View Full Version : win32.palevo
This malware shows up on every spybot scan even though spybot says it has fixed the problem. It was redirecting IE to wierd ad sites and then would not allow me to go to any site not https: It did not seem to effect google chrome nor IE 9 that I just installed. I could not figure out how to zip up the dds file. The other one and the spybot report is below. I ran ERUNT.
--- Search result list ---
Win32.Palevo: [SBI $E243B4FE] User settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1190624232-1164676516-3757976289-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=...C:\Users\John\AppData\Roaming\dwm.exe...
Win32.Palevo: [SBI $98023662] Executable (File, nothing done)
C:\Users\John\AppData\Roaming\dwm.exe
Properties.size=181760
Properties.md5=1C218C6217F05C846B46CB25F37BA8BE
Properties.filedate=1311444193
Properties.filedatetext=2011-07-23 14:03:12
DoubleClick: Tracking cookie (Internet Explorer: John) (Cookie, nothing done)
Zedo: Tracking cookie (Internet Explorer: John) (Cookie, nothing done)
Right Media: Tracking cookie (Internet Explorer: John) (Cookie, nothing done)
Excite: Tracking cookie (Internet Explorer: John) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by John at 14:21:58 on 2011-07-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8174.6560 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackgroundService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\runonce.exe
C:\Windows\SysWOW64\runonce.exe
C:\Users\John\AppData\Roaming\Microsoft\conhost.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe
C:\Users\John\AppData\Local\Temp\csrss.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\ehome\mcupdate.EXE
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\John\AppData\Roaming\dwm.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.excite.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:51354
mWinlogon: Userinit=userinit.exe
uWinlogon: Shell=explorer.exe,C:\Users\John\AppData\Roaming\dwm.exe
uWindows: Load=C:\Users\John\AppData\Local\Temp\csrss.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110722204121.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Memeo Backup Premium] C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoLauncher2.exe --silent --no_ui
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun: [conhost] C:\Users\John\AppData\Roaming\Microsoft\conhost.exe
mRunOnce: [Spybot - Search & Destroy] "C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\ERUNT\AUTOBACK.EXE
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://myhrweb.tmhs.org/+CSCOL+/relayp.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://sslvpn.tmhs.org/CACHE/stc/1/binaries/vpnweb.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{17BFF10D-B5AE-4F7B-B03E-0F9A6F6934D2} : DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{5E5302EF-B650-45F8-BE1B-58C8ABFB5465} : DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{9A35D416-AEAE-41A3-820D-44F16FB2DD82} : DhcpNameServer = 192.168.1.1 71.252.0.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110722204121.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun-x64: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun-x64: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun-x64: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun-x64: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [(Default)]
mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Memeo Backup Premium] C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoLauncher2.exe --silent --no_ui
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun-x64: [conhost] C:\Users\John\AppData\Roaming\Microsoft\conhost.exe
mRunOnce-x64: [Spybot - Search & Destroy] "C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-1-19 13336]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-25 355440]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-25 355440]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-25 355440]
R2 McShield;McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2011-1-19 200056]
R2 MemeoBackgroundService;MemeoBackgroundService;C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackgroundService.exe [2010-7-28 25824]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2011-1-19 245352]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Program Files\Common Files\mcafee\systemcore\mfevtps.exe [2011-1-19 149032]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-10 1153368]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-6-17 434864]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys --> C:\Windows\system32\drivers\HCW85BDA.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2010-7-30 25072]
R3 t3;Sound Blaster X-Fi Xtreme Audio;C:\Windows\system32\drivers\t3.sys --> C:\Windows\system32\drivers\t3.sys [?]
S2 CLKMSVC10_9EC60124;CyberLink Product - 2011/01/19 20:27:08;C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-10-26 236016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-9-4 219632]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-1-19 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-19 79360]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-9-4 1116656]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-25 355440]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-07-23 18:20:39 -------- d-----w- C:\ERUNT
2011-07-23 18:03:12 181760 ----a-w- C:\Users\John\AppData\Roaming\dwm.exe
2011-07-22 23:20:43 170496 ----a-w- C:\Users\John\AppData\Roaming\Microsoft\conhost.exe
2011-07-19 23:15:12 -------- d-----w- C:\Users\John\AppData\Roaming\Fingertapps
2011-07-19 17:49:27 -------- d-----w- C:\FIND_EULA_PATH
2011-07-18 12:20:37 -------- d-----w- C:\Windows\System32\SPReview
2011-07-18 12:19:26 -------- d-----w- C:\Windows\System32\EventProviders
2011-06-29 08:20:19 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
.
==================== Find3M ====================
.
2011-07-18 12:26:35 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-07-18 12:26:34 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
2011-06-10 20:07:08 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-03 06:57:45 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-06-03 06:57:45 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-06-03 06:57:45 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-06-03 06:57:44 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-03 06:57:38 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-06-03 06:56:38 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-06-03 06:53:33 338944 ----a-w- C:\Windows\System32\conhost.exe
2011-06-03 06:00:53 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-06-03 05:57:52 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-06-03 05:57:33 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-06-03 05:56:12 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-06-03 05:56:11 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-06-03 03:53:31 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-06-03 03:53:31 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-06-03 03:48:32 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-06-03 03:48:31 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-06-03 03:48:31 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-03 03:48:31 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
2011-05-14 18:12:50 103784 ----a-w- C:\Users\John\GoToAssistDownloadHelper.exe
2011-05-04 19:22:32 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-05-04 19:22:32 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-05-04 19:22:32 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-05-04 19:22:32 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-05-04 05:25:03 2315776 ----a-w- C:\Windows\System32\tquery.dll
2011-05-04 05:22:25 778752 ----a-w- C:\Windows\System32\mssvp.dll
2011-05-04 05:22:25 2223616 ----a-w- C:\Windows\System32\mssrch.dll
2011-05-04 05:22:24 75264 ----a-w- C:\Windows\System32\msscntrs.dll
2011-05-04 05:22:24 491520 ----a-w- C:\Windows\System32\mssph.dll
2011-05-04 05:22:24 288256 ----a-w- C:\Windows\System32\mssphtb.dll
2011-05-04 05:19:28 591872 ----a-w- C:\Windows\System32\SearchIndexer.exe
2011-05-04 05:19:28 249856 ----a-w- C:\Windows\System32\SearchProtocolHost.exe
2011-05-04 05:19:28 113664 ----a-w- C:\Windows\System32\SearchFilterHost.exe
2011-05-04 04:34:43 1549312 ----a-w- C:\Windows\SysWow64\tquery.dll
2011-05-04 04:32:02 666624 ----a-w- C:\Windows\SysWow64\mssvp.dll
2011-05-04 04:32:01 337408 ----a-w- C:\Windows\SysWow64\mssph.dll
2011-05-04 04:32:01 197120 ----a-w- C:\Windows\SysWow64\mssphtb.dll
2011-05-04 04:32:01 1401344 ----a-w- C:\Windows\SysWow64\mssrch.dll
2011-05-04 04:32:00 59392 ----a-w- C:\Windows\SysWow64\msscntrs.dll
2011-05-04 04:28:31 86528 ----a-w- C:\Windows\SysWow64\SearchFilterHost.exe
2011-05-04 04:28:31 427520 ----a-w- C:\Windows\SysWow64\SearchIndexer.exe
2011-05-04 04:28:31 164352 ----a-w- C:\Windows\SysWow64\SearchProtocolHost.exe
2011-05-03 05:29:29 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-05-03 04:30:02 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-04-29 03:06:10 467456 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-04-29 03:05:49 410112 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-04-29 03:05:37 168448 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-04-27 02:40:40 158208 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-04-27 02:39:40 289280 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-04-27 02:39:37 128000 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-04-25 05:33:51 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-04-25 02:34:03 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 14:22:29.96 ===============
Here is the attach.txt zip file.
It does effect IE9 as I can not open my hotmail in it, but can in chrome.
Hello Samwise and :welcome:
My name is JonTom
Malware Logs can sometimes take a lot of time to research and interpret.
Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
PLEASE NOTE: If you do not reply after 5 days your thread will be closed.
Before we begin I would like to see the log produced from the following tool:
aswMBR
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.
Right click aswMBR.exe and select "Run as Administrator" to run it.
Click the "Scan" button to start scan.
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan click save log, save it to your desktop and post in your next reply.
http://public.avast.com/~gmerek/aswMBR2.png
Please post the log created in your next reply.
Thank you very much for your assistance and I apologize for the delay in responding to your post.
Hello Samwise
Thank you for the log.
I apologize for the delay in responding to your post Absolutely no problem at all :)
Important!!!
It is very likely that the malware we are dealing with has password stealing capabilities. For this reason you are Strongly Advised to disconnect the infected computer from the internet and from any networked computers until it can be cleaned. If you have networked compters, these must be checked, as they may also be infected.
It is Essential that you use a Clean (uninfected) computer to change ALL of your passwords for the online services (banking etc) that you use. Do not use the infected computer to change your passwords or to perform any financial transactions, as doing so will give the attacker access to the new password that you create.
Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216).
Right click on ComboFix.exe and select "Run as Administrator" to run the program. Follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Should there be issues with internet afterward:
In IE: Tools Menu -> Internet Options -> Connections Tab -> Lan Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.
1) I really need to change everything?
2) How do I even log on to this site without being tracked?
3)I copied files from a laptop onto an external hard drive used by this computer, after disconnecting it from this computer. Would that have effected my laptop?
4) The process did not track as you indicated, instead of the Recovery Console and Congratulations Window prompts, a message came up saying "...Windows cannot find nircmdB.exe:thanks:
5)Here is the text:
ComboFix 11-07-28.06 - John 07/28/2011 18:41:03.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8174.6563 [GMT -4:00]
Running from: c:\users\John\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\John\AppData\Roaming\dwm.exe
c:\users\John\AppData\Roaming\Microsoft\conhost.exe
c:\users\John\AppData\Roaming\Microsoft\Windows\Recent\Amazon.com - Bestsellers.url
c:\users\John\AppData\Roaming\Microsoft\Windows\Recent\Bible Gateway - Search the Bible in Nine Languages and Multiple Bible Versions.url
c:\users\John\AppData\Roaming\Microsoft\Windows\Recent\Woodlake United Methodist Church.url
c:\users\John\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-28 )))))))))))))))))))))))))))))))
.
.
2011-07-28 22:45 . 2011-07-28 22:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-23 18:20 . 2011-07-23 18:20 -------- d-----w- C:\ERUNT
2011-07-19 23:15 . 2011-07-19 23:15 -------- d-----w- c:\users\John\AppData\Roaming\Fingertapps
2011-07-19 17:49 . 2011-07-19 17:49 -------- d-----w- C:\FIND_EULA_PATH
2011-07-18 12:20 . 2011-07-19 13:44 -------- d-----w- c:\windows\system32\SPReview
2011-07-18 12:19 . 2011-07-19 13:44 -------- d-----w- c:\windows\system32\EventProviders
2011-06-29 08:20 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-28 22:21 . 2010-06-24 17:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-07-23 20:37 . 2011-01-20 02:15 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-18 12:26 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-07-18 12:26 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-06-10 20:07 . 2011-05-17 01:43 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-06 07:36 . 2011-02-10 20:28 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-06-03 05:57 . 2011-07-14 11:59 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-05-04 19:22 . 2011-05-04 19:22 466456 ----a-w- c:\windows\system32\wrap_oal.dll
2011-05-04 19:22 . 2011-05-04 19:22 444952 ----a-w- c:\windows\SysWow64\wrap_oal.dll
2011-05-04 19:22 . 2011-05-04 19:22 122904 ----a-w- c:\windows\system32\OpenAL32.dll
2011-05-04 19:22 . 2011-05-04 19:22 109080 ----a-w- c:\windows\SysWow64\OpenAL32.dll
2011-05-03 05:29 . 2011-06-15 20:24 976896 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-03 04:30 . 2011-06-15 20:24 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-01 23:17 1487240 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-02-01 39408]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2009-02-03 237693]
"SPIRunE"="SPIRunE.dll" [2009-07-27 18432]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-17 98304]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2010-03-10 237568]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1486392]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-18 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2010-10-27 75048]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-09-04 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-02 522736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Memeo Backup Premium"="c:\program files (x86)\Memeo\AutoBackupPro\MemeoLauncher2.exe" [2010-07-28 136416]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2011-05-30 885760]
.
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\erunt\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 CLKMSVC10_9EC60124;CyberLink Product - 2011/01/19 20:27;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-10-27 236016]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-01 136176]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-09-04 219632]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-01-20 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-01-20 79360]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-01 136176]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-09-04 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2010-03-10 355440]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2010-03-10 355440]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files (x86)\Memeo\AutoBackupPro\MemeoBackgroundService.exe [2010-07-28 25824]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 245352]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-04-14 149032]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-06-17 434864]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2010-07-30 25072]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
*Deregistered* - CLKMDRV10_9EC60124
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-01 22:43]
.
