
Thread: Win32.AutoRun.tmp won't go away

  1. #1 tonymorri10 (Junior Member, joined Jun 2010, 1 post)

    Win32.AutoRun.tmp won't go away

    Hello all,

    Usually I can fix/remove any viruses I get, but this one is stubborn. Spybot detects it and removes it, but it comes back after every reboot and I cannot find a way to nuke it permanently. Here is what I have done.

    Spybot always finds the following entry located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

    C:\Users\tmorris.CORP\AppData\Roaming\vlyvcj.exe

    I have run Spybot's newest version and removed it.
    I have run McAfee version 8.7i and detected nothing.
    I have run Ad-Aware and detected nothing.
    I have run Malwarebytes and removed it.

    As always, after a reboot, it is back. It is currently being blocked in ZoneAlarm, so it is crippled, but I just can't get rid of it. Attached are the 2 DDS reports.

    Any ideas you guys can give would be greatly appreciated.

    Update. I noticed that, when I ask Spybot to remove this entry, it IMMEDIATELY reappears. So there is something running in the background that constantly checks and re-adds the entry.

    Another minor update. I find this file in the c:/windows/prefetch directory:

    VLYVCJ.EXE-93F1BAC4.pf

    If I delete it, it comes back upon reboot. I have NOT seen it reappear immediately like the registry entry.

    Also, as a side note, I blocked the registry entry via TeaTimer and it constantly reappears and is blocked by TeaTimer. Still no idea of the root cause though.

    It seems like this is somehow integrated into explorer.exe.

    If I run Process Explorer, it finds the file (see attached screenshot), but I do not see how to alter explorer.exe in order to delete this entry.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by TMorris at 8:30:23.23 on Sat 06/05/2010
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.2042.625 [GMT -4:00]

    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\ZoneLabs\vsmon.exe
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\AEADISRV.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe
    C:\Program Files\Hewlett-Packard\Embedded Security Software\ifxtcs.exe
    C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Windows\system32\mfevtps.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
    C:\Program Files\Hewlett-Packard\Embedded Security Software\IfxPsdSv.exe
    C:\Windows\system32\PGPserv.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Windows\system32\rpcnet.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\UI0Detect.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\VolCtrl.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
    C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
    C:\Users\tmorris.CORP\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
    C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
    C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\regedit.exe
    C:\Users\tmorris.CORP\Downloads\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://atwork.intraweb.lpl.com/Pages/Default.aspx
    uDefault_Page_URL = hxxp://atwork.intraweb.lpl.com/Pages/Default.aspx
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
    mURLSearchHooks: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
    mWinlogon: Taskman=c:\users\tmorris.corp\appdata\roaming\vlyvcj.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: File Sanitizer for HP ProtectTools: {3134413b-49b4-425c-98a5-893c1f195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
    BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - No File
    TB: ZoneAlarm Toolbar: {66f2e20d-0da8-4c11-a9c8-dd8477b88acd} - c:\program files\zonealarm\tbZone.dll
    TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
    mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
    mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
    mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
    mRun: [IFXSPMGT] "c:\program files\hewlett-packard\embedded security software\ifxspmgt.exe" /NotifyLogon
    mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
    mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
    StartupFolder: c:\users\tmorri~1.cor\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\tmorris.corp\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{97a996cf-fc9d-4676-a1bf-a55ac497e854}\Icon6560581611.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{21e247d4-5e27-4bea-aa4d-19a81203fe2a}\Icon3E5562ED7.ico
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel
    IE: Se&nd to OneNote
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    LSP: c:\windows\system32\PGPlsp.dll
    Trusted Zone: lpl.com\vncsblwebprd.ncprod
    DPF: {2203BFCF-9541-41B6-931D-CEB34F81DB0D}
    DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566}
    DPF: {60CD4076-F4B6-4F8B-AF3E-61B200346DD9}
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
    DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C}
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F}
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: DeviceNP - DeviceNP.dll
    STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\stardock\fences\FencesMenu.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
    LSA: Notification Packages = scecli PGPpwflt PGPpwflt
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\tmorri~1.cor\appdata\roaming\mozilla\firefox\profiles\6kvzqo0x.default\
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\progra~1\micros~1\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~1\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\users\tmorris.corp\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: c:\users\tmorris.corp\appdata\local\huludesktop\instances\0.9.10.1\nphdplg.dll
    FF - plugin: c:\users\tmorris.corp\appdata\roaming\mozilla\firefox\profiles\6kvzqo0x.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============

    R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2009-7-29 482176]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-4-30 29472]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

    =============== Created Last 30 ================

    2010-06-05 04:04:30 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\Malwarebytes
    2010-06-05 04:03:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-05 04:03:31 0 d-----w- c:\programdata\Malwarebytes
    2010-06-05 04:03:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-05 04:03:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-05 03:28:11 0 d-----w- c:\program files\Trend Micro
    2010-06-02 21:28:43 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\Safer Networking
    2010-06-02 21:25:06 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
    2010-06-02 21:24:21 242992 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2010-06-02 21:24:21 210216 ----a-w- c:\windows\system32\SynCtrl.dll
    2010-06-02 21:24:21 173352 ----a-w- c:\windows\system32\SynCOM.dll
    2010-06-02 21:24:21 165160 ----a-w- c:\windows\system32\SynTPAPI.dll
    2010-06-02 21:24:21 120104 ----a-w- c:\windows\system32\SynTPCo4.dll
    2010-06-02 21:23:03 0 d-----w- c:\programdata\Intel
    2010-06-02 21:21:51 0 d-----w- c:\program files\common files\Intel
    2010-06-02 21:17:00 6758912 ----a-w- c:\windows\system32\drivers\NETw5s32.sys
    2010-06-02 21:13:29 0 d-----w- c:\programdata\CyberLink
    2010-06-02 21:13:06 0 d-----w- c:\program files\common files\CyberLink
    2010-06-02 21:09:16 29480 ----a-w- c:\windows\system32\msxml3a.dll
    2010-06-02 21:09:03 0 d-----w- c:\programdata\Temp
    2010-06-02 21:04:36 0 d-----w- c:\program files\Safer Networking
    2010-06-01 15:34:30 0 d-----w- c:\windows\IswTmp
    2010-06-01 15:25:59 0 d-----w- c:\program files\Network and Security Manager
    2010-06-01 15:25:58 0 d--h--w- c:\program files\Zero G Registry
    2010-06-01 15:25:03 0 d--h--w- c:\users\tmorris.corp\InstallAnywhere
    2010-05-28 23:45:47 0 d-----w- c:\program files\Conduit
    2010-05-28 23:45:46 0 d-----w- c:\program files\ZoneAlarm
    2010-05-27 17:08:46 0 d-----w- c:\program files\VideoLAN
    2010-05-27 14:25:18 808240 ----a-w- c:\windows\system32\imagxra7.dll
    2010-05-27 14:25:18 497296 ----a-r- c:\windows\system32\imagxpr7.dll
    2010-05-27 14:25:18 263472 ----a-w- c:\windows\system32\imagxr7.dll
    2010-05-27 14:25:18 1762608 ----a-w- c:\windows\system32\imagx7.dll
    2010-05-27 14:24:09 0 d-----w- c:\program files\Nero
    2010-05-27 14:21:08 39693246 ----a-w- c:\windows\file_3.exe
    2010-05-25 17:37:17 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-05-16 23:51:23 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\runic games
    2010-05-16 23:38:52 0 d-----w- c:\program files\Runic Games
    2010-05-13 18:56:54 0 d-----w- c:\users\tmorri~1.cor\appdata\roaming\Scooter Software
    2010-05-13 18:56:43 0 d-----w- c:\program files\Beyond Compare 2
    2010-05-13 14:09:40 284967462 ----a-w- c:\windows\MEMORY.DMP
    2010-05-12 14:15:21 0 d-----w- c:\program files\PingPlotter Pro
    2010-05-12 13:05:56 740864 ----a-w- c:\windows\system32\inetcomm.dll
    2010-05-07 12:52:11 0 d-----w- C:\Intel
    2010-05-07 04:08:07 7680 ----a-w- c:\windows\RemoveAuditing.exe

    ==================== Find3M ====================

    2010-06-05 11:50:51 17408 ----a-w- c:\windows\system32\rpcnetp.exe
    2010-06-05 11:50:49 56680 ----a-w- c:\windows\system32\rpcnet.dll
    2010-05-28 23:46:37 421441 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
    2010-05-26 17:03:22 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2010-05-15 20:30:50 461400 ----a-w- c:\windows\system32\drivers\vsdatant.sys
    2010-05-07 12:53:49 0 --sha-r- c:\windows\system32\drivers\103C_HP_bNB_EliteBook 8730w_Y5336AN_0U_QCNU931DNQB_EU_4A_I30EC_SHP_V91.23_68PAD F.11_T100126_WU4-0_L409_M2043_J250_7Intel_867A_92.40_#100222_N808610F5;80864236_(FM873UT#ABA)_XMOBILE_CN10_Z_2F.11_G10DE063A.MRK
    2010-04-30 18:34:51 18344 ----a-w- c:\windows\system32\drivers\btwrchid.sys
    2010-04-30 18:34:50 86056 ----a-w- c:\windows\system32\drivers\btwaudio.sys
    2010-04-30 18:34:50 29472 ----a-w- c:\windows\system32\drivers\btwl2cap.sys
    2010-04-30 18:34:50 108072 ----a-w- c:\windows\system32\drivers\btwavdt.sys
    2010-04-30 18:30:40 39712 ----a-w- c:\windows\system32\drivers\psd.sys
    2010-04-30 18:30:40 271648 ----a-w- c:\windows\system32\IfxTpmKsp.dll
    2010-04-22 16:43:58 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
    2010-04-12 16:29:11 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-12 16:29:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-04-08 17:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-04-08 17:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-04-06 15:23:16 249856 --sh--r- c:\users\tmorri~1.cor\appdata\roaming\vlyvcj.exe
    2010-03-17 00:46:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
    2010-03-17 00:46:00 1515624 ----a-w- c:\windows\system32\nvsvcr.dll
    2010-03-17 00:46:00 13684328 ----a-w- c:\windows\system32\nvcpl.dll
    2010-03-17 00:46:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
    2010-03-17 00:46:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
    2010-03-17 00:45:52 95994 ----a-w- c:\windows\system32\nvcoproc.bin
    2010-03-17 00:45:00 82024 ----a-w- c:\windows\system32\nv3dappshextr.dll
    2010-03-17 00:45:00 149608 ----a-w- c:\windows\system32\nv3dappshext.dll
    2010-03-12 15:26:36 600680 ----a-w- c:\windows\system32\nvuninst.exe
    2010-03-08 21:33:56 427520 ----a-w- c:\windows\system32\vbscript.dll
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
    2010-02-23 00:52:38 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2010-02-22 23:29:18 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2010-02-22 23:29:18 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2010-02-22 23:29:18 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
    2010-02-22 23:29:18 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2010-02-22 18:06:48 16384 --sha-w- c:\windows\temp\cookies\index.dat
    2010-02-22 18:06:48 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
    2010-02-22 18:06:48 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
    2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 8:33:07.41 ===============

    "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)
    Last edited by tashi; 2010-06-05 at 17:14. Reason: Merged 4 posts, added link to forum FAQ as to why, copy pasted log into thread
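The persistence described above (a Winlogon Taskman value pointing at a hidden, system-flagged executable in the user's roaming profile, plus a Prefetch trace) is something an analyst can audit directly. The following PowerShell script is an added example, not code from the thread or any of the tools in it; it reads the three Winlogon values that launch a program at logon (extending the Taskman finding to its siblings Shell and Userinit), flags non-stock data, user-writable locations, Hidden/System attributes and Prefetch evidence, and hashes the target for submission. It assumes PowerShell 4 or later in an elevated session and changes nothing.

```powershell
# Added example, not from the thread: read-only audit of the Winlogon values
# Windows executes at logon (the thread's Taskman pointed at %AppData%\vlyvcj.exe,
# hidden+system+read-only per the DDS log). Assumes PowerShell 4+, elevated.
$hives = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
           'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')

# Stock data for the three Winlogon values that launch a program at logon.
# Taskman has no default at all, so its mere presence is worth a look.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
    'Taskman'  = $null
}

function Get-ExecutablePath {
    # Reduce value data such as "C:\x\a.exe,b.exe" or "a.exe /arg" to the
    # first executable it names, with environment variables expanded.
    param([string]$Data)
    $first = ($Data -split ',')[0].Trim().Trim('"')
    $first = [Environment]::ExpandEnvironmentVariables($first)
    if ($first -match '^(.*?\.exe)') { $first = $Matches[1] }
    if (-not [IO.Path]::IsPathRooted($first)) {        # bare name, e.g. explorer.exe
        $first = Join-Path $env:SystemRoot $first       # the stock Shell lives here
    }
    return $first
}

function Test-WinlogonValue {
    param([string]$Hive, [string]$Name, [string]$Data)
    $reasons = New-Object System.Collections.Generic.List[string]
    $stock = $expected[$Name]
    if ($null -eq $stock) {
        $reasons.Add("'$Name' is not set on a clean install")
    } elseif ($Data.Trim() -ne $stock) {
        $reasons.Add("differs from stock data '$stock'")
    }

    $exe = Get-ExecutablePath $Data
    # Logon programs belong under the Windows folder; a user profile,
    # ProgramData or Temp location is what the thread's sample used.
    foreach ($prefix in @("$env:SystemDrive\Users\", "$env:ProgramData\", "$env:SystemRoot\Temp\")) {
        if ($exe.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons.Add("runs from user-writable location $prefix"); break
        }
    }

    $hash = $null
    if (Test-Path -LiteralPath $exe) {
        # -Force is required to see files carrying the Hidden/System bits.
        $attrs = (Get-Item -LiteralPath $exe -Force).Attributes
        if ($attrs.HasFlag([IO.FileAttributes]::Hidden)) { $reasons.Add('file is marked Hidden') }
        if ($attrs.HasFlag([IO.FileAttributes]::System)) { $reasons.Add('file is marked System') }
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    } else {
        $reasons.Add("target file not found: $exe")
    }

    # Prefetch files are named <EXE>-<hash>.pf and appear only once the
    # binary has actually run, which is how the poster spotted his.
    $pfName = [IO.Path]::GetFileName($exe) + '-*.pf'
    $pf = @(Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter $pfName -ErrorAction SilentlyContinue)
    if ($pf.Count -gt 0) { $reasons.Add("has executed: prefetch $($pf[0].Name)") }

    [pscustomobject]@{
        Hive       = $Hive
        Value      = $Name
        Data       = $Data
        Executable = $exe
        SHA256     = $hash
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$findings = foreach ($hive in $hives) {
    if (-not (Test-Path -LiteralPath $hive)) { continue }
    $props = Get-ItemProperty -LiteralPath $hive
    foreach ($name in $expected.Keys) {
        $data = $props.$name
        if (-not [string]::IsNullOrEmpty($data)) {
            Test-WinlogonValue -Hive $hive -Name $name -Data ([string]$data)
        }
    }
}

$findings | Format-List
```

On the machine in this thread the Taskman row would carry every reason at once (non-stock value, Users\ location, Hidden and System bits, and the VLYVCJ.EXE-*.pf match), which is the pattern to treat as an active persistence mechanism rather than a leftover entry.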

  2. #2 ken545 (Security Expert, joined Nov 2005, Florida's SpaceCoast, 15,208 posts)

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.



    tmorris.corp <-- Is this a corporate computer?
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
