Google (& other) re-direct malware



jchirch
2012-08-22, 05:55
Problem has plagued me for 6 days now. Spybot S&D clears it for a short time, then it reappears. The only other program I've tried was Hitman Pro--which did no good. (That was before I found this forum).

Registry is now backed up w/erunt.

DDS Log:

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by jack at 13:16:58 on 2012-08-21
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3319.1229 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\HitmanPro\hmpsched.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\NTI\NTI Backup Now EZ\BackupNowEZtray.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_TATIHVA.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Common Files\Triple Doppler Weather Warn\TrueWeather.exe
C:\Users\jack\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\jack\Documents\Desktop\aswMBR.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: LastPass Vault: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPLTarget\P0000000000000001] c:\windows\system32\spool\drivers\w32x86\3\e_tatihva.exe /ept "epltarget\P0000000000000001" /M "WorkForce 645"
uRun: [Help] rundll32.exe "c:\users\jack\appdata\local\hewlett-packard\help\ssmqu.dll",CreateInstance
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_3_300_270_Plugin.exe -update plugin
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [BackupNowEZtray] "c:\program files\nti\nti backup now ez\BackupNowEZtray.exe" -k
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRunOnce: [PCDrProfiler] "c:\program files\pc-doctor for windows\RunProfiler.exe" -r
dRun: [Help] rundll32.exe "c:\users\jack\appdata\local\hewlett-packard\help\ssmqu.dll",CreateInstance
StartupFolder: c:\users\jack\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jack\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\jack\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\triple~1.lnk - c:\program files\common files\triple doppler weather warn\TrueWeather.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\users\jack\appdata\locallow\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\users\jack\appdata\locallow\lastpass\context.html?cmd=fillforms
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: sagepub.com\online
Trusted Zone: taxactonline.com\www
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/mhebooks/support/plugins/ebraryRdr.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.caminova.net/en/downloads/getmodule.aspx?lang=en
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/e/38.09/f-6tcHDGwoY/uploader2.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://pfaff.webex.com/client/T27LD/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{93724569-BC9A-43B9-978E-303B500EC209} : DhcpNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jack\appdata\roaming\mozilla\firefox\profiles\rxw5wzzl.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn
FF - prefs.js: network.proxy.type - 0
FF - component: c:\users\jack\appdata\roaming\mozilla\firefox\profiles\rxw5wzzl.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - component: c:\users\jack\appdata\roaming\mozilla\firefox\profiles\rxw5wzzl.default\extensions\zoterowinwordintegration@zotero.org\components\zoteroWinWordIntegration.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-12 64160]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2012-6-12 16064]
R2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\common files\epson\epw!3 ssrp\E_JT50RP.EXE [2012-3-14 130944]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-8-14 105832]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\nti\nti backup now ez\BackupNowEZSvr.exe [2011-9-23 45592]
R2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\opendns updater\opendns updater.exe --run --> c:\program files\opendns updater\OpenDNS Updater.exe --run [?]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S2 CFUACProxy_boxsoftware;CFUACProxy_boxsoftware;"c:\programdata\clickfree\boxsoftware\uacproxy.exe" -s "-pc:\programdata\clickfree\boxsoftware" --> c:\programdata\clickfree\boxsoftware\UACProxy.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-25 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-7-14 250056]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2009-1-29 6016]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-25 136176]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-6-18 19968]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-4-1 23424]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-6-18 23936]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-1-25 9472]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 113120]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 rsvcdwdr;rsvcdwdr;c:\windows\system32\drivers\rsvcdwdr.sys [2012-4-2 35944]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-24 52224]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S4 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
S4 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2011-6-9 521600]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
.
=============== Created Last 30 ================
.
2012-08-20 21:51:11 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{8664f8fd-464a-4543-a7b2-9f9162f75e03}\mpengine.dll
2012-08-18 21:44:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-08-18 21:44:06 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-08-17 03:22:00 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-08-15 01:16:53 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-08-14 23:56:46 -------- d-----w- c:\program files\HitmanPro
2012-08-14 23:54:17 -------- d-----w- c:\programdata\HitmanPro
2012-08-14 23:44:24 -------- d-----w- C:\!KillBox
2012-08-14 12:34:40 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4390017a-4e1e-4c5c-8c70-e589c9f2ba9d}\gapaengine.dll
2012-08-14 11:58:13 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-13 05:45:13 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-08 11:34:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-31 11:56:17 -------- d-----w- C:\Removable Disk
.
==================== Find3M ====================
.
2012-08-14 11:39:46 259072 ----a-w- c:\windows\system32\services.exe
2012-08-08 02:42:06 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-08 02:42:06 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-12 10:19:18 12992 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2012-06-12 10:19:07 16064 ----a-w- c:\windows\system32\drivers\pssnap.sys
2012-06-12 10:19:01 53952 ----a-w- c:\windows\system32\drivers\psmounter.sys
2012-06-12 02:40:48 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 13:19:17.38 ==============


asw MBR log:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-18 19:46:03
-----------------------------
19:46:03.809 OS Version: Windows 6.1.7601 Service Pack 1
19:46:03.810 Number of processors: 2 586 0xF0B
19:46:03.812 ComputerName: ISHTAR UserName: jack
19:46:05.390 Initialize success
19:52:20.624 AVAST engine defs: 12081801
19:53:43.583 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
19:53:43.587 Disk 0 Vendor: SAMSUNG_HD250HJ FH100-05 Size: 238475MB BusType: 3
19:53:43.662 Disk 0 MBR read successfully
19:53:43.665 Disk 0 MBR scan
19:53:43.764 Disk 0 Windows 7 default MBR code
19:53:43.770 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 228918 MB offset 63
19:53:43.854 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 9554 MB offset 468824895
19:53:43.876 Disk 0 scanning sectors +488392065
19:53:43.973 Disk 0 scanning C:\Windows\system32\drivers
19:54:07.039 Service scanning
19:54:30.832 Service MpKslce660a33 C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C84E4C51-9A00-4863-8BC6-88AB31DDD7D0}\MpKslce660a33.sys **LOCKED** 32
19:54:54.951 Modules scanning
19:55:02.055 Disk 0 trace - called modules:
19:55:02.085 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys dxgkrnl.sys igdkmd32.sys dxgmms1.sys
19:55:02.095 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8631b030]
19:55:02.103 3 CLASSPNP.SYS[8bdc859e] -> nt!IofCallDriver -> [0x85e77408]
19:55:02.112 5 ACPI.sys[8bac73d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x85e78030]
19:55:02.819 AVAST engine scan C:\Windows
19:55:08.343 AVAST engine scan C:\Windows\system32
20:00:30.583 AVAST engine scan C:\Windows\system32\drivers
20:00:58.726 AVAST engine scan C:\Users\jack
20:07:06.013 Disk 0 MBR has been saved successfully to "C:\Users\jack\Documents\Desktop\MBR.dat"
20:07:06.128 The log file has been saved successfully to "C:\Users\jack\Documents\Desktop\aswMBR.txt"
20:51:18.646 AVAST engine scan C:\ProgramData
20:54:04.982 Scan finished successfully
22:46:06.024 Disk 0 MBR has been saved successfully to "C:\Users\jack\Documents\Desktop\MBR.dat"
22:46:06.131 The log file has been saved successfully to "C:\Users\jack\Documents\Desktop\aswMBR.txt"
22:44:49.056 Disk 0 MBR has been saved successfully to "C:\Users\jack\Documents\Desktop\MBR.dat"
22:44:49.385 The log file has been saved successfully to "C:\Users\jack\Documents\Desktop\aswMBR.txt"

Attach.zip is attached.

Thanks for any help you can give me. I'm a teacher, and I can't imagine working without Google searches.

Jack Chirch
Gloucester, VA

Blade81
2012-08-28, 12:25
Hi


Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

jchirch
2012-08-29, 20:48
Sorry -

Downloaded & ran Combofix per instructions (I thought), but apparently didn't get Windows firewall turned off. ComboFix is now hung (for two hours) at the "Preparing log report" screen.

What can I do now?

jchirch

jchirch
2012-08-29, 21:29
It took nearly 2.5 hours, but ComboFix just produced the following log:

ComboFix 12-08-28.03 - jack 08/29/2012 11:23:59.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3319.2559 [GMT -4:00]
Running from: c:\users\jack\Documents\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\LOG17D8.tmp
C:\LOG1DC1.tmp
C:\LOG4007.tmp
C:\LOG4674.tmp
C:\LOG4A5.tmp
C:\LOG4E72.tmp
C:\LOG8566.tmp
C:\LOG8813.tmp
C:\LOG8E1B.tmp
C:\LOG8E3F.tmp
C:\LOG9DA7.tmp
C:\LOGAEC.tmp
C:\LOGC494.tmp
C:\LOGC8ED.tmp
C:\LOGCB.tmp
c:\users\jack\AppData\Local\assembly\tmp
c:\users\jack\Documents\DPE.DUS
c:\users\jack\videos\Windows7UpgradeAdvisorSetup.exe
c:\windows\$NtUninstallKB60654$
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-29 )))))))))))))))))))))))))))))))
.
.
2012-08-29 14:58 . 2012-08-29 14:58 -------- d-----w- C:\ProcAlyzer Dumps
2012-08-29 14:51 . 2012-08-29 15:20 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-08-29 03:10 . 2012-08-29 03:10 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-08-26 18:42 . 2012-08-01 22:51 7023536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{70F79471-CC1E-4A36-9FC5-9D1A62AB0DF6}\mpengine.dll
2012-08-20 21:51 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-18 23:35 . 2012-08-18 23:36 -------- d-----w- c:\program files\ERUNT
2012-08-15 01:16 . 2012-08-15 01:16 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-08-14 23:56 . 2012-08-14 23:56 -------- d-----w- c:\program files\HitmanPro
2012-08-14 23:54 . 2012-08-15 01:16 -------- d-----w- c:\programdata\HitmanPro
2012-08-14 23:44 . 2012-08-14 23:44 -------- d-----w- C:\!KillBox
2012-08-14 12:34 . 2012-02-09 18:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4390017A-4E1E-4C5C-8C70-E589C9F2BA9D}\gapaengine.dll
2012-08-14 11:58 . 2012-08-14 11:58 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-13 05:45 . 2012-08-13 05:45 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-08 11:34 . 2012-08-14 16:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-31 11:56 . 2012-07-31 12:13 -------- d-----w- C:\Removable Disk
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-26 22:03 . 2012-07-14 11:08 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-26 22:03 . 2011-05-27 02:57 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-14 11:39 . 2009-07-13 23:11 259072 ----a-w- c:\windows\system32\services.exe
2012-06-12 10:19 . 2012-06-12 11:17 12992 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2012-06-12 10:19 . 2012-06-12 11:17 16064 ----a-w- c:\windows\system32\drivers\pssnap.sys
2012-06-12 10:19 . 2012-06-12 11:17 53952 ----a-w- c:\windows\system32\drivers\psmounter.sys
2012-06-12 02:40 . 2012-07-14 11:27 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:05 . 2012-07-14 11:17 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-14 11:17 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-14 11:17 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:19 . 2012-06-18 22:06 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-18 22:06 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-18 22:06 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-18 22:06 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-18 22:06 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-18 22:06 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-18 22:06 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-18 22:05 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-18 22:05 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33 . 2012-07-14 11:29 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-14 11:29 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-14 11:29 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-14 11:29 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-14 11:29 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45 . 2012-07-14 11:17 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45 . 2012-07-14 11:17 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40 . 2012-07-14 11:17 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40 . 2012-07-14 11:17 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39 . 2012-07-14 11:17 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-08-29 03:10 . 2011-03-23 03:31 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\jack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\jack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\jack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
"EPLTarget\P0000000000000001"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIHVA.EXE" [2011-04-24 219008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-11 150552]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2012-07-04 3527176]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"BackupNowEZtray"="c:\program files\NTI\NTI Backup Now EZ\BackupNowEZtray.exe" [2011-09-24 580632]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-07-04 3921432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PCDrProfiler"="c:\program files\PC-Doctor for Windows\RunProfiler.exe" [2009-06-26 106992]
.
c:\users\jack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\jack\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
Triple Doppler Weather Warn.lnk - c:\program files\Common Files\Triple Doppler Weather Warn\TrueWeather.exe [2009-1-8 6108672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Triple Doppler Weather Warn.lnk]
backup=c:\windows\pss\Triple Doppler Weather Warn.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Triple Doppler Weather Warn.lnk
.
[HKLM\~\startupfolder\C:^Users^jack^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
path=c:\users\jack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-09-11 04:43 67488 ----a-w- c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNowEZtray]
2011-09-24 01:51 580632 ----a-w- c:\program files\NTI\NTI Backup Now EZ\BackupNowEZtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXRCV]
2011-03-09 04:00 495616 ----a-w- c:\program files\Epson Software\FAX Utility\FUFAXRCV.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]
2011-03-09 04:00 856064 ----a-w- c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-11 21:15 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-11 21:15 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-03-29 19:41 222128 ----a-w- c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2011-08-10 20:39 1313640 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 11:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-11 21:15 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinterShare]
2011-09-08 16:12 1124352 ----a-w- c:\program files\PrinterShare\paConsole.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 15:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
2007-04-07 10:56 54936 ----a-w- c:\windows\System32\jureg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-07-29 14:16 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 14:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe
.
R2 CFUACProxy_boxsoftware;CFUACProxy_boxsoftware;c:\programdata\Clickfree\BoxSoftware\UACProxy.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [x]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [x]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 rsvcdwdr;rsvcdwdr;c:\windows\system32\DRIVERS\rsvcdwdr.sys [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [x]
R4 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [x]
S2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE [x]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [x]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [x]
S2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe [x]
S2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\OpenDNS Updater\OpenDNS Updater.exe [x]
S2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswFsBlk
*Deregistered* - aswMonFlt
*Deregistered* - aswRdr
*Deregistered* - aswSP
*Deregistered* - aswTdi
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 03:31]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 03:31]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: LastPass - file://c:\users\jack\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\users\jack\AppData\LocalLow\LastPass\context.html?cmd=fillforms
Trusted Zone: sagepub.com\online
Trusted Zone: taxactonline.com\www
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\jack\AppData\Roaming\Mozilla\Firefox\Profiles\rxw5wzzl.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-33423507.sys
SafeBoot-42090596.sys
SafeBoot-63491059.sys
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-HistoryKill - c:\program files\HistoryKill 2008\histkill.exe
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
MSConfigStartUp-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-PowerPanel Personal Edition User Interaction - c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe
MSConfigStartUp-SpeedUpMyPC - c:\program files\Uniblue\SpeedUpMyPC\launcher.exe
MSConfigStartUp-Update - c:\users\jack\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\kmzkybj.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]
"v5Licence0"="15-VNZ3-E979-NAE4-ZZ1P-3HMN-4TCBW2W"
"Activated"="Y"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2116)
c:\users\jack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\NTI\NTI Backup Now EZ\Pehook.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\schtasks.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\windows defender\MpCmdRun.exe
.
**************************************************************************
.
Completion time: 2012-08-29 14:21:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-29 18:21
.
Pre-Run: 57,318,105,088 bytes free
Post-Run: 57,918,021,632 bytes free
.
- - End Of File - - 3912B08BB15994E35761A9BCD0B1270F

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_30
Run by jack at 14:26:28 on 2012-08-29
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3319.2013 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\HitmanPro\hmpsched.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe
C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\NTI\NTI Backup Now EZ\BackupNowEZtray.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_TATIHVA.EXE
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Common Files\Triple Doppler Weather Warn\TrueWeather.exe
C:\Users\jack\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: LastPass Vault: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPLTarget\P0000000000000001] c:\windows\system32\spool\drivers\w32x86\3\e_tatihva.exe /ept "epltarget\P0000000000000001" /M "WorkForce 645"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [BackupNowEZtray] "c:\program files\nti\nti backup now ez\BackupNowEZtray.exe" -k
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRunOnce: [PCDrProfiler] "c:\program files\pc-doctor for windows\RunProfiler.exe" -r
StartupFolder: c:\users\jack\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jack\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\jack\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\triple~1.lnk - c:\program files\common files\triple doppler weather warn\TrueWeather.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\users\jack\appdata\locallow\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\users\jack\appdata\locallow\lastpass\context.html?cmd=fillforms
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
Trusted Zone: sagepub.com\online
Trusted Zone: taxactonline.com\www
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/mhebooks/support/plugins/ebraryRdr.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.caminova.net/en/downloads/getmodule.aspx?lang=en
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/e/38.09/f-6tcHDGwoY/uploader2.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://pfaff.webex.com/client/T27LD/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{93724569-BC9A-43B9-978E-303B500EC209} : DhcpNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jack\appdata\roaming\mozilla\firefox\profiles\rxw5wzzl.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-12 64160]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2012-6-12 16064]
R2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\common files\epson\epw!3 ssrp\E_JT50RP.EXE [2012-3-14 130944]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-8-14 105832]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\nti\nti backup now ez\BackupNowEZSvr.exe [2011-9-23 45592]
R2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\opendns updater\opendns updater.exe --run --> c:\program files\opendns updater\OpenDNS Updater.exe --run [?]
R2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2012-6-12 224960]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S2 CFUACProxy_boxsoftware;CFUACProxy_boxsoftware;"c:\programdata\clickfree\boxsoftware\uacproxy.exe" -s "-pc:\programdata\clickfree\boxsoftware" --> c:\programdata\clickfree\boxsoftware\UACProxy.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-25 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2009-1-29 6016]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-25 136176]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-6-18 19968]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-4-1 23424]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-6-18 23936]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-1-25 9472]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 114144]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 rsvcdwdr;rsvcdwdr;c:\windows\system32\drivers\rsvcdwdr.sys [2012-4-2 35944]
S3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-8-29 1188896]
S3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-8-29 1395736]
S3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2012-8-29 166528]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-24 52224]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-30 1343400]
S4 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
S4 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2011-6-9 521600]
.
=============== Created Last 30 ================
.
2012-08-29 15:39:41 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-29 15:36:05 -------- d-----w- c:\users\jack\appdata\local\temp
2012-08-29 15:06:48 98816 ----a-w- c:\windows\sed.exe
2012-08-29 15:06:48 518144 ----a-w- c:\windows\SWREG.exe
2012-08-29 15:06:48 256000 ----a-w- c:\windows\PEV.exe
2012-08-29 15:06:48 208896 ----a-w- c:\windows\MBR.exe
2012-08-29 14:58:16 -------- d-----w- C:\ProcAlyzer Dumps
2012-08-29 14:51:13 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-08-29 14:51:07 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-08-29 03:10:54 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2012-08-26 18:42:14 7023536 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{70f79471-cc1e-4a36-9fc5-9d1a62ab0df6}\mpengine.dll
2012-08-20 21:51:11 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-08-15 01:16:53 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-08-14 23:56:46 -------- d-----w- c:\program files\HitmanPro
2012-08-14 23:54:17 -------- d-----w- c:\programdata\HitmanPro
2012-08-14 23:44:24 -------- d-----w- C:\!KillBox
2012-08-14 12:34:40 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4390017a-4e1e-4c5c-8c70-e589c9f2ba9d}\gapaengine.dll
2012-08-14 11:58:13 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-13 05:45:13 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-08 11:34:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-31 11:56:17 -------- d-----w- C:\Removable Disk
.
==================== Find3M ====================
.
2012-08-26 22:03:53 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-26 22:03:53 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-14 11:39:46 259072 ----a-w- c:\windows\system32\services.exe
2012-06-12 10:19:18 12992 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2012-06-12 10:19:07 16064 ----a-w- c:\windows\system32\drivers\pssnap.sys
2012-06-12 10:19:01 53952 ----a-w- c:\windows\system32\drivers\psmounter.sys
2012-06-12 02:40:48 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 14:27:07.17 ===============

Blade81
2012-08-29, 22:12
Hi again,


Open notepad and copy/paste the text in the quotebox below into it:



DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version... Note: even the latest version has a

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 34 (http://www.oracle.com/technetwork/java/javase/downloads/index.html).
Click the Download button to the right.
Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u34-windows-i586.exe to install the newest version.


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.



Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
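One way to automate what the CFScript step above does, as an added example that is not part of this thread, of DDS or of ComboFix: it parses the BHO (browser helper object) and TB (toolbar) lines of a DDS log, flags the entries DDS reports as "No File" (CLSIDs still registered in IE although the plugin file is gone) and writes them out in the DDS:: section form the helper used. The sample input is assembled from the DDS log lines quoted in this thread; the function names are my own.

```python
import re

# Sample DDS "Pseudo HJT Report" lines, assembled from the logs quoted in this
# thread. Orphaned entries have no name and point at "No File"; live entries
# carry the plugin name and the on-disk path.
SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
"""

# "KIND: [name: ]{CLSID} - target" where KIND is BHO or TB. The optional name
# group is lazy so it stops at the ": " that precedes the CLSID.
CLSID = r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}"
ENTRY_RE = re.compile(
    r"^(?P<kind>BHO|TB):\s+"
    r"(?:(?P<name>.*?):\s+)?"
    r"(?P<clsid>" + CLSID + r")\s+-\s+"
    r"(?P<target>.*)$"
)


def parse_entries(log_text):
    """Return one dict per BHO/TB line in a DDS log; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "kind": m["kind"],
            "name": m["name"],            # None for orphaned entries
            "clsid": m["clsid"],
            "target": m["target"].strip(),
            "orphaned": m["target"].strip() == "No File",
        })
    return entries


def orphaned_entries(log_text):
    """Entries whose CLSID is still registered but whose file is gone.

    These are dangling registry references (leftovers of uninstalled or
    already-removed plugins), which is why a helper scripts them for cleanup
    rather than treating them as a live infection."""
    return [e for e in parse_entries(log_text) if e["orphaned"]]


def build_cfscript(log_text):
    """Emit a CFScript DDS:: section listing the orphaned entries in the same
    'KIND: {CLSID} - No File' form that DDS printed them, one per line."""
    lines = ["DDS::"]
    for e in orphaned_entries(log_text):
        lines.append(f"{e['kind']}: {e['clsid']} - No File")
    return "\n".join(lines) + "\n"


def live_entries_for_review(log_text):
    """Entries that do point at a file; a helper still eyeballs these, so
    return (name, path) pairs instead of scripting anything for them."""
    return [(e["name"], e["target"]) for e in parse_entries(log_text) if not e["orphaned"]]


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_DDS))
    for name, path in live_entries_for_review(SAMPLE_DDS):
        print(f"review: {name} -> {path}")
```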

jchirch
2012-08-30, 06:01
I've run the new CF scan (after running the script), I've updated Java (to J7 u6), then an ESET online scan (no log, as it found no threats), and a fresh dds scan (log pasted below).

ComboFix 12-08-28.03 - jack 08/29/2012 16:36:12.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3319.2034 [GMT -4:00]
Running from: c:\users\jack\Documents\Desktop\ComboFix.exe
Command switches used :: c:\users\jack\Documents\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-28 to 2012-08-29 )))))))))))))))))))))))))))))))
.
.
2012-08-29 20:44 . 2012-08-29 20:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-29 15:36 . 2012-08-29 20:44 -------- d-----w- c:\users\jack\AppData\Local\temp
2012-08-29 14:58 . 2012-08-29 14:58 -------- d-----w- C:\ProcAlyzer Dumps
2012-08-29 14:51 . 2009-01-25 16:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-08-29 14:51 . 2012-08-29 15:20 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-08-29 03:10 . 2012-08-29 03:10 73696 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2012-08-26 18:42 . 2012-08-01 22:51 7023536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{70F79471-CC1E-4A36-9FC5-9D1A62AB0DF6}\mpengine.dll
2012-08-20 21:51 . 2012-07-16 06:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-18 23:35 . 2012-08-18 23:36 -------- d-----w- c:\program files\ERUNT
2012-08-15 01:16 . 2012-08-15 01:16 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-08-14 23:56 . 2012-08-14 23:56 -------- d-----w- c:\program files\HitmanPro
2012-08-14 23:54 . 2012-08-15 01:16 -------- d-----w- c:\programdata\HitmanPro
2012-08-14 23:44 . 2012-08-14 23:44 -------- d-----w- C:\!KillBox
2012-08-14 12:34 . 2012-02-09 18:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4390017A-4E1E-4C5C-8C70-E589C9F2BA9D}\gapaengine.dll
2012-08-14 11:58 . 2012-08-14 11:58 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-13 05:45 . 2012-08-13 05:45 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-08 11:34 . 2012-08-14 16:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-31 11:56 . 2012-07-31 12:13 -------- d-----w- C:\Removable Disk
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-26 22:03 . 2012-07-14 11:08 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-26 22:03 . 2011-05-27 02:57 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-14 11:39 . 2009-07-13 23:11 259072 ----a-w- c:\windows\system32\services.exe
2012-06-12 10:19 . 2012-06-12 11:17 12992 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2012-06-12 10:19 . 2012-06-12 11:17 16064 ----a-w- c:\windows\system32\drivers\pssnap.sys
2012-06-12 10:19 . 2012-06-12 11:17 53952 ----a-w- c:\windows\system32\drivers\psmounter.sys
2012-06-12 02:40 . 2012-07-14 11:27 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:05 . 2012-07-14 11:17 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05 . 2012-07-14 11:17 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03 . 2012-07-14 11:17 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:19 . 2012-06-18 22:06 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-18 22:06 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-18 22:06 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-18 22:06 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-18 22:06 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-18 22:06 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-18 22:06 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-18 22:05 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-18 22:05 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33 . 2012-07-14 11:29 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25 . 2012-07-14 11:29 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25 . 2012-07-14 11:29 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20 . 2012-07-14 11:29 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16 . 2012-07-14 11:29 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45 . 2012-07-14 11:17 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45 . 2012-07-14 11:17 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40 . 2012-07-14 11:17 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40 . 2012-07-14 11:17 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39 . 2012-07-14 11:17 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-08-29 03:10 . 2011-03-23 03:31 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\jack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\jack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\jack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2010-11-20 144384]
"EPLTarget\P0000000000000001"="c:\windows\system32\spool\DRIVERS\W32X86\3\E_TATIHVA.EXE" [2011-04-24 219008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2010-10-12 979328]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-11 150552]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2012-07-04 3527176]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"BackupNowEZtray"="c:\program files\NTI\NTI Backup Now EZ\BackupNowEZtray.exe" [2011-09-24 580632]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-07-04 3921432]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PCDrProfiler"="c:\program files\PC-Doctor for Windows\RunProfiler.exe" [2009-06-26 106992]
.
c:\users\jack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\jack\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
Triple Doppler Weather Warn.lnk - c:\program files\Common Files\Triple Doppler Weather Warn\TrueWeather.exe [2009-1-8 6108672]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Triple Doppler Weather Warn.lnk]
backup=c:\windows\pss\Triple Doppler Weather Warn.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Triple Doppler Weather Warn.lnk
.
[HKLM\~\startupfolder\C:^Users^jack^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
path=c:\users\jack\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-09-11 04:43 67488 ----a-w- c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNowEZtray]
2011-09-24 01:51 580632 ----a-w- c:\program files\NTI\NTI Backup Now EZ\BackupNowEZtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXRCV]
2011-03-09 04:00 495616 ----a-w- c:\program files\Epson Software\FAX Utility\FUFAXRCV.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FUFAXSTM]
2011-03-09 04:00 856064 ----a-w- c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-11 21:15 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
2007-04-18 15:01 65536 ----a-w- c:\hp\support\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-11 21:15 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-03-29 19:41 222128 ----a-w- c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2011-08-10 20:39 1313640 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 11:59 118784 ----a-w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-11 21:15 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinterShare]
2011-09-08 16:12 1124352 ----a-w- c:\program files\PrinterShare\paConsole.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 15:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateReg]
2007-04-07 10:56 54936 ----a-w- c:\windows\System32\jureg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-07-29 14:16 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 14:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe
.
R2 CFUACProxy_boxsoftware;CFUACProxy_boxsoftware;c:\programdata\Clickfree\BoxSoftware\UACProxy.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\Drivers\motoandroid.sys [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [x]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [x]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [x]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [x]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 rsvcdwdr;rsvcdwdr;c:\windows\system32\DRIVERS\rsvcdwdr.sys [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [x]
R4 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\DRIVERS\pssnap.sys [x]
S2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE [x]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [x]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [x]
S2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe [x]
S2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\OpenDNS Updater\OpenDNS Updater.exe [x]
S2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswFsBlk
*Deregistered* - aswMonFlt
*Deregistered* - aswRdr
*Deregistered* - aswSP
*Deregistered* - aswTdi
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 03:31]
.
2012-08-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-26 03:31]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: LastPass - file://c:\users\jack\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\users\jack\AppData\LocalLow\LastPass\context.html?cmd=fillforms
Trusted Zone: sagepub.com\online
Trusted Zone: taxactonline.com\www
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\jack\AppData\Roaming\Mozilla\Firefox\Profiles\rxw5wzzl.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]
"v5Licence0"="15-VNZ3-E979-NAE4-ZZ1P-3HMN-4TCBW2W"
"Activated"="Y"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1720)
c:\users\jack\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\NTI\NTI Backup Now EZ\Pehook.DLL
.
Completion time: 2012-08-29 19:21:48
ComboFix-quarantined-files.txt 2012-08-29 23:21
ComboFix2.txt 2012-08-29 18:21
.
Pre-Run: 58,006,282,240 bytes free
Post-Run: 57,943,535,616 bytes free
.
- - End Of File - - 825271BB4CF6C35000F5E89345D03BAC



DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.6.2
Run by jack at 22:58:06 on 2012-08-29
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3319.1886 [GMT -4:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\HitmanPro\hmpsched.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_JT50RP.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe
C:\Program Files\OpenDNS Updater\OpenDNS Updater.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\NTI\NTI Backup Now EZ\BackupNowEZtray.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_TATIHVA.EXE
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: LastPass Vault: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPLTarget\P0000000000000001] c:\windows\system32\spool\drivers\w32x86\3\e_tatihva.exe /ept "epltarget\P0000000000000001" /M "WorkForce 645"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [BackupNowEZtray] "c:\program files\nti\nti backup now ez\BackupNowEZtray.exe" -k
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [PCDrProfiler] "c:\program files\pc-doctor for windows\RunProfiler.exe" -r
StartupFolder: c:\users\jack\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jack\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\jack\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\triple~1.lnk - c:\program files\common files\triple doppler weather warn\TrueWeather.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: LastPass - file://c:\users\jack\appdata\locallow\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\users\jack\appdata\locallow\lastpass\context.html?cmd=fillforms
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
Trusted Zone: sagepub.com\online
Trusted Zone: taxactonline.com\www
DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} - hxxp://site.ebrary.com/lib/mhebooks/support/plugins/ebraryRdr.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.caminova.net/en/downloads/getmodule.aspx?lang=en
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/e/38.09/f-6tcHDGwoY/uploader2.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://pfaff.webex.com/client/T27LD/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{93724569-BC9A-43B9-978E-303B500EC209} : DhcpNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jack\appdata\roaming\mozilla\firefox\profiles\rxw5wzzl.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_265.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-12 64160]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2012-6-12 16064]
R2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);c:\program files\common files\epson\epw!3 ssrp\E_JT50RP.EXE [2012-3-14 130944]
R2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-8-14 105832]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\nti\nti backup now ez\BackupNowEZSvr.exe [2011-9-23 45592]
R2 OpenDNS Updater.exe;OpenDNS Updater;c:\program files\opendns updater\opendns updater.exe --run --> c:\program files\opendns updater\OpenDNS Updater.exe --run [?]
R2 ReflectService.exe;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2012-6-12 224960]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]
S2 CFUACProxy_boxsoftware;CFUACProxy_boxsoftware;"c:\programdata\clickfree\boxsoftware\uacproxy.exe" -s "-pc:\programdata\clickfree\boxsoftware" --> c:\programdata\clickfree\boxsoftware\UACProxy.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-25 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [2009-1-29 6016]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-25 136176]
S3 motandroidusb;Mot ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [2009-7-10 25856]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-6-18 19968]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-1-29 8320]
S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [2010-4-1 23424]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-6-18 23936]
S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [2010-1-25 9472]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-3 114144]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 rsvcdwdr;rsvcdwdr;c:\windows\system32\drivers\rsvcdwdr.sys [2012-4-2 35944]
S3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-8-29 1188896]
S3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-8-29 1395736]
S3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2012-8-29 166528]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-24 52224]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-30 1343400]
S4 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
S4 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\epson\epsoncustomerparticipation\EPCP.exe [2011-6-9 521600]
.
=============== Created Last 30 ================
.
2012-08-30 02:18:00 -------- d-----w- c:\program files\ESET
2012-08-30 02:11:32 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-30 02:11:21 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-08-29 20:46:09 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-29 15:36:05 -------- d-----w- c:\users\jack\appdata\local\temp
2012-08-29 15:06:48 98816 ----a-w- c:\windows\sed.exe
2012-08-29 15:06:48 518144 ----a-w- c:\windows\SWREG.exe
2012-08-29 15:06:48 256000 ----a-w- c:\windows\PEV.exe
2012-08-29 15:06:48 208896 ----a-w- c:\windows\MBR.exe
2012-08-29 14:58:16 -------- d-----w- C:\ProcAlyzer Dumps
2012-08-29 14:51:13 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-08-29 14:51:07 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-08-29 03:10:54 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2012-08-26 18:42:14 7023536 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{70f79471-cc1e-4a36-9fc5-9d1a62ab0df6}\mpengine.dll
2012-08-20 21:51:11 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-08-15 01:16:53 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-08-14 23:56:46 -------- d-----w- c:\program files\HitmanPro
2012-08-14 23:54:17 -------- d-----w- c:\programdata\HitmanPro
2012-08-14 23:44:24 -------- d-----w- C:\!KillBox
2012-08-14 12:34:40 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4390017a-4e1e-4c5c-8c70-e589c9f2ba9d}\gapaengine.dll
2012-08-14 11:58:13 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-13 05:45:13 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-08 11:34:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-31 11:56:17 -------- d-----w- C:\Removable Disk
.
==================== Find3M ====================
.
2012-08-30 02:11:10 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-26 22:03:53 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-26 22:03:53 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-14 11:39:46 259072 ----a-w- c:\windows\system32\services.exe
2012-06-12 10:19:18 12992 ----a-w- c:\windows\system32\drivers\PSVolAcc.sys
2012-06-12 10:19:07 16064 ----a-w- c:\windows\system32\drivers\pssnap.sys
2012-06-12 10:19:01 53952 ----a-w- c:\windows\system32\drivers\psmounter.sys
2012-06-12 02:40:48 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 22:59:17.11 ===============

Blade81
2012-08-30, 07:31
I've updated Java (to J7 u6)
There's a known unpatched vulnerability in Java 7 that malware people are actively exploiting. That's why I instructed you to install Java 6 Update 34 (the latest in the Java 6 series, which may not have the vulnerability Java 7 has). An even safer option is to uninstall Java entirely unless it's absolutely needed.

jchirch
2012-08-30, 15:10
I've removed Java (all versions) from this machine. Right now, its only apparent problem is an inability to start some SS&D components.
----
"SDCleaner.exe - System Error: The program can't start because DEC150.bpl is missing from your computer. Try reinstalling the program to fix this problem."
----
This is followed by a similar error for another SD component.

Thanks for your perseverance!

Blade81
2012-08-31, 08:07
Hi,

Please try to reinstall Spybot (uninstall first).

jchirch
2012-08-31, 16:56
Removed Spybot S&D .0.7 beta5 and installed 1.6.2. Found two problems, and removed them. No more error messages, and no more re-directs.

Do I need to run another scan before declaring victory?

jchirch

PS: I really appreciate your time and effort---and your patience. I've made a donation to say, 'Thanks'

jchirch
2012-08-31, 16:57
Removed 2.0.7

jchirch
2012-09-01, 01:00
Although everything else seems to work, Windows Update is unable to download the selected updates, and returns the error code:

"Code 80246008 Windows Update encountered an unknown error"

Don't know if this is part of the problem we've been working on, but it's never happened before.

Blade81
2012-09-01, 10:10
Hi,

It's possible the update issue is related to this same problem.

Please download Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe) and run it on the computer with the issue.
Check these boxes:
-Internet Services
-Windows Firewall
-System Restore
-Security Center
-Windows Update
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run from.
Please copy and paste the log to your reply.

jchirch
2012-09-01, 15:12
Farbar Service Scanner Version: 06-08-2012
Ran by jack (administrator) on 01-09-2012 at 08:08:07
Running from "C:\Users\jack\Documents\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Blade81
2012-09-01, 17:26
Hi,

Download this (http://download.bleepingcomputer.com/win-services/7/BITS.reg) file to your desktop. Then run it and allow merging. Reboot and run the service scanner again. Post back the log.

Note: the file is meant to be used in this specific topic case only. Using it elsewhere may render the system unbootable.

jchirch
2012-09-02, 05:29
Here's the service scan immediately afterward:
Farbar Service Scanner Version: 06-08-2012
Ran by jack (administrator) on 01-09-2012 at 22:23:00
Running from "C:\Users\jack\Documents\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

Blade81
2012-09-02, 10:58
Hi,

Press the Windows key + R and type services.msc into the Run box. Look for Background Intelligent Transfer Service and start it if its status is not Running. When done, try to run Windows Update again.

jchirch
2012-09-02, 15:57
It doesn't appear in the list of local services. Nothing of similar name, either.

Blade81
2012-09-02, 16:33
Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fetch.bat, change the Save as type to all files and save it to your desktop.

@ECHO OFF
REGEDIT /E "%USERPROFILE%\Desktop\bits.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS"
DEL %0

Right click on the fetch.bat file and select "Run as administrator" to execute it. A bits.txt file should appear on your desktop. Attach the file to your post.

jchirch
2012-09-02, 18:09
Blade81 -

Here are the contents of BITs.txt

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:000007d2
"Last Counter"=dword:000007e2
"First Help"=dword:000007d3
"Last Help"=dword:000007e3
"Object List"="2002"
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
00,20,02,00,00

Thanks,

Jack Chirch
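
As an added example (not from this thread, nor part of Farbar Service Scanner or any Safer Networking tool), here is a small Python parser for the Regedit 5.00 export that fetch.bat produces. It decodes the hex(2) REG_EXPAND_SZ and hex(7) REG_MULTI_SZ values in bits.txt and compares ImagePath, ServiceDll and Start against the values FSS reported as OK above; the embedded sample is a constructed, trimmed copy of the export Jack posted, and the expected defaults are taken from that log.

```python
import re

# Constructed sample: a trimmed copy of the bits.txt export posted above.
# The hex runs are the UTF-16LE bytes of the strings they decode to.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
'''

BITS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS"
# Healthy values for the Windows 7 BITS service, as confirmed by the FSS log above.
EXPECTED = {
    "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "ServiceDll": r"%SystemRoot%\System32\qmgr.dll",   # lives under \Parameters
    "Start": 2,                                        # Automatic
}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _logical_lines(text):
    """Yield lines with Regedit's trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\") and not buf.startswith("["):
            buf = buf[:-1]          # continued on the next line; keep accumulating
            continue
        if buf:
            yield buf
        buf = ""


def _decode(value):
    """Decode one Regedit value literal into a Python object."""
    if value.startswith('"'):                       # REG_SZ written as a quoted string
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if value.startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", value)
    if not m:
        raise ValueError("unsupported value syntax: " + value)
    kind = int(m.group(1) or 3)                     # bare "hex:" is REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in (1, 2):                              # REG_SZ / REG_EXPAND_SZ in UTF-16LE
        return data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                                   # REG_MULTI_SZ: NUL-separated, double-NUL end
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: value}}."""
    reg, key = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key is not None:
            m = _VALUE_RE.match(line)
            if m:
                reg[key][m.group(1)] = _decode(m.group(2))
    return reg


def audit_bits(text):
    """Return a list of findings for a bits.txt export (empty list = BITS looks healthy)."""
    reg = parse_reg(text)
    svc = reg.get(BITS_KEY)
    if svc is None:
        return ["BITS service key is missing"]
    params = reg.get(BITS_KEY + r"\Parameters", {})
    findings = []
    for name, want in EXPECTED.items():
        got = params.get(name) if name == "ServiceDll" else svc.get(name)
        if got is None:          # the case FSS flagged as "The value does not exist"
            findings.append(f"{name} value does not exist")
        elif got != want:
            findings.append(f"{name} is {got!r}, expected {want!r}")
    return findings
```

Run audit_bits() on the contents of a real bits.txt to get the same three checks FSS prints under "Windows Update".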

Blade81
2012-09-02, 23:20
Hi Jack,

Please reboot and see if Windows Update still has the same issue.

jchirch
2012-09-03, 00:09
Re-booted & ran Windows Update. It finally connected & downloaded 12 of 14 updates, then showed the same "Windows encountered an unknown error" message. A second try produced "Downloaded 1 of 2; Windows encountered an unknown error". When I rebooted & tried a third time, Windows Update found no important updates available.

Kind of odd behavior, but I got my updates, and I don't have any problems with re-directs.

If you're satisfied, I am. Any advice re: anti-malware software?

Jack Chirch

Blade81
2012-09-03, 07:50
Hi,

Since it was now able to download updates from Windows Update, that issue should be under control (if there were still a problem with WU itself, none of the updates could have been downloaded).


Any advice re: anti-malware software?
Together with Spybot you might want to give Malwarebytes' Anti-Malware (http://www.malwarebytes.org/) a try.


Let's see the final steps next :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.

B. Reboot.

C. Turn ON System Restore.
Follow the same steps you used when disabling System Restore, but at step 7 select the "Restore system settings and previous versions of files" option.


Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK




UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.


Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings. Leave the program installed so you'll stay alerted to vulnerable components in future too.

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

jchirch
2012-09-04, 05:17
*I have turned off System Restore, re-booted & re-enabled it to reset.
*I've un-installed ComboFix (which is a little scary--the installer/uninstaller displays the 'install' screens until the uninstall finishes) . . . but you probably knew that.
*I've installed Malware Bytes (it found one item)
*I've installed Secunia PSI (found none)
I'm set up for automatic Windows Update.

Thank you, Blade, for devoting the time and effort to cleaning up this machine. Here's to ya!

Jack

Blade81
2012-09-04, 07:30
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.