2011-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-01 22:43]
.
2011-07-27 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:09]
.
2011-07-28 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-05-30 2055816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.excite.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:51354
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://sslvpn.tmhs.org/CACHE/stc/1/binaries/vpnweb.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1190624232-1164676516-3757976289-1000\Software\SecuROM\License information*]
"datasecu"=hex:19,0b,5e,84,4c,64,31,ab,cd,93,b4,52,9c,45,69,80,05,df,a0,cf,79,
15,34,07,8f,de,b4,a5,f7,aa,f9,60,07,27,17,90,c8,73,69,35,6a,eb,11,53,32,09,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-28 18:47:44
ComboFix-quarantined-files.txt 2011-07-28 22:47
.
Pre-Run: 921,122,254,848 bytes free
Post-Run: 921,139,519,488 bytes free
.
- - End Of File - - 54D437384996439824A7DA81A4B01F55
Hello Samwise
Thank you for the log.
I really need to change everything? If you do any kind of financial transactions online I would say definitely. I would be doing you a disservice if I said there was absolutely nothing to worry about. Backdoor Trojans are bad news. Why take the risk?
How do I even log on to this site without being tracked? You can always change your password for this forum once we have cleaned your machine. The most important thing to change right now is anything to do with financial passwords.
I copied files from a laptop onto an external hard drive used by this computer, after disconnecting it from this computer. Would that have effected my laptop? Possibly. Does your laptop display any of the symptoms exhibited by the infected machine?
The process did not track as you indicated Thanks for letting me know.
Please uninstall "Ask Toolbar" from your machine.
Do you recognise this proxy? Is it something that you set yourself?
uInternet Settings,ProxyServer = http=127.0.0.1:51354
Please let me know in your next reply :)
I will do as you suggest.
I have uninstalled the Ask Toolbar, what's next?
I do not recognize the Proxy and really even don't know how to set a proxy.
I screened my laptop with Windows security and it came up clean. I also scanned it with Spybot and it should found some tracking cookies. It seems to be running fine. I disconnected the 1tb Buffalo hard drive from the desktop we are working on.
Other points to note on this computer: McAfee cannot connect to the internet and keeps putting up an Update Problem box. And I get a warning at start up that the Intelipoint software is not installed correctly. This is a mouse program.
:thanks:
Hello Samwise
I do not recognize the Proxy and really even don't know how to set a proxy Thanks for letting me know.
It seems to be running fine Thats good news, but please refrain from running any more tools until we are finished.
And I get a warning at start up that the Intelipoint software is not installed correctly You could try uninstalling and then re-installing the software.
Lets move on:
Reset your browser proxies
For Internet Explorer:
Click on "Tools" and then select "Internet Options".
Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
Uncheck "Use a Proxy server for your LAN".
Click Ok to close the Local Area Network (LAN) Settings window.
Click Ok to close the Internet Options window.
Temporary File Cleaner
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Close any open windows.
Right click the TFC icon and select "Run as Administrator" to run the program.
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish.
Once complete it should automatically reboot your machine.
If your machine does not reboot automatically, manually reboot to ensure a complete clean.
Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.
Please perform the following scan:
Please download MalwareBytes AntiMalware by clicking here (http://www.besttechie.net/tools/mbam-setup.exe) and save the file (called mbam-setup.exe) to your desktop.
Right click on the mbam-setup.exe icon and select "Run as Administrator" to install the program.
Follow the prompts during installation and have the Installation Wizzard create a desktop icon.
Once installed, double click on the MalwareBytes AntiMalware icon to launch the program.
Click on the "Update" tab and then on "Check for Updates".
The program will now install the latest Malware definition files.
Once complete, click on the "Scanner" tab, select "Perform Quick Scan"and then click on "Scan".
Once the program has scanned your computer, a log file will be created in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
Come back here to this thread and Paste the log in your next reply.
Please run the following scan
Note: You will need to use Internet Explorer for this scan.
Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
Please disable your real time security programs before performing the scan.
Scan your system with Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use.
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option to "Remove Found Threats" is UN checked.
Push the "Start" button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please post the MBAM and ESET log along with a fresh DDS.txt scan log in your next reply.
Be advised that the Lan setting was already unclicked in both IE and google chrome. Also the Malware bytes found: Pum.Bad.Proxy
I am proceeding to step 4
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7326
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
7/30/2011 12:54:49 PM
mbam-log-2011-07-30 (12-54-49).txt
Scan type: Quick scan
Objects scanned: 175985
Time elapsed: 2 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Here is step four. Please be reminded that I had disconnected my external harddrive prior to these steps. Will it need to be scanned also?
Also, some of the malware seem to be associated with spybot, is this possible? Thanks again.
.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by John at 14:29:11 on 2011-07-30
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8174.6043 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackgroundService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
C:\Program Files\mcafee.com\agent\mcagent.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\CyberLink\Shared files\brs.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\stage_secondary.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackup.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\ehome\ehRecvr.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.excite.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110722204121.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Memeo Backup Premium] C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoLauncher2.exe --silent --no_ui
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\ERUNT\AUTOBACK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://myhrweb.tmhs.org/+CSCOL+/relayp.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://sslvpn.tmhs.org/CACHE/stc/1/binaries/vpnweb.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{17BFF10D-B5AE-4F7B-B03E-0F9A6F6934D2} : DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{5E5302EF-B650-45F8-BE1B-58C8ABFB5465} : DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{9A35D416-AEAE-41A3-820D-44F16FB2DD82} : DhcpNameServer = 192.168.1.1 71.252.0.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110722204121.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun-x64: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun-x64: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun-x64: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun-x64: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Memeo Backup Premium] C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoLauncher2.exe --silent --no_ui
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-1-19 13336]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-25 355440]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-25 355440]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-25 355440]
R2 McShield;McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2011-1-19 200056]
R2 MemeoBackgroundService;MemeoBackgroundService;C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackgroundService.exe [2010-7-28 25824]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2011-1-19 245352]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Program Files\Common Files\mcafee\systemcore\mfevtps.exe [2011-1-19 149032]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-10 1153368]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-6-17 434864]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys --> C:\Windows\system32\drivers\HCW85BDA.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2010-7-30 25072]
R3 t3;Sound Blaster X-Fi Xtreme Audio;C:\Windows\system32\drivers\t3.sys --> C:\Windows\system32\drivers\t3.sys [?]
S2 CLKMSVC10_9EC60124;CyberLink Product - 2011/01/19 20:27:08;C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-10-26 236016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-9-4 219632]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-1-19 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-19 79360]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-9-4 1116656]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-25 355440]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-07-30 17:00:17 -------- d-----w- C:\Program Files (x86)\ESET
2011-07-30 16:51:12 -------- d-----w- C:\Users\John\AppData\Roaming\Malwarebytes
2011-07-30 16:51:02 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-30 16:51:02 -------- d-----w- C:\ProgramData\Malwarebytes
2011-07-30 16:50:58 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-07-30 16:50:58 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-07-29 11:15:24 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-28 22:40:36 98816 ----a-w- C:\Windows\sed.exe
2011-07-28 22:40:36 518144 ----a-w- C:\Windows\SWREG.exe
2011-07-28 22:40:36 256000 ----a-w- C:\Windows\PEV.exe
2011-07-28 22:40:36 208896 ----a-w- C:\Windows\MBR.exe
2011-07-23 20:54:13 118784 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL
2011-07-23 20:54:13 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2011-07-23 20:52:50 -------- d-----w- C:\Users\John\AppData\Roaming\Sammsoft
2011-07-23 20:52:41 -------- d-----w- C:\Program Files (x86)\ARO 2011
2011-07-23 18:20:39 -------- d-----w- C:\ERUNT
2011-07-19 23:15:12 -------- d-----w- C:\Users\John\AppData\Roaming\Fingertapps
2011-07-19 17:49:27 -------- d-----w- C:\FIND_EULA_PATH
2011-07-18 12:20:37 -------- d-----w- C:\Windows\System32\SPReview
2011-07-18 12:19:26 -------- d-----w- C:\Windows\System32\EventProviders
.
==================== Find3M ====================
.
2011-07-23 20:37:39 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-07-18 12:26:35 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-07-18 12:26:34 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
2011-06-10 20:07:08 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-03 06:57:45 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-06-03 06:57:45 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-06-03 06:57:45 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-06-03 06:57:44 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-03 06:57:38 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-06-03 06:56:38 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-06-03 06:53:33 338944 ----a-w- C:\Windows\System32\conhost.exe
2011-06-03 06:00:53 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-06-03 05:57:52 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-06-03 05:57:33 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-06-03 05:56:12 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-06-03 05:56:11 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-06-03 03:53:31 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-06-03 03:53:31 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-06-03 03:48:32 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-06-03 03:48:31 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-06-03 03:48:31 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-03 03:48:31 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
2011-05-04 19:22:32 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
2011-05-04 19:22:32 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
2011-05-04 19:22:32 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
2011-05-04 19:22:32 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
2011-05-04 05:25:03 2315776 ----a-w- C:\Windows\System32\tquery.dll
2011-05-04 05:22:25 778752 ----a-w- C:\Windows\System32\mssvp.dll
2011-05-04 05:22:25 2223616 ----a-w- C:\Windows\System32\mssrch.dll
2011-05-04 05:22:24 75264 ----a-w- C:\Windows\System32\msscntrs.dll
2011-05-04 05:22:24 491520 ----a-w- C:\Windows\System32\mssph.dll
2011-05-04 05:22:24 288256 ----a-w- C:\Windows\System32\mssphtb.dll
2011-05-04 05:19:28 591872 ----a-w- C:\Windows\System32\SearchIndexer.exe
2011-05-04 05:19:28 249856 ----a-w- C:\Windows\System32\SearchProtocolHost.exe
2011-05-04 05:19:28 113664 ----a-w- C:\Windows\System32\SearchFilterHost.exe
2011-05-04 04:34:43 1549312 ----a-w- C:\Windows\SysWow64\tquery.dll
2011-05-04 04:32:02 666624 ----a-w- C:\Windows\SysWow64\mssvp.dll
2011-05-04 04:32:01 337408 ----a-w- C:\Windows\SysWow64\mssph.dll
2011-05-04 04:32:01 197120 ----a-w- C:\Windows\SysWow64\mssphtb.dll
2011-05-04 04:32:01 1401344 ----a-w- C:\Windows\SysWow64\mssrch.dll
2011-05-04 04:32:00 59392 ----a-w- C:\Windows\SysWow64\msscntrs.dll
2011-05-04 04:28:31 86528 ----a-w- C:\Windows\SysWow64\SearchFilterHost.exe
2011-05-04 04:28:31 427520 ----a-w- C:\Windows\SysWow64\SearchIndexer.exe
2011-05-04 04:28:31 164352 ----a-w- C:\Windows\SysWow64\SearchProtocolHost.exe
2011-05-03 05:29:29 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-05-03 04:30:02 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
.
============= FINISH: 14:29:43.32 ===============
Hello Samwise
Thank you for the logs.
Be advised that the Lan setting was already unclicked in both IE and google chrome No problem, MBAM has taken care of it :)
Also, some of the malware seem to be associated with spybot, is this possible? That malware has been quarantined by Spybot and is being held in Spybot's Recovery Directory. Malware is held in the Recovery directory in case of a false positive identification, giving you the option to restore the quarantined items if there are indeed required. In this case those items definitely need to go:
Please empty your Spybot Recovery Folder
One of the infections detected by the ESET Online Scan is located in your Spybot Recovery Folder.
To empty this folder, please do the following:
Open Spybot Search & Destroy, click on "Recovery", select all of the quarantined items, then click on "purge selected items".
Close Spybot.
You also have an infected Java cache. Lets take care of that now:
Please download OTM
Please download OTM by OldTimer by clicking here. (http://oldtimer.geekstogo.com/OTM.exe)
Save the file (called OTM.exe) to your desktop.
Double click on the OTM.exe icon to run the program. (Note: If you are running on Vista/Windows 7, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Files
C:\Users\John\Documents\John Salay\Application Data\Sun\Java\Deployment\cache\6.0\24\bae1618-56791b9a
C:\Users\John\Documents\John Salay\Application Data\Sun\Java\Deployment\cache\6.0\43\11753b6b-6879d3cd
C:\Users\John\Documents\John Salay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfge.class-65499117-75a3fb43.class
C:\Users\John\Documents\John Salay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfgn.class-2a829977-7686554f.class
:Commands
[Purity]
[EmptyTemp]
[Emptyflash]
[Reboot]
Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File -> Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Will it need to be scanned also? Open MBAM and update it. Once MBAM has updated plug in your remote drive. If you have autorun enabled, a text box will open asking you what you want to do with the drive you just plugged. DO NOT select anything, just close the autorun window.
