:21 173352 ----a-w- c:\windows\system32\SynCOM.dll
2010-06-02 21:24:21 165160 ----a-w- c:\windows\system32\SynTPAPI.dll
2010-06-02 21:24:21 120104 ----a-w- c:\windows\system32\SynTPCo4.dll
2010-06-02 21:23:03 0 d-----w- c:\programdata\Intel
2010-06-02 21:21:51 0 d-----w- c:\program files\common files\Intel
2010-06-02 21:17:00 6758912 ----a-w- c:\windows\system32\drivers\NETw5s32.sys
2010-06-02 21:13:29 0 d-----w- c:\programdata\CyberLink
2010-06-02 21:13:06 0 d-----w- c:\program files\common files\CyberLink
2010-06-02 21:09:16 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-06-02 21:09:03 0 d-----w- c:\programdata\Temp
2010-06-02 21:04:36 0 d-----w- c:\program files\Safer Networking
2010-06-01 15:34:30 0 d-----w- c:\windows\IswTmp
2010-06-01 15:25:59 0 d-----w- c:\program files\Network and Security Manager
2010-06-01 15:25:58 0 d--h--w- c:\program files\Zero G Registry
2010-06-01 15:25:03 0 d--h--w- c:\users\tmorris.corp\InstallAnywhere
2010-05-28 23:45:47 0 d-----w- c:\program files\Conduit
2010-05-28 23:45:46 0 d-----w- c:\program files\ZoneAlarm
2010-05-27 17:08:46 0 d-----w- c:\program files\VideoLAN
2010-05-27 14:25:18 808240 ----a-w- c:\windows\system32\imagxra7.dll
2010-05-27 14:25:18 497296 ----a-r- c:\windows\system32\imagxpr7.dll
2010-05-27 14:25:18 263472 ----a-w- c:\windows\system32\imagxr7.dll
2010-05-27 14:25:18 1762608 ----a-w- c:\windows\system32\imagx7.dll
2010-05-27 14:24:09 0 d-----w- c:\program files\Nero
2010-05-27 14:21:08 39693246 ----a-w- c:\windows\file_3.exe
2010-05-25 17:37:17 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-16 23:51:23 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\runic games
2010-05-16 23:38:52 0 d-----w- c:\program files\Runic Games
2010-05-13 18:56:54 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\Scooter Software
2010-05-13 18:56:43 0 d-----w- c:\program files\Beyond Compare 2
2010-05-13 14:09:40 284967462 ----a-w- c:\windows\MEMORY.DMP
2010-05-12 14:15:21 0 d-----w- c:\program files\PingPlotter Pro
2010-05-12 13:05:56 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-07 12:52:11 0 d-----w- C:\Intel
2010-05-07 04:08:07 7680 ----a-w- c:\windows\RemoveAuditing.exe
==================== Find3M ====================
2010-06-05 11:50:51 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2010-06-05 11:50:49 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-05-28 23:46:37 421441 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2010-05-26 17:03:22 1238528 ----a-w- c:\windows\system32\zpeng25.dll
2010-05-15 20:30:50 461400 ----a-w- c:\windows\system32\drivers\vsdatant.sys
2010-05-07 12:53:49 0 --sha-r- c:\windows\system32\drivers\103C_HP_bNB_EliteBook 8730w_Y5336AN_0U_QCNU931DNQB_EU_4A_I30EC_SHP_V91.23_68PAD F.11_T100126_WU4-0_L409_M2043_J250_7Intel_867A_92.40_#100222_N808610F5;80864236_(FM873UT#ABA)_XMOBILE_CN10_Z_2F.11_G10DE063A.MRK
2010-04-30 18:34:51 18344 ----a-w- c:\windows\system32\drivers\btwrchid.sys
2010-04-30 18:34:50 86056 ----a-w- c:\windows\system32\drivers\btwaudio.sys
2010-04-30 18:34:50 29472 ----a-w- c:\windows\system32\drivers\btwl2cap.sys
2010-04-30 18:34:50 108072 ----a-w- c:\windows\system32\drivers\btwavdt.sys
2010-04-30 18:30:40 39712 ----a-w- c:\windows\system32\drivers\psd.sys
2010-04-30 18:30:40 271648 ----a-w- c:\windows\system32\IfxTpmKsp.dll
2010-04-22 16:43:58 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-04-12 16:29:11 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-12 16:29:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-06 15:23:16 249856 --sh--r- c:\users\tmorri~1.cor\appdata\roaming\vlyvcj.exe
2010-03-17 00:46:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-03-17 00:46:00 1515624 ----a-w- c:\windows\system32\nvsvcr.dll
2010-03-17 00:46:00 13684328 ----a-w- c:\windows\system32\nvcpl.dll
2010-03-17 00:46:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-03-17 00:46:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-17 00:45:52 95994 ----a-w- c:\windows\system32\nvcoproc.bin
2010-03-17 00:45:00 82024 ----a-w- c:\windows\system32\nv3dappshextr.dll
2010-03-17 00:45:00 149608 ----a-w- c:\windows\system32\nv3dappshext.dll
2010-03-12 15:26:36 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-03-08 21:33:56 427520 ----a-w- c:\windows\system32\vbscript.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-02-23 00:52:38 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-02-22 23:29:18 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-02-22 23:29:18 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-02-22 23:29:18 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-02-22 23:29:18 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-02-22 18:06:48 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-02-22 18:06:48 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-02-22 18:06:48 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
============= FINISH: 8:33:07.41 ===============
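The DDS log above shows the three facts that matter for this cleanup: the `mWinlogon: Taskman=...vlyvcj.exe` entry, the target file listed under Find3M with `--sh--r-` attributes (system, hidden, read-only), and the `mPolicies-system` block with `EnableLUA = 0` and `ConsentPromptBehaviorAdmin = 0`, i.e. UAC switched off. The PowerShell below is an added triage script, not something from the original post or from the DDS tool. It reads the Taskman value, inspects and hashes the file it points to, prints the UAC policy values, and then subscribes to the WMI `RegistryValueChangeEvent` for that one value so you can time the "immediately reappears" behaviour the poster describes. It assumes an elevated PowerShell session and PowerShell 4 or later for `Get-FileHash`; the event source name `TaskmanWatch` is an arbitrary label chosen here.

```powershell
# Added example (not from the original post): triage of the Winlogon\Taskman
# persistence entry reported in the DDS log. Run from an elevated PowerShell.
# Assumes PowerShell 4+ (Get-FileHash); everything else is built in.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Read the Taskman value. It is absent on a default install; Winlogon launches
#    whatever it names at logon, so a value pointing into %AppData% is suspect.
$taskman = (Get-ItemProperty -Path $winlogon -Name Taskman -ErrorAction SilentlyContinue).Taskman
if ($taskman) {
    "Taskman = $taskman"
    # Strip quotes and expand %VAR% references before touching the file.
    $target = [Environment]::ExpandEnvironmentVariables($taskman.Trim('"'))
    if (Test-Path -LiteralPath $target) {
        $f = Get-Item -LiteralPath $target -Force       # -Force: see hidden/system files
        # The log showed --sh--r- (system, hidden, read-only): attributes a normal
        # user program has no reason to set on its own executable.
        "Attributes: $($f.Attributes)  Size: $($f.Length)  Modified: $($f.LastWriteTime)"
        "SHA256:     $((Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash)"
        "Signature:  $((Get-AuthenticodeSignature -LiteralPath $target).Status)"
    } else {
        "Target file not present on disk (the value may be an orphan)."
    }
} else {
    "No Taskman value under Winlogon."
}

# 2. UAC policy. With EnableLUA = 0 every process an administrator starts already
#    holds the full admin token, so writing HKLM needs no prompt and a background
#    process can silently re-add the value as often as it likes.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA = $($pol.EnableLUA)  ConsentPromptBehaviorAdmin = $($pol.ConsentPromptBehaviorAdmin)"

# 3. Watch the value. RegistryValueChangeEvent (namespace root\default) fires on
#    every write to this one value and tells you WHEN it changed, not WHICH process
#    wrote it. To get the writer, pair this with Process Monitor (filter: Operation
#    is RegSetValue, Path contains "Winlogon\Taskman") or Sysmon event ID 13.
#    WQL needs the key path backslashes doubled.
$query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
         "AND KeyPath='SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' " +
         "AND ValueName='Taskman'"
Register-WmiEvent -Namespace 'root\default' -Query $query -SourceIdentifier TaskmanWatch -Action {
    $now = Get-Date -Format 'HH:mm:ss.fff'
    $v = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
            -Name Taskman -ErrorAction SilentlyContinue).Taskman
    Write-Host "[$now] Winlogon\Taskman changed -> $v"
} | Out-Null
"Watching Winlogon\Taskman. Delete the value now and note how quickly it returns; run Unregister-Event TaskmanWatch to stop."
```

Deleting the value while the watcher is running reproduces the poster's observation with a timestamp: a re-add within milliseconds means a resident process or injected thread is polling the key, which is consistent with the "integrated into explorer.exe" suspicion and is why Spybot, TeaTimer and Malwarebytes removing the value and the file never sticks. Killing or quarantining the writer identified by Process Monitor or Sysmon has to come before deleting the file and the value, and the `--sh--r-` attributes need clearing (`attrib -s -h -r`) before the file can be removed.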