Once closed, scan the drive with MBAM and let me know if anything is detected.
Post the OTM log and let me know how the machine is running in your next reply while I check through your DDS log.
The OTM utility went right to two columns with yellow paste it on the left and green move it on the right with three buttons. The columns were empty. The MoveIt button did not result in any thing, so I clicked the Clean button. It resulted in a registry in the right column, longer than the one below and asked for the reboot. Upon start up I was not able to find the file per your instructions or even with a system search. I redid the process and was able to copy this list, but did not reboot.
File/Folder avenger.* not found.
File/Folder Avenger not found.
File/Folder bfu.zip not found.
File/Folder BFU not found.
C:\Users\John\Downloads\ComboFix.exe deleted successfully.
Error: No service named catchme was found to stop!
Service\Driver key catchme not found.
Error: No service named gmer was found to stop!
Service\Driver key gmer not found.
C:\Users\John\Downloads\OTM.exe deleted successfully.
File delete failed. C:\Users\John\Downloads\OTM (1).exe scheduled to be deleted on reboot.
I am moving forward with the scan of the external hard drive. The OTM window is still open.
:oops:
I re-re-reread the instructions and realized I messed up. Here is the log:
All processes killed
========== FILES ==========
C:\Users\John\Documents\John Salay\Application Data\Sun\Java\Deployment\cache\6.0\24\bae1618-56791b9a moved successfully.
C:\Users\John\Documents\John Salay\Application Data\Sun\Java\Deployment\cache\6.0\43\11753b6b-6879d3cd moved successfully.
C:\Users\John\Documents\John Salay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfge.class-65499117-75a3fb43.class moved successfully.
C:\Users\John\Documents\John Salay\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfgn.class-2a829977-7686554f.class moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: John
->Temp folder emptied: 478691 bytes
->Temporary Internet Files folder emptied: 12668772 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 671 bytes
User: Public
->Temp folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 608 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32969 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 13.00 mb
OTM by OldTimer - Version 3.1.18.0 log created on 07302011_163709
Files moved on Reboot...
C:\Users\John\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
Registry entries deleted on Reboot...
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7329
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
7/30/2011 5:41:28 PM
mbam-log-2011-07-30 (17-41-28).txt
Scan type: Full scan (E:\|F:\|)
Objects scanned: 405391
Time elapsed: 57 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
To answer your other question; simple browsing seems to be working fine now. However, many of my problems occurred with sites requiring logging on and I am not going to try that without your approval. I spent all morning (est) changing all of my passwords (on a clean computer) and don't want that undone!
I am on Eastern Standard Time and will be retiring for the night. Hopefully, we will re-engage tomorrow.
Have a good night!
Hello Samwise
Just saw your latest replies - good job with OTM. The second log you posted was what I expected to see.
OTM looks good, DDS looks good and your storage drive appears to be okay. I believe it should be okay to accesss the sites that required your newly created passwords.
Provided you are no longer experiencing any problems I believe we are almost done. Lets take care of the tools we used during your fix:
Please Uninstall Combofix
Please check that you still have the ComboFix icon on your desktop. If it is not there, you may need to re-download the tool using one of the links I provided earlier.
Hold down the Windows key (has the Windows symbol on it) and press the "R" key.
A Run box will open.
Type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.
Please perform the following cleanup procedure
Double click on the OTM.exe icon on your desktop to run the program. (Note: If you are running Vista/Windows 7, right-click on the file and choose Run As Administrator).
Once OTM has opened, click on the "CleanUp!" button.
Follow any prompts that you receive.
Removal of Tools
You no longer need aswMBR. Please delete it from your machine.
TFC and MBAM are yours to keep.
Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.
Finally, please take the time to read through the information provided below:
Enhance your System Security
For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here. (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)
IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
Once complete, remember to re-engage your resident security before going online.
Web Browsers and Browser Security
Firefox
Firefox is generally considered to have greater browsing security in comparison to other popular programs. You can download Firefox 3.0 from here. (http://www.mozilla.com/en-US/firefox/)
No-Script
If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
You can download No-Script by clicking here. (https://addons.mozilla.org/en-US/firefox/addon/722)
Internet Explorer
The newest version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)
SpywareBlaster
If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
You can download SpywareBlaster by clicking here. (http://www.javacoolsoftware.com/sbdownload.html)
Web of Trust
When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
You can download Web of Trust by clicking here. (http://www.mywot.com/)
Keep your Software Updated
Outdated software can sometimes have vulnerabilities that are exploitable by malware.
Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here. (http://secunia.com/vulnerability_scanning/online/)
Passwords
Learn how to create strong passwords by clicking here (http://www.microsoft.com/protect/yourself/password/create.mspx) and test the strength of the passwords you already use by clicking here. (http://www.microsoft.com/protect/yourself/password/checker.mspx)
General Reading
PC Safety and Security - What do I need? (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)
How to prevent Malware (by Miekiemoes) (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
Learn How To Combat Malware
Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here. (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)
:thanks:
I am making the changes as you suggested. I have installed Firefox as my default browser with Web of Trust and No-Script. It is taking some getting used to. I had trouble updating both Windows and Adobe (both identified by Secunia as needing updates). I think it has something to do with the No-Script. The Free virus software site did not work, I think because the Adobe and Java were not updated, I will go back and try again. The McAfee software that I paid for with the computer obviously does not work very well or I would not have had all of these problems. I will let you know if any other problems occur.
Is there any information in my posts that need to be hidden for security reasons? (i.e. my name)
Thanks again for all of your help!
One of the sites had me download Registry Booster, which kept showing a script error warning that would not go away regardless of clicking yes or no, so I uninstalled it. Does it mean anything?:
"An error has occurred in the script on this page.
Line 3382
Char 4
Error Automation server cannot create object
Code 0
Url http://localhost:10435/jquery.js
Do you wish to continue running scripts on this page?
Yes No
When I go to the control panel in Windows I am not able to access: Status, Firewall, Updates, Password changes, Security, etc. I did see that there were many Windows updates dated today. An error comes up many times saying Windows cannot find...and it lists a long string of numbers and characters.
I tried downloading the windows security essentials, after uninstalling McAfee and the exe file would not run after clicking on the run button. So right now I don't have a security program, fire wall, or antivirus program. :sad:
Hello Samwise
Please note that the links I supplied for security programs etc are suggestions only. They are not compulsory.
One of the sites had me download Registry Booster I am a little confused. Why did you have to download it?
If you presently have no antivirus installed, please do not connect to the net except to download the required tools and to post replies back here.
Lets take a look with security check:
Security Check
Please download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe) and save the file (called securitycheck.exe) to your desktop.
Right click SecurityCheck.exe and select "Run as Administrator". Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document in your next reply.
I think I was directed to down load the registry check at the no-script site. Sorry about that.
Another problem is my unfamiliarity with the download process. It seems to have been newly created recently, maybe when I first tried to upgrade IE, before contacting you.
I get a box in the upper left corner that I double click on the exe file. I don't always get the opportunity to do a save as to desktop or run as admin. This time I was able to see a bunch of recent downloads, created a shortcut for security check and ran as admin.
Results of screen317's Security Check version 0.99.18
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 26
Adobe Flash Player 10.3.181.34
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````
Hello Samwise
Thank you for the security check log.
I'm not sure about the download procedure with IE (I only ever use Firefox) but it has most likely changed with the newer installation on the Microsoft browser. I believe download are saved automatically to desktop by default with Firefox. The following may help with IE:
Save downloaded files to desktop
Open Internet Explorer and click on Tools and then Internet Options.
Click on the security tab and uncheck the box next to "Enable Protected Mode".
Close all Internet Explorer 8 (IE 8) windows and then open IE 8.
Click on Tools and then Internet Options again.
Click on the button for Custom Level.
Scroll down to the Downloads section.
Under File Download click on the bubble next to Enable then click on OK to close the Security Settings window and OK again to close the Internet Options Window.
After you click Download File, a File Download dialog box will open asking if you want to open or save the file.
To save the file on your PC, click Save.
IE will open the "Save As" dialog box; here you will choose a location for the file, such as My Documents or your Desktop.
You mentioned uninstalling McAfee and then having problems installing a different AV program. Remnants of a program can sometimes be left over from an uninstall and this can prevent subsequent applications from installing correctly.
Lets give the following a try:
Download and run the McAfee Removal Tool
Download the McAfee Removal Tool by clicking here (http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe) and save the file (called MCPR.exe) to your desktop.
Double click on MCPR.exe to run the removal tool.
Once you receive the "Cleanup Successful" message, restart your computer.
For more information about this removal tool please click here. (http://service.mcafee.com/FAQDocument.aspx?id=TS100507)
I have provided some links to MSE, Avast and avira below (just choose one AV to install).
Security programs
I have provided links to three trusted programs (just choose one).
Avast! (http://www.avast.com/free-antivirus-download)
Avira AntiVir (http://www.free-av.com/)
MicroSoft Security Essentials (http://www.microsoft.com/security_essentials/)
Let me know if the installation goes okay in your next reply.
I am using firefox, so will try steps 2 and 3 without worrying about step 1 for now.
Firefox does not seem to create a desktop icon automatically. I did discover if I right click on the file in the download box and then click "Open containing folder" and then right click the file I am trying to download, then I have many options including "run as admin" or "send to desktop". This worked with the McAfee removal program and seemed to work with the MS Security Essentials program (which I prefer). I actually saw the previous MS S.E. download attempts in this download box. However, the MS program seemed to download in a split second and now I cannot find it anywhere to run it or activate it or whatever.
Hello JonTom,
I went ahead and did step 3 for IE and tried to download MS S.E. and it seemed download but, I still cannot find it or activate it. Thanks,
Hello Samwise
I have never heard of a download causing so much trouble before!
Have you tried clicking on Start, and then pasting each of the following search terms the following into the Start Search box:
microsoft security client
msseces.exe
If they are present they should appear in the top menu, allowing you to Right click on them (which will allow you to note their location).
Alternatively, you may have to click on start, then on Computer and then check the directories on the left hand pane (such as documents,
Please download SystemLook by JPShortstuff
Please download SystemLook by JPShortstuff by clicking here (http://jpshortstuff.247fixes.com/SystemLook_x64.exe) and save the file (called SystemLook_x64.exe) to your desktop.
Right click on SystemLook.exe and select "Run as Administrator" to run the program.
Copy the content of the following codebox into the main textfield:
:filefind
msseces.exe
:folderfind
microsoft security client
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Post the log in your next reply and let me know of you have any luck with the manual searches.
I share your frustration as it has never been an issue for me either. I have already been using the search function you describe. The Microsoft security client search eventually brings me to
Computer/OS(C:)/users/John/Downloads/MSE Install
Which does the same microsecond run when you click on it to run. This is where it is dumping all of my downloads today. There are three versions of the mse install there.
The msseces.exe search does not find any file.
SystemLook 30.07.11 by jpshortstuff
Log created at 16:52 on 31/07/2011 by John
Administrator - Elevation successful
========== filefind ==========
Searching for "msseces.exe"
No files found.
========== folderfind ==========
Searching for "microsoft security client"
C:\ProgramData\Microsoft\Microsoft Security Client d------ [15:26 31/07/2011]
C:\Users\All Users\Microsoft\Microsoft Security Client d------ [15:26 31/07/2011]
-= EOF =-
Hello Samwise
I share your frustration We'll get there :) We have the directory path, now we'll look for the installer:
Open systemLook as you did before and Copy the content of the following codebox into the main textfield:
:dir
C:\users\John\Downloads\MSE Install /s
C:\ProgramData\Microsoft\Microsoft Security Client /s
C:\Users\All Users\Microsoft\Microsoft Security Client /s
Click on the Look button to start the scan as you did before and post the log in your next reply.
SystemLook 30.07.11 by jpshortstuff
Log created at 17:44 on 31/07/2011 by John
Administrator - Elevation successful
========== dir ==========
C:\users\John\Downloads\MSE Install - Unable to find folder.
C:\ProgramData\Microsoft\Microsoft Security Client - Parameters: "/s"
---Files---
None found.
C:\ProgramData\Microsoft\Microsoft Security Client\Support d------ [15:26 31/07/2011]
EppSetup.etl --a---- 2424832 bytes [15:26 31/07/2011] [20:49 31/07/2011]
EppSetup.log --a---- 40146 bytes [15:26 31/07/2011] [20:49 31/07/2011]
EppSetupResult.ini --a---- 228 bytes [15:26 31/07/2011] [20:49 31/07/2011]
C:\Users\All Users\Microsoft\Microsoft Security Client - Parameters: "/s"
---Files---
None found.
C:\Users\All Users\Microsoft\Microsoft Security Client\Support d------ [15:26 31/07/2011]
EppSetup.etl --a---- 2424832 bytes [15:26 31/07/2011] [20:49 31/07/2011]
EppSetup.log --a---- 40146 bytes [15:26 31/07/2011] [20:49 31/07/2011]
EppSetupResult.ini --a---- 228 bytes [15:26 31/07/2011] [20:49 31/07/2011]
-= EOF =-
I'll be available again in about 1.5 hours.
thanks
We will have to continue tommorrow then, as it will be after midnight by that time here (I have work tommorrow).
Please let me know what version of Firefox you are running.
Hello JonTom,
It's version 5.01
It looks like I will not have direct access to this computer until Friday p.m. eastern standard time. It will be shut down until then. I will be able to check logs on my laptop in the meantime.
Once again, Thank you for all of your help. I am confident we will figure it out.
Hello Samwise
According to SystemLook it does not look as though the MSE installation file is present in any of those directories.
Just to test the procedure, I configured my Firefox browser to download directly to desktop and then downloaded the MSE installation file.
Lets see if we can repeat the procedure on your system (you will have to disable any script blocking software you have installed prior to attempting the download).
Open firefox and click on the orange firefox tab (top left hand corner of the screen).
In the drop down menu that appears, mouse over Options and click on the Options tab.
A window will open. Click on the "General" tab.
Under the downloads section, place a checkmark next to "Show the downloads window when downloading a file".
Select the radio button next to "Save files to" then click on Browse, and select "Desktop".
Click on OK and then close the window.
Next, copy and paste the following link directly into your firefox browser then hit Enter:
http://www.microsoft.com/security_essentials/
You will be taken to the MSE download site.
Click on the arrow in the orange bubble next to "Download it for free today".
Select your locale/prefered language and then click on "Windows Vista/ Windows 7 64-bit".
A dialogue box will open.
Click on "Save file".
The download will begin and when complete, close the download windows. You should now have an icon on your desktop called "mseinstall".
This is the MSE installation file. Right click on it and select "Run as Administrator" and allow the program to install. Follow any prompts you receive.
Once installed, open MSE, update it and run a full system scan.
If you encounter any problems with the above just let me know.
It looks like I will not have direct access to this computer until Friday p.m. eastern standard time Thanks for letting me know. We will continue when we can :)
Hi JonTom,
Thank you for going through all of those steps and noting them for me. I will try them as soon as I can get back to my desktop.
What about the rest of my concerns (pasted below from previous log)? Will the security eseentials take care of them?
"When I go to the control panel in Windows I am not able to access: Status, Firewall, Updates, Password changes, Security, etc. I did see that there were many Windows updates dated today. An error comes up many times saying Windows cannot find...and it lists a long string of numbers and characters."
Hello Samwise
What about the rest of my concerns One step at a time my friend :)
The most important thing right now is to get a functional AV installed.
Once we have done that we'll see how the machine is running and then try to address the remaining issues.
Hi JonTom,
I followed your steps exactly. The only thing that needed changed was changing the download location from a download file to the desktop.
The program, once again did a one second "download" which I cannot find anywhere.
Other notes: The computer came back on today with a black screen asking for safe mode. So I started in safe mode and rebooted. It then came on with a message: Unable to create C/Windows/ERDUT/autobackup/8-6-11/erdnt.inf
SystemLook 30.07.11 by jpshortstuff
Log created at 08:30 on 06/08/2011 by John
Administrator - Elevation successful
========== dir ==========
C:\users\John\Downloads\MSE Install - Unable to find folder.
C:\ProgramData\Microsoft\Microsoft Security Client - Parameters: "/s"
---Files---
None found.
C:\ProgramData\Microsoft\Microsoft Security Client\Support d------ [15:26 31/07/2011]
EppSetup.etl --a---- 2818048 bytes [15:26 31/07/2011] [12:16 06/08/2011]
EppSetup.log --a---- 46786 bytes [15:26 31/07/2011] [12:16 06/08/2011]
EppSetupResult.ini --a---- 232 bytes [15:26 31/07/2011] [12:16 06/08/2011]
C:\Users\All Users\Microsoft\Microsoft Security Client - Parameters: "/s"
---Files---
None found.
C:\Users\All Users\Microsoft\Microsoft Security Client\Support d------ [15:26 31/07/2011]
EppSetup.etl --a---- 2818048 bytes [15:26 31/07/2011] [12:16 06/08/2011]
EppSetup.log --a---- 46786 bytes [15:26 31/07/2011] [12:16 06/08/2011]
EppSetupResult.ini --a---- 232 bytes [15:26 31/07/2011] [12:16 06/08/2011]
-= EOF =-
Could Spybot be blocking it? I am not sure if the teatimer is turned off or not. I tried to do it in advanced mode and it said I needed to run as administrator which I am unable to do.
Hello Samwise
Does the same problem arise when you try to install a different AV?
As a test, see if you are able to download and install Avira:
Security programs
Avira AntiVir (http://www.free-av.com/)
In the meantime, I am going to confer with some of my colleagues for a second opinion on what could be causing this issue.
I will get back to you as soon as I can.
Avira immediately detected 'Windows Defender' and asked that it be disabled.
Message was something like this:
"Windows Defender is active and will interfere with the download. Go to Tools, Options, and disable real time protection and use windows defender functions"
I did this and Avira downloaded and is doing its first scan right now.
I do not believe I have ever heard of Windows defender.
Avira AntiVir Personal
Report file date: Saturday, August 06, 2011 16:14
Scanning for 3337992 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 x64
Windows version : (Service Pack 1) [6.1.7601]
Boot mode : Normally booted
Username : John
Computer name : SAMIAM-PC
Version information:
BUILD.DAT : 10.0.0.652 31824 Bytes 7/20/2011 16:49:00
AVSCAN.EXE : 10.0.4.2 442024 Bytes 7/20/2011 15:30:06
AVSCAN.DLL : 10.0.3.0 46440 Bytes 7/20/2011 15:30:45
LUKE.DLL : 10.0.3.2 104296 Bytes 7/20/2011 15:30:32
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 11:53:55
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 11:53:56
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 15:30:38
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 15:30:40
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 15:30:41
VBASE006.VDF : 7.11.10.252 2048 Bytes 7/7/2011 15:30:41
VBASE007.VDF : 7.11.10.253 2048 Bytes 7/7/2011 15:30:41
VBASE008.VDF : 7.11.10.254 2048 Bytes 7/7/2011 15:30:41
VBASE009.VDF : 7.11.10.255 2048 Bytes 7/7/2011 15:30:41
VBASE010.VDF : 7.11.11.0 2048 Bytes 7/7/2011 15:30:41
VBASE011.VDF : 7.11.11.1 2048 Bytes 7/7/2011 15:30:41
VBASE012.VDF : 7.11.11.2 2048 Bytes 7/7/2011 15:30:41
VBASE013.VDF : 7.11.11.75 688128 Bytes 7/12/2011 15:30:41
VBASE014.VDF : 7.11.11.104 978944 Bytes 7/13/2011 15:30:42
VBASE015.VDF : 7.11.11.137 655360 Bytes 7/14/2011 15:30:42
VBASE016.VDF : 7.11.11.184 699392 Bytes 7/18/2011 20:13:58
VBASE017.VDF : 7.11.11.214 414208 Bytes 7/19/2011 20:13:59
VBASE018.VDF : 7.11.11.242 772096 Bytes 7/20/2011 20:13:59
VBASE019.VDF : 7.11.12.3 1291776 Bytes 7/20/2011 20:14:00
VBASE020.VDF : 7.11.12.30 844288 Bytes 7/21/2011 20:14:00
VBASE021.VDF : 7.11.12.67 149504 Bytes 7/24/2011 20:14:01
VBASE022.VDF : 7.11.12.93 195072 Bytes 7/25/2011 20:14:01
VBASE023.VDF : 7.11.12.113 150528 Bytes 7/26/2011 20:14:01
VBASE024.VDF : 7.11.12.152 182784 Bytes 7/28/2011 20:14:01
VBASE025.VDF : 7.11.12.181 117760 Bytes 8/1/2011 20:14:01
VBASE026.VDF : 7.11.12.205 148480 Bytes 8/3/2011 20:14:01
VBASE027.VDF : 7.11.12.229 252928 Bytes 8/5/2011 20:14:01
VBASE028.VDF : 7.11.12.230 2048 Bytes 8/5/2011 20:14:02
VBASE029.VDF : 7.11.12.231 2048 Bytes 8/5/2011 20:14:02
VBASE030.VDF : 7.11.12.232 2048 Bytes 8/5/2011 20:14:02
VBASE031.VDF : 7.11.12.233 2048 Bytes 8/5/2011 20:14:02
Engineversion : 8.2.6.28
AEVDF.DLL : 8.1.2.1 106868 Bytes 4/21/2011 11:53:28
AESCRIPT.DLL : 8.1.3.74 1622393 Bytes 8/6/2011 20:14:04
AESCN.DLL : 8.1.7.2 127349 Bytes 4/21/2011 11:53:27
AESBX.DLL : 8.2.1.34 323957 Bytes 7/20/2011 15:29:54
AERDL.DLL : 8.1.9.13 639349 Bytes 7/20/2011 15:29:53
AEPACK.DLL : 8.2.9.5 676214 Bytes 7/20/2011 15:29:53
AEOFFICE.DLL : 8.1.2.13 201083 Bytes 8/6/2011 20:14:04
AEHEUR.DLL : 8.1.2.151 3584374 Bytes 8/6/2011 20:14:03
AEHELP.DLL : 8.1.17.7 254327 Bytes 8/6/2011 20:14:02
AEGEN.DLL : 8.1.5.7 401778 Bytes 8/6/2011 20:14:02
AEEMU.DLL : 8.1.3.0 393589 Bytes 4/21/2011 11:53:14
AECORE.DLL : 8.1.22.4 196983 Bytes 7/20/2011 15:29:42
AEBB.DLL : 8.1.1.0 53618 Bytes 4/21/2011 11:53:14
AVWINLL.DLL : 10.0.0.0 19304 Bytes 4/21/2011 11:53:36
AVPREF.DLL : 10.0.0.0 44904 Bytes 7/20/2011 15:30:04
AVREP.DLL : 10.0.0.8 62209 Bytes 7/20/2011 15:30:04
AVREG.DLL : 10.0.3.2 53096 Bytes 7/20/2011 15:30:04
AVSCPLR.DLL : 10.0.4.2 84840 Bytes 7/20/2011 15:30:06
AVARKT.DLL : 10.0.22.6 231784 Bytes 7/20/2011 15:29:58
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 7/20/2011 15:30:03
SQLITE3.DLL : 3.6.19.0 355688 Bytes 7/20/2011 20:40:24
AVSMTP.DLL : 10.0.0.17 63848 Bytes 4/21/2011 11:53:36
NETNT.DLL : 10.0.0.0 11624 Bytes 4/21/2011 11:53:46
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 7/20/2011 15:30:48
RCTEXT.DLL : 10.0.58.0 97128 Bytes 7/20/2011 15:30:48
Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files (x86)\avira\antivir desktop\setupprf.dat
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Saturday, August 06, 2011 16:14
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process 'presetup.exe' - '1' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '1' Module(s) have been scanned
Scan process 'IAStorDataMgrSvc.exe' - '1' Module(s) have been scanned
Scan process 'plugin-container.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'MemeoBackup.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'accuweather.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'RoxioBurnLauncher.exe' - '1' Module(s) have been scanned
Scan process 'brs.exe' - '1' Module(s) have been scanned
Scan process 'stage_secondary.exe' - '1' Module(s) have been scanned
Scan process 'PDVD9Serv.exe' - '1' Module(s) have been scanned
Scan process 'ShwiconXP9106.exe' - '1' Module(s) have been scanned
Scan process 'IAStorIcon.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'VolPanlu.exe' - '1' Module(s) have been scanned
Scan process 'MSOSYNC.EXE' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'stage_primary.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'SDWinSec.exe' - '1' Module(s) have been scanned
Scan process 'SeaPort.EXE' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'vpnagent.exe' - '1' Module(s) have been scanned
Scan process 'CTAudSvc.exe' - '1' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!
Master boot sector HD6
[INFO] No virus was found!
Start scanning boot sectors:
Starting to scan executable files (registry).
The registry was scanned ( '939' files ).
End of the scan: Saturday, August 06, 2011 16:15
Used time: 00:42 Minute(s)
The scan has been done completely.
0 Scanned directories
1533 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1533 Files not concerned
6 Archives were scanned
0 Warnings
0 Notes
I pretty much unclicked everything in Windows defender so let me know if that is okay.
Hello Samwise
Phew! I'm glad we finally managed to get an AV installed :)
The Avira scan appears to be clean.
I do not believe I have ever heard of Windows defender Its a legit application that comes pre-installed with Vista/Win7.
I believe that it can be left running alongside avira (chances are you only had to disable it for the download). It would cause no harm to re-enable it and see how the machine runs - if there are any problems with it engaged you can always disable it again, but it is not malicious.
Are you still having trouble accessing "Status" etc?
An error comes up many times saying Windows cannot find...and it lists a long string of numbers and characters. Please try to copy the whole error message the next time it appears and post it here please.
I too, am glad to have an security program running. However, the other issue persists. Most of the available buttons in the control panel seem to be non responsive to right or left clicking. It's not until you click on:
Windows Update: Turn automatic updating on or off
that you get this big X in a red circle with this message:
Windows cannot find
1::{26EE0668-A00A-44D7-9371-BEB064C98683}\5\::}36EEF7DB-88AD-4E81-AD4...\page settings: Make sure you typed the name correctly and then try again
Be advised I was not able to cut and paste the error message so I hope it is accurately transcribed.
Do you think I need to reinstall windows?
Hello Samwise
Do you think I need to reinstall windows? That is always an option but I think it would be a little rash to do so just now.
As your scans are coming back clean, the remaining issue does not appear to be associated with malware, but we can try the following to see if it helps:
System File Checker
Click on Start and then on All Programs.
Click on Accessories then right click on Command Prompt and select Run as Administrator.
If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
Type the following command, and then press ENTER
sfc /scannow
Let the system file checker run unhindered.
Note: The program may (or it may not) ask you for your installation CD - please insert it at the prompt. If it doesn't ask you for the CD this means that it wasn't necessary to replace any files.
You may have to exit the scan should you be notified that an installation disk is required and you do not have one.
Once complete let me know if the problem is resolved.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>sfc /scannow
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some of th
em.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log
C:\Windows\system32>
I was trying to post again and got Knocked off somehow and the command screen disappeared. Here is what I was saying:
1. I am very sorry I could not respond sooner to your last post.
2. The process ran, as you can see, but I was never asked to insert a cd. For future reference, the software came pre-installed on this Dell 8300 and I am not sure which of the three unopened CD's I should use if prompted (drivers and utilities, drivers and documentation, and reinstallation dvd[which says: Use this only to reinstall the operating system]).
3. I searched and looked in the directory path for the CBS log and at one point got a message "access denied".
Based on what you have said before about your time zone, I suspect you have retired for the night. Hopefully you have time to check this in the morning. Thanks!!!
I checked control panel as you asked and lo and behold it seems to be working!:thanks:
I did not think anything would have changed since it did not ask for a disc and said there were corrupt files it could not repair.
As I was clicking through the control panel, I clicked a button in Windows update to repair any problems and it stated that it had found and fixed a problem.
The firewall section states that the firewall and virus program are on.
Hello Samwise
It may be possible that NoScript was interfering with the MSE download issue you had previously.
I checked control panel as you asked and lo and behold it seems to be working! Yes!
As everything appears to be running okay now I think we are just about done.
Please feel free to delete SystemLook from your machine as you no longer need it.
Enjoy the rest of your weekend :)
JonTom
I noticed Avira said it had not run a full scan. It looks like it found some stuff. Is there anything else I need to turn on or off?
Avira AntiVir Personal
Report file date: Sunday, August 07, 2011 07:58
Scanning for 3337992 virus strains and unwanted programs.
The program is running as an unrestricted full version.
Online services are available:
Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows 7 x64
Windows version : (Service Pack 1) [6.1.7601]
Boot mode : Normally booted
Username : SYSTEM
Computer name : SAMIAM-PC
Version information:
BUILD.DAT : 10.0.0.652 31824 Bytes 7/20/2011 16:49:00
AVSCAN.EXE : 10.0.4.2 442024 Bytes 7/20/2011 15:30:06
AVSCAN.DLL : 10.0.3.0 46440 Bytes 7/20/2011 15:30:45
LUKE.DLL : 10.0.3.2 104296 Bytes 7/20/2011 15:30:32
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 04:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 14:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 11:53:55
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 11:53:56
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 15:30:38
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 15:30:40
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 15:30:41
VBASE006.VDF : 7.11.10.252 2048 Bytes 7/7/2011 15:30:41
VBASE007.VDF : 7.11.10.253 2048 Bytes 7/7/2011 15:30:41
VBASE008.VDF : 7.11.10.254 2048 Bytes 7/7/2011 15:30:41
VBASE009.VDF : 7.11.10.255 2048 Bytes 7/7/2011 15:30:41
VBASE010.VDF : 7.11.11.0 2048 Bytes 7/7/2011 15:30:41
VBASE011.VDF : 7.11.11.1 2048 Bytes 7/7/2011 15:30:41
VBASE012.VDF : 7.11.11.2 2048 Bytes 7/7/2011 15:30:41
VBASE013.VDF : 7.11.11.75 688128 Bytes 7/12/2011 15:30:41
VBASE014.VDF : 7.11.11.104 978944 Bytes 7/13/2011 15:30:42
VBASE015.VDF : 7.11.11.137 655360 Bytes 7/14/2011 15:30:42
VBASE016.VDF : 7.11.11.184 699392 Bytes 7/18/2011 20:13:58
VBASE017.VDF : 7.11.11.214 414208 Bytes 7/19/2011 20:13:59
VBASE018.VDF : 7.11.11.242 772096 Bytes 7/20/2011 20:13:59
VBASE019.VDF : 7.11.12.3 1291776 Bytes 7/20/2011 20:14:00
VBASE020.VDF : 7.11.12.30 844288 Bytes 7/21/2011 20:14:00
VBASE021.VDF : 7.11.12.67 149504 Bytes 7/24/2011 20:14:01
VBASE022.VDF : 7.11.12.93 195072 Bytes 7/25/2011 20:14:01
VBASE023.VDF : 7.11.12.113 150528 Bytes 7/26/2011 20:14:01
VBASE024.VDF : 7.11.12.152 182784 Bytes 7/28/2011 20:14:01
VBASE025.VDF : 7.11.12.181 117760 Bytes 8/1/2011 20:14:01
VBASE026.VDF : 7.11.12.205 148480 Bytes 8/3/2011 20:14:01
VBASE027.VDF : 7.11.12.229 252928 Bytes 8/5/2011 20:14:01
VBASE028.VDF : 7.11.12.230 2048 Bytes 8/5/2011 20:14:02
VBASE029.VDF : 7.11.12.231 2048 Bytes 8/5/2011 20:14:02
VBASE030.VDF : 7.11.12.232 2048 Bytes 8/5/2011 20:14:02
VBASE031.VDF : 7.11.12.233 2048 Bytes 8/5/2011 20:14:02
Engineversion : 8.2.6.28
AEVDF.DLL : 8.1.2.1 106868 Bytes 4/21/2011 11:53:28
AESCRIPT.DLL : 8.1.3.74 1622393 Bytes 8/6/2011 20:14:04
AESCN.DLL : 8.1.7.2 127349 Bytes 4/21/2011 11:53:27
AESBX.DLL : 8.2.1.34 323957 Bytes 7/20/2011 15:29:54
AERDL.DLL : 8.1.9.13 639349 Bytes 7/20/2011 15:29:53
AEPACK.DLL : 8.2.9.5 676214 Bytes 7/20/2011 15:29:53
AEOFFICE.DLL : 8.1.2.13 201083 Bytes 8/6/2011 20:14:04
AEHEUR.DLL : 8.1.2.151 3584374 Bytes 8/6/2011 20:14:03
AEHELP.DLL : 8.1.17.7 254327 Bytes 8/6/2011 20:14:02
AEGEN.DLL : 8.1.5.7 401778 Bytes 8/6/2011 20:14:02
AEEMU.DLL : 8.1.3.0 393589 Bytes 4/21/2011 11:53:14
AECORE.DLL : 8.1.22.4 196983 Bytes 7/20/2011 15:29:42
AEBB.DLL : 8.1.1.0 53618 Bytes 4/21/2011 11:53:14
AVWINLL.DLL : 10.0.0.0 19304 Bytes 4/21/2011 11:53:36
AVPREF.DLL : 10.0.0.0 44904 Bytes 7/20/2011 15:30:04
AVREP.DLL : 10.0.0.8 62209 Bytes 7/20/2011 15:30:04
AVREG.DLL : 10.0.3.2 53096 Bytes 7/20/2011 15:30:04
AVSCPLR.DLL : 10.0.4.2 84840 Bytes 7/20/2011 15:30:06
AVARKT.DLL : 10.0.22.6 231784 Bytes 7/20/2011 15:29:58
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 7/20/2011 15:30:03
SQLITE3.DLL : 3.6.19.0 355688 Bytes 7/20/2011 20:40:24
AVSMTP.DLL : 10.0.0.17 63848 Bytes 4/21/2011 11:53:36
NETNT.DLL : 10.0.0.0 11624 Bytes 4/21/2011 11:53:46
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 7/20/2011 15:30:48
RCTEXT.DLL : 10.0.58.0 97128 Bytes 7/20/2011 15:30:48
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:, F:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Sunday, August 07, 2011 07:58
Starting search for hidden objects.
C:\Program Files\Common Files\Microsoft Shared\Windows Live
C:\Program Files\Common Files\Microsoft Shared\Windows Live
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\compatibility flags
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Media Center\Extensibility\Entry Points\{f5d70db2-0c9b-4a2a-a24e-b06fbe9af19c}\run
[NOTE] The registry entry is invisible.
C:\Users\John\AppData\Local\Temp\{1F4882F7-14DF-46B2-80D5-EF7F28BBFC9D}\{9DF0196F-B6B8-4C3A-8790-DE42AA530101}\spore.png
C:\Users\John\AppData\Local\Temp\{1F4882F7-14DF-46B2-80D5-EF7F28BBFC9D}\{9DF0196F-B6B8-4C3A-8790-DE42AA530101}\spore.png
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Media Center\Settings\VideoSettings\recordingkeepuntil
[NOTE] The registry entry is invisible.
c:\windows\system32\wuauclt.exe
c:\windows\system32\wuauclt.exe
[NOTE] The process is not visible.
The scan of running processes will be started
Scan process 'avscan.exe' - '80' Module(s) have been scanned
Scan process 'avscan.exe' - '30' Module(s) have been scanned
Scan process 'avcenter.exe' - '75' Module(s) have been scanned
Scan process 'plugin-container.exe' - '80' Module(s) have been scanned
Scan process 'firefox.exe' - '98' Module(s) have been scanned
Scan process 'sched.exe' - '50' Module(s) have been scanned
Scan process 'avguard.exe' - '69' Module(s) have been scanned
Scan process 'IAStorDataMgrSvc.exe' - '47' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '75' Module(s) have been scanned
Scan process 'RoxioBurnLauncher.exe' - '66' Module(s) have been scanned
Scan process 'brs.exe' - '22' Module(s) have been scanned
Scan process 'stage_secondary.exe' - '77' Module(s) have been scanned
Scan process 'PDVD9Serv.exe' - '27' Module(s) have been scanned
Scan process 'ShwiconXP9106.exe' - '32' Module(s) have been scanned
Scan process 'IAStorIcon.exe' - '49' Module(s) have been scanned
Scan process 'rundll32.exe' - '49' Module(s) have been scanned
Scan process 'VolPanlu.exe' - '65' Module(s) have been scanned
Scan process 'MSOSYNC.EXE' - '49' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '67' Module(s) have been scanned
Scan process 'stage_primary.exe' - '88' Module(s) have been scanned
Scan process 'SDWinSec.exe' - '48' Module(s) have been scanned
Scan process 'SeaPort.EXE' - '49' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '41' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '50' Module(s) have been scanned
Scan process 'vpnagent.exe' - '57' Module(s) have been scanned
Scan process 'CTAudSvc.exe' - '30' Module(s) have been scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!
Master boot sector HD6
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '735' files ).
Starting the file scan:
Begin scan in 'C:\' <OS>
C:\Users\John\Documents\John Salay\Local Settings\Temporary Internet Files\Content.IE5\W9EN4LAB\www.safetyhomepage[1]
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
Begin scan in 'E:\' <HD-WIU2>
E:\John Salay\Local Settings\Temporary Internet Files\Content.IE5\W9EN4LAB\www.safetyhomepage[1]
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
Begin scan in 'F:\' <HD-WIU2>
F:\JOHN-PC\Backup Set 2011-01-26 200110\Backup Files 2011-01-30 234808\Backup files 3.zip
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
--> C/Users/John/Documents/John Salay/Local Settings/Temporary Internet Files/Content.IE5/W9EN4LAB/www.safetyhomepage[1]
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
F:\SAMIAM-PC\Backup Set 2011-01-26 200110\Backup Files 2011-05-01 190000\Backup files 2.zip
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BL exploit
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/1/68ac45c1-6efd3d03
[1] Archive type: ZIP
--> menu/edit.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BL exploit
--> menu/file.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BW exploit
--> menu/help.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.U exploit
--> pocket/object3.class
[DETECTION] Contains recognition pattern of the JAVA/Formduce.A Java virus
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/27/2e841c9b-59da3fd8
[1] Archive type: ZIP
--> gendalf/fire.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.AG Java virus
--> mordor/bilbo.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.AH Java virus
--> mordor/frodo.class
[DETECTION] Is the TR/Java.Downloader.K.2 Trojan
--> mordor/gorlum.class
[DETECTION] Is the TR/Java.Downloader.K.3 Trojan
--> mordor/saruman.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.AJ Java virus
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/35/57913e23-72b13c65
[1] Archive type: ZIP
--> lort/border.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BN exploit
--> lort/object4.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.D exploit
--> menu/edit.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BL exploit
--> menu/file.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BW exploit
--> menu/help.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.U exploit
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/4/75120c44-457728a7
[1] Archive type: ZIP
--> ClassPol.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.1184 Java virus
--> padle.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.1504 Java virus
--> hubert.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.4794 Java virus
--> CusBen.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.7976 Java virus
--> Trollllllle.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.4653 Java virus
--> Clrepor.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.1113 Java virus
--> Cload.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.3130 Java virus
--> novell.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.838 Java virus
--> huiak.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.10515 Java virus
F:\SAMIAM-PC\Backup Set 2011-05-08 190000\Backup Files 2011-05-08 190000\Backup files 3.zip
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
--> C/Users/John/Documents/John Salay/Local Settings/Temporary Internet Files/Content.IE5/W9EN4LAB/www.safetyhomepage[1]
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
F:\SAMIAM-PC\Backup Set 2011-05-08 190000\Backup Files 2011-05-08 190000\Backup files 6.zip
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BL exploit
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/1/68ac45c1-6efd3d03
[1] Archive type: ZIP
--> menu/edit.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BL exploit
--> menu/file.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BW exploit
--> menu/help.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.U exploit
--> pocket/object3.class
[DETECTION] Contains recognition pattern of the JAVA/Formduce.A Java virus
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/27/2e841c9b-59da3fd8
[1] Archive type: ZIP
--> gendalf/fire.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.AG Java virus
--> mordor/bilbo.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.AH Java virus
--> mordor/frodo.class
[DETECTION] Is the TR/Java.Downloader.K.2 Trojan
--> mordor/gorlum.class
[DETECTION] Is the TR/Java.Downloader.K.3 Trojan
--> mordor/saruman.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.AJ Java virus
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/35/57913e23-72b13c65
[1] Archive type: ZIP
--> lort/border.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BN exploit
--> lort/object4.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.D exploit
--> menu/edit.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BL exploit
--> menu/file.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BW exploit
--> menu/help.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.U exploit
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/4/75120c44-457728a7
[1] Archive type: ZIP
--> ClassPol.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.1184 Java virus
--> padle.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.1504 Java virus
--> hubert.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.4794 Java virus
--> CusBen.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.7976 Java virus
--> Trollllllle.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.4653 Java virus
--> Clrepor.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.1113 Java virus
--> Cload.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.3130 Java virus
--> novell.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.838 Java virus
--> huiak.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.10515 Java virus
F:\SAMIAM-PC\Backup Set 2011-07-17 190000\Backup Files 2011-07-17 190000\Backup files 3.zip
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
--> C/Users/John/Documents/John Salay/Local Settings/Temporary Internet Files/Content.IE5/W9EN4LAB/www.safetyhomepage[1]
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
F:\SAMIAM-PC\Backup Set 2011-07-17 190000\Backup Files 2011-07-17 190000\Backup files 4.zip
[0] Archive type: ZIP
[DETECTION] Is the TR/Crypt.EPACK.Gen2 Trojan
--> C/Users/John/AppData/Roaming/dwm.exe
[DETECTION] Is the TR/Crypt.EPACK.Gen2 Trojan
--> C/Users/John/AppData/Roaming/Microsoft/conhost.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Backdoor.Gen5 back-door program
[WARNING] This file is a mailbox. To avoid damaging your emails this file will not be repaired or deleted.
F:\SAMIAM-PC\Backup Set 2011-07-17 190000\Backup Files 2011-07-17 190000\Backup files 7.zip
[0] Archive type: ZIP
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BL exploit
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/1/68ac45c1-6efd3d03
[1] Archive type: ZIP
--> menu/edit.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BL exploit
--> menu/file.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BW exploit
--> menu/help.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.U exploit
--> pocket/object3.class
[DETECTION] Contains recognition pattern of the JAVA/Formduce.A Java virus
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/27/2e841c9b-59da3fd8
[1] Archive type: ZIP
--> gendalf/fire.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.AG Java virus
--> mordor/bilbo.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.AH Java virus
--> mordor/frodo.class
[DETECTION] Is the TR/Java.Downloader.K.2 Trojan
--> mordor/gorlum.class
[DETECTION] Is the TR/Java.Downloader.K.3 Trojan
--> mordor/saruman.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.AJ Java virus
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/31/7ab66f1f-2b573dad
[1] Archive type: ZIP
--> rotor/zalux$vrkr.class
[DETECTION] Contains recognition pattern of the JAVA/Premarin.B Java virus
--> rotor/zalux.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.DH Java virus
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/35/57913e23-72b13c65
[1] Archive type: ZIP
--> lort/border.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BN exploit
--> lort/object4.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.D exploit
--> menu/edit.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BL exploit
--> menu/file.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.BW exploit
--> menu/help.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0840.U exploit
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/4/75120c44-457728a7
[1] Archive type: ZIP
--> ClassPol.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.1184 Java virus
--> padle.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.1504 Java virus
--> hubert.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.4794 Java virus
--> CusBen.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.7976 Java virus
--> Trollllllle.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.4653 Java virus
--> Clrepor.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.1113 Java virus
--> Cload.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.3130 Java virus
--> novell.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.838 Java virus
--> huiak.class
[DETECTION] Contains recognition pattern of the JAVA/Agent.10515 Java virus
--> C/Users/John/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/9/3ec26009-2fdb40ae
[1] Archive type: ZIP
--> rotor/zalux$vrkr.class
[DETECTION] Contains recognition pattern of the JAVA/Premarin.B Java virus
--> rotor/zalux.class
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.DH Java virus
Beginning disinfection:
F:\SAMIAM-PC\Backup Set 2011-07-17 190000\Backup Files 2011-07-17 190000\Backup files 7.zip
[DETECTION] Contains recognition pattern of the JAVA/Exdoer.DH Java virus
[NOTE] The file was moved to the quarantine directory under the name '4b7a3e78.qua'.
F:\SAMIAM-PC\Backup Set 2011-07-17 190000\Backup Files 2011-07-17 190000\Backup files 4.zip
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Backdoor.Gen5 back-door program
[WARNING] The file was ignored!
F:\SAMIAM-PC\Backup Set 2011-07-17 190000\Backup Files 2011-07-17 190000\Backup files 3.zip
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
[NOTE] The file was moved to the quarantine directory under the name '53ed11d8.qua'.
F:\SAMIAM-PC\Backup Set 2011-05-08 190000\Backup Files 2011-05-08 190000\Backup files 6.zip
[DETECTION] Contains recognition pattern of the JAVA/Agent.10515 Java virus
[NOTE] The file was moved to the quarantine directory under the name '01b24b31.qua'.
F:\SAMIAM-PC\Backup Set 2011-05-08 190000\Backup Files 2011-05-08 190000\Backup files 3.zip
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
[NOTE] The file was moved to the quarantine directory under the name '678504c8.qua'.
F:\SAMIAM-PC\Backup Set 2011-01-26 200110\Backup Files 2011-05-01 190000\Backup files 2.zip
[DETECTION] Contains recognition pattern of the JAVA/Agent.10515 Java virus
[NOTE] The file was moved to the quarantine directory under the name '220129e0.qua'.
F:\JOHN-PC\Backup Set 2011-01-26 200110\Backup Files 2011-01-30 234808\Backup files 3.zip
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
[NOTE] The file was moved to the quarantine directory under the name '5d1a1b88.qua'.
E:\John Salay\Local Settings\Temporary Internet Files\Content.IE5\W9EN4LAB\www.safetyhomepage[1]
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
[NOTE] The file was moved to the quarantine directory under the name '11b63623.qua'.
C:\Users\John\Documents\John Salay\Local Settings\Temporary Internet Files\Content.IE5\W9EN4LAB\www.safetyhomepage[1]
[DETECTION] Contains recognition pattern of the ADSPY/PestTrap adware or spyware
[NOTE] The file was moved to the quarantine directory under the name '6dae7672.qua'.
End of the scan: Sunday, August 07, 2011 10:01
Used time: 1:59:48 Hour(s)
The scan has been done completely.
64731 Scanned directories
1184978 Files were scanned
80 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
8 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1184898 Files not concerned
10580 Archives were scanned
1 Warnings
14 Notes
544839 Objects were scanned with rootkit scan
6 Hidden objects were found
Hello Samwise
Allow avira to quarantine all of those detected items and then follow with ESET:
Please run the following scan
Note: You will need to use Internet Explorer for this scan.
Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
Please disable your real time security programs before performing the scan.
Scan your system with Eset Online Scanner (http://www.eset.com/onlinescan/)
Place a check mark in the box YES, I accept the Terms Of Use.
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Please perform the following scan
Please download DDS from here (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection (How to Disable your Security Programs (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html))
Right click on the DDS icon and select "Run as Administrator" to run the tool (may take up to 3 minutes to run).
When done, DDS.txt will open.
After a few moments, attach.txt will open in a second window.
Save both reports to your desktop.
Please post the contents of the DDS.txt and Attach.txt logs in your next reply.
Post the ESET log and a new DDS log in your next reply. Also, please describe exactly how the machine is running now.
Hello JonTom,
I am sorry this has been such a long process and am very grateful for you sticking with me.
I will not have access to my desktop again until next Sunday night at the earliest and will follow your directions at that time. Please do not close the thread.
Thanks again!
Hello Samwise
I will leave your thread open :)
I will not have access to my desktop again until next Sunday night I will be offline for 7 days from Saturday 13th and so will be unable to respond to you when you have access to the machine.
I have asked if another helper would be willing to check on this thread in my absence. Once I hear back from them I will let you know.
Hello Samwise
Blottedisk has very kindly agreed to check on your thread in my absence (many thanks my friend).
You are in very safe hands.
Best wishes
JonTom
I ran Eset last night and it seemed to get stuck on 99% complete, when the computer did an automatic reboot/update. It had found 14 threats that I could see. I ran it again today after some difficulty and it got stuck on 99% complete again with no threats found this time. It was stopped on this file: F:\David S***y\mygames\download microsoft visual studio 2008 professional edition.iso after having scanned 352,343 files in about 90 minutes. There was a list under manage quaratine, but I was not able to cut and paste it nor did I see any other logs as I had to click the stop button since it was stuck.
I have not done much with the computer to see how it is running, but there are error messages coming up when it turns on about unable to find registry files.
.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by John at 11:47:06 on 2011-08-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8174.5718 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackgroundService.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\CyberLink\Shared files\brs.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\stage_secondary.exe
C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackup.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.excite.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - C:\Program Files (x86)\WOT\WOT.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - C:\Program Files (x86)\WOT\WOT.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Memeo Backup Premium] C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoLauncher2.exe --silent --no_ui
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\ERUNT\AUTOBACK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://myhrweb.tmhs.org/+CSCOL+/relayp.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://sslvpn.tmhs.org/CACHE/stc/1/binaries/vpnweb.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{17BFF10D-B5AE-4F7B-B03E-0F9A6F6934D2} : DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{5E5302EF-B650-45F8-BE1B-58C8ABFB5465} : DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{9A35D416-AEAE-41A3-820D-44F16FB2DD82} : DhcpNameServer = 192.168.1.1 71.252.0.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun-x64: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun-x64: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun-x64: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun-x64: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun-x64: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Memeo Backup Premium] C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoLauncher2.exe --silent --no_ui
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\1w28n1wy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-8-6 136360]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-8-6 269480]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-1-19 13336]
R2 MemeoBackgroundService;MemeoBackgroundService;C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackgroundService.exe [2010-7-28 25824]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-10 1153368]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-6-17 434864]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys --> C:\Windows\system32\drivers\HCW85BDA.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 t3;Sound Blaster X-Fi Xtreme Audio;C:\Windows\system32\drivers\t3.sys --> C:\Windows\system32\drivers\t3.sys [?]
S2 CLKMSVC10_9EC60124;CyberLink Product - 2011/01/19 20:27:08;C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-10-26 236016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-9-4 219632]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-1-19 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-19 79360]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2010-7-30 25072]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-9-4 1116656]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-08-13 22:44:35 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{86FC9CF9-3ADA-47F7-9D4D-7467E612EFB1}\mpengine.dll
2011-08-07 11:58:29 -------- d-----w- C:\Users\John\AppData\Roaming\Avira
2011-08-07 03:09:04 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-08-07 03:09:00 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-08-06 20:13:30 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2011-08-06 20:13:29 -------- d-----w- C:\ProgramData\Avira
2011-08-06 20:13:29 -------- d-----w- C:\Program Files (x86)\Avira
2011-07-31 15:12:39 -------- d-----w- C:\ProgramData\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-07-31 14:36:29 -------- d-----w- C:\Users\John\AppData\Local\Solid State Networks
2011-07-31 13:40:05 -------- d-----w- C:\Program Files (x86)\Uniblue
2011-07-31 13:39:56 -------- d-----w- C:\Users\John\AppData\Local\PackageAware
2011-07-31 13:13:32 -------- d-----w- C:\Program Files (x86)\WOT
2011-07-31 12:18:29 -------- d-----w- C:\Users\John\AppData\Local\{5ABD7BB5-F743-4FB9-8B35-C44D714425FE}
2011-07-30 17:00:17 -------- d-----w- C:\Program Files (x86)\ESET
2011-07-30 16:51:12 -------- d-----w- C:\Users\John\AppData\Roaming\Malwarebytes
2011-07-30 16:51:02 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-30 16:51:02 -------- d-----w- C:\ProgramData\Malwarebytes
2011-07-30 16:50:58 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-07-30 16:50:58 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-07-29 11:15:24 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-23 20:54:13 118784 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL
2011-07-23 20:54:13 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2011-07-23 20:52:50 -------- d-----w- C:\Users\John\AppData\Roaming\Sammsoft
2011-07-23 20:52:41 -------- d-----w- C:\Program Files (x86)\ARO 2011
2011-07-23 18:20:39 -------- d-----w- C:\ERUNT
2011-07-19 23:15:12 -------- d-----w- C:\Users\John\AppData\Roaming\Fingertapps
2011-07-19 17:49:27 -------- d-----w- C:\FIND_EULA_PATH
2011-07-18 12:20:37 -------- d-----w- C:\Windows\System32\SPReview
2011-07-18 12:19:26 -------- d-----w- C:\Windows\System32\EventProviders
.
==================== Find3M ====================
.
2011-07-31 14:47:55 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-31 13:55:54 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-07-23 20:37:39 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-18 12:26:35 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-07-18 12:26:34 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-09 02:46:28 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-24 05:25:49 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-06-23 05:43:12 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-06-23 04:33:57 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:33:57 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll
2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll
2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
.
============= FINISH: 11:47:40.87 ===============
The other text doc was an old one. I had trouble in IE but was able to find the attach.txt on the notepad after performing the procedure with Mozilla.
I realized when I right clicked on the IE icons and selected "run as administrator" nothing really happened. Instead I opened the file location and tried it and it worked, so I am retrying the eset scan now.
The scan seemed to run fine and stated no threats were found.
.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by John at 16:32:31 on 2011-08-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8174.5765 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackgroundService.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files (x86)\CyberLink\Shared files\brs.exe
C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Dell Stage\Dell Stage\stage_secondary.exe
C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackup.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\ehome\ehRecvr.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.excite.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - C:\Program Files (x86)\WOT\WOT.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - C:\Program Files (x86)\WOT\WOT.dll
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [OfficeSyncProcess] "C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE"
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Memeo Backup Premium] C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoLauncher2.exe --silent --no_ui
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
StartupFolder: C:\Users\John\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ERUNTA~1.LNK - C:\ERUNT\AUTOBACK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://oas.support.microsoft.com/ActiveX/MSDcode.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2AB1C516-D654-4D3A-B3D6-2185BBCEB409} - hxxps://myhrweb.tmhs.org/+CSCOL+/relayp.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://sslvpn.tmhs.org/CACHE/stc/1/binaries/vpnweb.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{17BFF10D-B5AE-4F7B-B03E-0F9A6F6934D2} : DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{5E5302EF-B650-45F8-BE1B-58C8ABFB5465} : DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{9A35D416-AEAE-41A3-820D-44F16FB2DD82} : DhcpNameServer = 192.168.1.1 71.252.0.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: WOT Helper: {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: WOT: {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun-x64: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
mRun-x64: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
mRun-x64: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun-x64: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun-x64: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun-x64: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe
mRun-x64: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Memeo Backup Premium] C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoLauncher2.exe --silent --no_ui
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [AccuWeatherWidget] "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj" --startup
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\1w28n1wy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-8-6 136360]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-8-6 269480]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-1-19 13336]
R2 MemeoBackgroundService;MemeoBackgroundService;C:\Program Files (x86)\Memeo\AutoBackupPro\MemeoBackgroundService.exe [2010-7-28 25824]
R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-2-10 1153368]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-6-17 434864]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\system32\drivers\HCW85BDA.sys --> C:\Windows\system32\drivers\HCW85BDA.sys [?]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\Dell Support Center\pcdsrvc_x64.pkms [2010-7-30 25072]
R3 t3;Sound Blaster X-Fi Xtreme Audio;C:\Windows\system32\drivers\t3.sys --> C:\Windows\system32\drivers\t3.sys [?]
S2 CLKMSVC10_9EC60124;CyberLink Product - 2011/01/19 20:27:08;C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-10-26 236016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-9-4 219632]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-2-28 183560]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-1-19 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-1-19 79360]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-2-1 136176]
S3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-9-4 1116656]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2011-08-13 22:44:35 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{86FC9CF9-3ADA-47F7-9D4D-7467E612EFB1}\mpengine.dll
2011-08-07 11:58:29 -------- d-----w- C:\Users\John\AppData\Roaming\Avira
2011-08-07 03:09:04 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-08-07 03:09:00 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-08-06 20:13:30 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2011-08-06 20:13:29 -------- d-----w- C:\ProgramData\Avira
2011-08-06 20:13:29 -------- d-----w- C:\Program Files (x86)\Avira
2011-07-31 15:12:39 -------- d-----w- C:\ProgramData\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-07-31 14:36:29 -------- d-----w- C:\Users\John\AppData\Local\Solid State Networks
2011-07-31 13:40:05 -------- d-----w- C:\Program Files (x86)\Uniblue
2011-07-31 13:39:56 -------- d-----w- C:\Users\John\AppData\Local\PackageAware
2011-07-31 13:13:32 -------- d-----w- C:\Program Files (x86)\WOT
2011-07-31 12:18:29 -------- d-----w- C:\Users\John\AppData\Local\{5ABD7BB5-F743-4FB9-8B35-C44D714425FE}
2011-07-30 17:00:17 -------- d-----w- C:\Program Files (x86)\ESET
2011-07-30 16:51:12 -------- d-----w- C:\Users\John\AppData\Roaming\Malwarebytes
2011-07-30 16:51:02 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-30 16:51:02 -------- d-----w- C:\ProgramData\Malwarebytes
2011-07-30 16:50:58 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-07-30 16:50:58 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-07-29 11:15:24 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-23 20:54:13 118784 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL
2011-07-23 20:54:13 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2011-07-23 20:52:50 -------- d-----w- C:\Users\John\AppData\Roaming\Sammsoft
2011-07-23 20:52:41 -------- d-----w- C:\Program Files (x86)\ARO 2011
2011-07-23 18:20:39 -------- d-----w- C:\ERUNT
2011-07-19 23:15:12 -------- d-----w- C:\Users\John\AppData\Roaming\Fingertapps
2011-07-19 17:49:27 -------- d-----w- C:\FIND_EULA_PATH
2011-07-18 12:20:37 -------- d-----w- C:\Windows\System32\SPReview
2011-07-18 12:19:26 -------- d-----w- C:\Windows\System32\EventProviders
.
==================== Find3M ====================
.
2011-07-31 14:47:55 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-07-31 13:55:54 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-07-23 20:37:39 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2011-07-22 05:42:23 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-07-22 05:36:16 1389056 ----a-w- C:\Windows\System32\wininet.dll
2011-07-22 05:32:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 02:54:43 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-18 12:26:35 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-07-18 12:26:34 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-09 02:46:28 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-24 05:25:49 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-06-23 05:43:12 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-06-23 04:33:57 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-06-23 04:33:57 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll
2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll
2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
.
============= FINISH: 16:32:55.95 ===============
Blottedisk
2011-08-15, 17:09
Hi Samwise,
I'll be helping you with your issues :)
Please download Combofix from either of the links below and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html )
--------------------------------------------------------------------
Right-click and choose "Run as administrator" on Combofix.exe & follow the prompts. When finished, it will produce a report for you.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix )
:eek:
I am writing this from my non effected laptop.
Just got back to desktop after being away and ran combofix as instructed. It did not ask to install recovery console, but did reboot computer before putting log up. However, I can not click on any desktop icons or even programs without a beeping error message that says (for example when clicking on IE):
C:\Program Files (x86)\Internet Explorer\ieexplore.exe
Illegal operation on a registry key that has been marked for deletion
When you click the OK button it says
Can't open this item...as it has been moved, removed, deleted...Do you want to remove?
I am able to print out the six page registry and will try to find a way to scan and post it using a different computer.
42
Followed instructions link for problems with combo fix and saw "Reboot if unable to log back on" which worked, although I lost the log and still needed to scan it.
However, it came in as a zip file that exceeds the spybot size allotment.
i was able to scan, but windows photo gallery insists on importing it as a picture or tif file and spybot won't let me upload.
Blottedisk
2011-08-18, 03:22
Let's try the following:
Right-click on the log it and choose "Open with..."
Open it with notepad
Copy and paste the contents of the log here. You may need several posts to put the entire log.
So right clicking does not bring up notepad option. I tried opening it with notepad as well and it came up as a lot of machine language. Should I rerun combofix? Are there any key lines I can transcribe here? I see three lines under "Other Deletions" all beginning with c:\programdata\PCDr\5830\Downloads\
then
ae67b364-b69e-471e-b177-2459120b84d4.dll
bbfa36b0-30b0-4e36-8d8c-69df1d87626b.dll
daf30858-49d8-434b-b4b1-068b5dc9267c.dll
Tried many other ways of importing to forum, but was unsuccessful. Managed to same in word as image, but spybot said invalid file (.docx).
Blottedisk
2011-08-19, 15:20
Would you please upload it to MediaFire (http://www.mediafire.com/)?. Then give me the link and I'll download it from there.
Before I saw your last post, I figured out how to convert each page to a pdf on another computer.
Blottedisk
2011-08-20, 14:56
Hi there, thanks for the log.
Are you behind a router? Do you know to whom does the 192.168.1.1 IP belong?
Please do the following:
ComboFix - CFScript
WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
Please open Notepad and copy/paste all the text below... into the window:
KILLALL::
DDS::
uInternet Settings,ProxyOverride = *.local
Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif
This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply. If you find any difficult to post the log again, I'd prefer you to try to upload it to Mediafire rather than uploading it as a pdf, as I can handle the information more easily by copying it in order to research.
** Enable your Antivirus and Firewall, before connecting to the Internet again! **
192.168.1.1 comes up on our other computers as our ip address, via Verizon FIOS
ComboFix 11-08-19.02 - John 08/20/2011 13:13:47.4.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8174.6642 [GMT -4:00]
Running from: c:\users\John\Desktop\ComboFix.exe
Command switches used :: c:\users\John\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\John\AppData\Roaming\3904.ABD
.
.
((((((((((((((((((((((((( Files Created from 2011-07-20 to 2011-08-20 )))))))))))))))))))))))))))))))
.
.
2011-08-20 17:17 . 2011-08-20 17:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-13 22:44 . 2011-07-20 13:44 8578896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{86FC9CF9-3ADA-47F7-9D4D-7467E612EFB1}\mpengine.dll
2011-08-07 11:58 . 2011-08-07 11:58 -------- d-----w- c:\users\John\AppData\Roaming\Avira
2011-08-07 03:09 . 2011-05-24 23:14 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-08-06 20:13 . 2011-08-13 22:40 88288 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-06 20:13 . 2011-08-13 22:40 123784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-06 20:13 . 2011-08-06 20:13 -------- d-----w- c:\programdata\Avira
2011-08-06 20:13 . 2011-08-06 20:13 -------- d-----w- c:\program files (x86)\Avira
2011-07-31 15:12 . 2011-07-31 15:12 -------- d-----w- c:\programdata\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-07-31 14:36 . 2011-07-31 14:36 -------- d-----w- c:\users\John\AppData\Local\Solid State Networks
2011-07-31 13:56 . 2011-07-31 13:56 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-07-31 13:40 . 2011-07-31 13:40 -------- d-----w- c:\program files (x86)\Uniblue
2011-07-31 13:39 . 2011-07-31 13:39 -------- d-----w- c:\users\John\AppData\Local\PackageAware
2011-07-31 13:22 . 2011-07-31 13:22 -------- d-----w- c:\users\John\AppData\Local\Mozilla
2011-07-31 13:13 . 2011-07-31 13:13 -------- d-----w- c:\program files (x86)\WOT
2011-07-30 17:00 . 2011-07-30 17:00 -------- d-----w- c:\program files (x86)\ESET
2011-07-30 16:51 . 2011-07-30 16:51 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2011-07-30 16:51 . 2011-07-30 16:51 -------- d-----w- c:\programdata\Malwarebytes
2011-07-30 16:51 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-07-30 16:50 . 2011-07-30 16:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-07-30 16:50 . 2011-07-06 23:52 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-23 20:54 . 2011-07-23 20:56 -------- d-----w- c:\program files (x86)\SpywareBlaster
2011-07-23 20:54 . 2010-01-10 23:40 118784 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2011-07-23 20:52 . 2011-07-27 21:42 -------- d-----w- c:\users\John\AppData\Roaming\Sammsoft
2011-07-23 20:52 . 2011-07-27 21:42 -------- d-----w- c:\program files (x86)\ARO 2011
2011-07-23 18:20 . 2011-07-23 18:20 -------- d-----w- C:\ERUNT
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-18 20:39 . 2011-05-17 01:43 404640 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-08-06 12:05 . 2010-06-24 17:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-07-31 13:55 . 2011-01-20 02:15 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-07-23 20:37 . 2011-01-20 02:15 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-18 12:26 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-07-18 12:26 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-07-16 04:26 . 2011-08-13 22:44 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-06-11 03:07 . 2011-07-14 11:59 3137536 ----a-w- c:\windows\system32\win32k.sys
2011-06-06 07:36 . 2011-02-10 20:28 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-05-24 11:42 . 2011-06-29 08:20 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-05-24 10:40 . 2011-06-29 08:20 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2011-05-24 10:40 . 2011-06-29 08:20 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2011-05-24 10:39 . 2011-06-29 08:20 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37 . 2011-06-29 08:20 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-17_21.33.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2011-08-17 16:10 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-08-19 22:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-08-17 16:10 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-08-19 22:06 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-08-19 22:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-17 16:10 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-01-20 02:39 . 2011-08-17 22:07 52316 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-08-17 22:07 33102 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-01-25 22:53 . 2011-08-17 22:07 12788 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1190624232-1164676516-3757976289-1000_UserData.bin
- 2011-01-25 22:34 . 2011-08-14 07:58 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-25 22:34 . 2011-08-19 23:39 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-25 22:34 . 2011-08-19 23:39 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-01-25 22:34 . 2011-08-14 07:58 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-14 07:58 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-08-19 23:39 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-20 17:18 . 2011-08-20 17:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-08-17 21:32 . 2011-08-17 21:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-08-20 17:18 . 2011-08-20 17:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-08-17 21:32 . 2011-08-17 21:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-08-18 20:39 . 2011-08-18 20:39 243360 c:\windows\SysWOW64\Macromed\Flash\FlashUtil10v_Plugin.exe
+ 2011-01-26 15:14 . 2011-08-20 16:48 357132 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
- 2009-07-14 02:36 . 2011-08-14 16:14 626844 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-08-17 22:10 626844 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-08-17 22:10 107160 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-08-14 16:14 107160 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2011-08-20 17:17 425684 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-08-17 21:31 425684 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-07-31 14:47 . 2011-08-18 20:39 6277280 c:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
- 2011-01-25 23:11 . 2011-08-17 21:31 3346576 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-01-25 23:11 . 2011-08-20 17:17 3346576 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-01-30 14:48 . 2011-08-20 17:17 2600185 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1190624232-1164676516-3757976289-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-02-01 39408]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2009-02-03 237693]
"SPIRunE"="SPIRunE.dll" [2009-07-27 18432]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-17 98304]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160]
"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2010-03-10 237568]
"RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2010-10-01 87336]
"PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-09-18 50472]
"BDRegion"="c:\program files (x86)\Cyberlink\Shared Files\brs.exe" [2010-10-27 75048]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-09-04 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\oem\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-02 522736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"Memeo Backup Premium"="c:\program files (x86)\Memeo\AutoBackupPro\MemeoLauncher2.exe" [2010-07-28 136416]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2011-05-30 885760]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
.
c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\erunt\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 CLKMSVC10_9EC60124;CyberLink Product - 2011/01/19 20:27;c:\program files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [2010-10-27 236016]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-01 136176]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-09-04 219632]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-02-28 183560]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-01-20 79360]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-01-20 79360]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-01 136176]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2010-07-30 25072]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-09-04 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-11-06 13336]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files (x86)\Memeo\AutoBackupPro\MemeoBackgroundService.exe [2010-07-28 25824]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-06-17 434864]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [x]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - CLKMDRV10_9EC60124
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-01 22:43]
.
2011-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-01 22:43]
.
2011-07-30 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:09]
.
2011-08-20 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-05-30 2055816]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.excite.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://sslvpn.tmhs.org/CACHE/stc/1/binaries/vpnweb.cab
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\1w28n1wy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.excite.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1190624232-1164676516-3757976289-1000\Software\SecuROM\License information*]
"datasecu"=hex:19,0b,5e,84,4c,64,31,ab,cd,93,b4,52,9c,45,69,80,05,df,a0,cf,79,
15,34,07,8f,de,b4,a5,f7,aa,f9,60,07,27,17,90,c8,73,69,35,6a,eb,11,53,32,09,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE
.
**************************************************************************
.
Completion time: 2011-08-20 13:21:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-20 17:21
ComboFix2.txt 2011-08-17 21:35
.
Pre-Run: 904,862,298,112 bytes free
Post-Run: 905,846,497,280 bytes free
.
- - End Of File - - 90D9D4236706B1107E1328454B8D1A81
The ComboFix program asked to be upgraded at the beginning of the scan so I agreed. Upon generation of the log, after it rebooted, I once again could not access any files. This time I saved the log before rebooting again, so I am learning.
Please also be aware that lately I have been getting messages upon reboot, the first one looks like this:
ERU For Windos NT Unable to create file
C:\\Windows\ERDNT\AutoBackup\8-20-2011\FRDNT.INF
It goes on with a longer message about not being able to create a registry back up and then another message comes up asking something which I click no to.
Thanks again for helping me with all of this!
Hello Samwise
I am now back from my trip away (many thanks to Blottedisk for helping out).
I am reviewing your logs and will reply back to you as soon as I can.
Thank you Blottedisk!!!
Welcome back JonTom!
Hello Samwise
Okay, this is where we are at the moment.
I have checked through your recent logs and there does not appear to be anything obvious showing in terms of malware.
Can you tell me if you are receiving any popups or redirects?
How is the machine running besides the error messages you are receiving?
Please answer the above questions and provide the information requested below:
Please download SystemLook by JPShortstuff
Please download SystemLook by JPShortstuff by clicking here (http://jpshortstuff.247fixes.com/SystemLook_x64.exe) and save the file (called SystemLook.exe) to your desktop.
Right click on SystemLook.exe and select "Run as Administrator" to run the program.
Copy the content of the following codebox into the main textfield:
:dir
c:\programdata\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42} /s
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
When you ran system file checker a log may have been saved on your machine. I would like you to search for that log.
Please navigate to the following location and see if a log is present:
C:\Windows\Logs\CBS\CBS.log
If it is, please post it along with the SystemLook log and the answers to my questions :)
I am not really using the computer, until I have your clearance....so I am not seeing a lot of problems. Will proceed with your instructions. So far, rebooting, etc. seems to be working fine (excepting the error message).
SystemLook 30.07.11 by jpshortstuff
Log created at 19:55 on 21/08/2011 by John
Administrator - Elevation successful
========== dir ==========
c:\programdata\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42} - Parameters: "/s"
---Files---
{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA}.native.bitness.log --a---- 693 bytes [15:12 31/07/2011] [15:12 31/07/2011]
{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA}.native.data.log --a---- 8655 bytes [15:12 31/07/2011] [15:12 31/07/2011]
{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA}.native.elements.log --a---- 1367 bytes [15:12 31/07/2011] [15:12 31/07/2011]
{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA}.native.weight.log --a---- 586 bytes [15:12 31/07/2011] [15:12 31/07/2011]
c:\programdata\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} d------ [15:12 31/07/2011]
-= EOF =-
As for the CBS.log, when I put in the navigation string, it comes up (with a chime) "access denied". When I search for CBS.log, nothing comes up.
I am using the computer a bit more now and everything seems to be working fine. The rest of that error message at start up:
Warning
Error Saving File
C:\Windows\ERDNT\Autobackup\8-22-11\BCD!
Continue with next file?
[RegCreate Key Ex:5-Acces is Denied]
Yes
No
Clicking Yes just makes the message reappear, Clicking No makes it go away. I will be away from the computer a day or two but will be checking in.
Thanks again.
Hello Samwise
The error message you are receiving relates to ERUNT (the software you use to automatically back up your registry).
Please uninstall ERUNT and then reinstall it. Once re-installed, configure it to your preferred settings then restart your machine and let me know if you receive the same error message.
Hi, I was able to stay in town. The reboot went fine, no error messages. Is everything okay now?(please?)
Also, please provide guidance on some of the desktop icons I now have:
Erunt Setup
Security Check Shortcut
Q3-PCMCI
X16-32007
Malwarebyte-Anti-Malware
ESET-Scan
MSE Install-Shortcut
MSE Install (2)Shortcut
MSE Install (1)
Attach.txt
combofix
dds(1)-shortcut
dds(1)
dds
log
systemlook
systemlook
NTREGOPT
log001shortcut
page1log
page2
page2docx
Hello Samwise
I'm glad the re-installation solved the problem.
Is everything okay now?(please?) :D:
If everything is running smoothly I believe we are just about done. Lets remove the tools we used in the steps below:
Please Uninstall Combofix
Hold down the Windows key (has the Windows symbol on it) and press the "R" key.
A Run box will open.
Type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.
Removal of Tools
You no longer need DDS, Security Check or SystemLook. Please delete them from your machine.
All old scan logs can also be deleted, along with the MSE Installers.
ESET can be deleted/uninstalled if you wish.
MBAM and TFC are yours to keep.
NTREGOPT is a part of ERUNT and should be kept safe.
As for Q3-PCMCI and X16-32007, I never had you use anything by those names (Q3-PCMCI - could possible be related to PCMCIA backup device and X16-32007 related to Office 2010 perhaps)?
Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.
Finally, please take the time to read through the information provided below:
Enhance your System Security
For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here. (http://www.geekstogo.com/forum/Free-Antivirus-Antispyware-Software-t38.html)
IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
Once complete, remember to re-engage your resident security before going online.
Web Browsers and Browser Security
Firefox
You can download Firefox from here. (http://www.mozilla.com/en-US/firefox/)
No-Script
If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
You can download No-Script by clicking here. (https://addons.mozilla.org/en-US/firefox/addon/722)
Internet Explorer
The newest version of Internet Explorer is available from here. (http://www.microsoft.com/windows/internet-explorer/?ocid=ie8_s_94735d11-65d1-4bb8-bf6f-72d7b059a928)
Please Note: IE9 is not configured to run on XP machines.
SpywareBlaster
If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
You can download SpywareBlaster by clicking here. (http://www.javacoolsoftware.com/sbdownload.html)
Web of Trust
When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
You can download Web of Trust by clicking here. (http://www.mywot.com/)
Keep your Software Updated
Outdated software can sometimes have vulnerabilities that are exploitable by malware.
Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here. (http://secunia.com/vulnerability_scanning/online/)
Passwords
Learn how to create strong passwords by clicking here (http://www.microsoft.com/protect/yourself/password/create.mspx) and test the strength of the passwords you already use by clicking here. (http://www.microsoft.com/protect/yourself/password/checker.mspx)
General Reading
PC Safety and Security - What do I need? (http://www.techsupportforum.com/security-center/general-computer-security/115548-pc-safety-security-what-do-i-need.html)
How to prevent Malware (by Miekiemoes) (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html)
Learn How To Combat Malware
Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here. (http://forums.whatthetech.com/What_Tech_Classroom_t80368.html)
Everything seems fine. I think I went overboard on step 3 last time, so I don't really need to do anything else. I will browse with Mozilla, use Avira, and ms defender, as well as spybot. I will also work on keeping the software updated as I think this thing entered in via a java script. As for the passwords suggested by the site, I have not found anywhere that they would be accepted as they are too complex for most secure websites I use. However, I have strengthened mine considerably.
If everything goes fine for the next couple of weeks, I would like to make a donation in your honor. Thank you for your diligence and perseverance in helping me with this ***p!:crowned:
:thanks:
You are Very Welcome Samwise
Both Blottedisk and myself were happy to help.
Best wishes
JonTom
Since this problem appears to be resolved this topic is now closed.
Glad we could help :)
Best wishes
JonTom