
Thread: Security Shield has successfully been installed :(

  1. #11
    Senior Member | Join Date: Apr 2010 | Posts: 463

    Hello BananaRama

    I'm hoping that now you will tell me that I have a clean bill of health
    It's looking good so far, but let's make sure by running an online scan:


    1. Please update your Java


      • Click on "Windows Orb" (bottom left hand corner of your screen), then on "Computer" and then on the "Uninstall or Change a Program" tab.
      • Uninstall any previous versions of Java that you find (Java(TM) SE Development Kit 6 Update 24, Java(TM) SE Development Kit 7 Update 1 and Java(TM) 6 Update 29).
      • Reboot your computer.
      • Download the latest version of Java Runtime Environment (JRE) 7
      • Scroll down the page until you reach "Java Platform Standard Edition".
      • Beneath this and to the right, you will see a red button marked "JRE Download" for Java SE 7 u3
      • Click the "Download" button.
      • Accept the licence agreement.
      • Under "Product / File Description" download the jre-7u3-windows-x64.exe file for Windows x64.
      • Save the file to your desktop.
      • From your desktop double click on jre-7u3-windows-x64.exe to install the newest version.
      • Delete the downloaded installation file after completing the above procedure and reboot your system if not prompted to do so.


    2. Please run the following scan


      • Note: You will need to use Internet Explorer for this scan.
      • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
      • Please disable your real time security programs before performing the scan.



      • Scan your system with Eset Online Scanner
      • Place a check mark in the box YES, I accept the Terms Of Use.
      • Click the button.
      • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.



      • Check
      • Click the button.
      • Accept any security warnings from your browser.
      • Check
      • Make sure that the option to "Remove Found Threats" is UN checked.
      • Push the "Start" button.
      • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      • When the scan completes, push
      • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      • Push the button.
      • Push


    3. Security Check


      • Please download Security Check by screen317 from here or here and save the file (called securitycheck.exe) to your desktop.
      • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box (NOTE: If you are running Vista or Win7 please right-click and select "Run as Administrator").
      • A Notepad document should open automatically called checkup.txt; please post the contents of that document in your next reply.


      Please post the ESET log and the security check log in your next reply, along with a new set of DDS logs.
    Proud Graduate of the WTT Classroom
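An added PowerShell check for step 1 above (it is not part of JonTom's post or of any tool named in the thread): it enumerates the Java entries in the Windows Uninstall registry keys and flags those older than a target release, so stale installs like "Java(TM) 6 Update 29" or "Java(TM) SE Development Kit 7 Update 1" are not missed in the Programs list. The target version (7 Update 3, the current release at the time of the thread) and the registry paths are assumptions; the script only reports, it does not uninstall anything.

```powershell
# Added example, not from the original thread: list every Java entry under the
# Windows Uninstall keys and flag the ones older than a target release.
# Assumes Windows 7 or later with PowerShell 2.0+.

$TargetMajor  = 7   # assumption: newest supported major release at the time (Java 7)
$TargetUpdate = 3   # assumption: newest update of that release (7 Update 3)

# Native hive, the 32-bit (Wow6432Node) hive, and per-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
        ForEach-Object {
            $entry = $_
            # Oracle's display names carry "<major> Update <n>",
            # e.g. "Java(TM) 7 Update 3 (64-bit)" or "Java(TM) SE Development Kit 6 Update 24".
            # Entries without that pattern (e.g. "JavaFX 2.0.3") are listed but not judged.
            $major = $null; $update = $null
            if ($entry.DisplayName -match '(\d+)\s+Update\s+(\d+)') {
                $major  = [int]$Matches[1]
                $update = [int]$Matches[2]
            }
            $outdated = ($null -ne $major) -and
                        (($major -lt $TargetMajor) -or
                         ($major -eq $TargetMajor -and $update -lt $TargetUpdate))

            New-Object PSObject -Property @{
                DisplayName     = $entry.DisplayName
                Major           = $major
                Update          = $update
                Hive            = if ($entry.PSPath -match 'Wow6432Node') { '32-bit' } else { 'native' }
                Outdated        = $outdated
                UninstallString = $entry.UninstallString
            }
        }
}

# Anything flagged Outdated is what step 1 says to remove; the UninstallString
# column shows the command Windows itself would run for that entry.
Get-InstalledJava |
    Sort-Object Major, Update |
    Format-Table DisplayName, Major, Update, Hive, Outdated, UninstallString -AutoSize
```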

  2. #12
    Junior Member | Join Date: Mar 2012 | Posts: 11

    Looks like we have some bad news in this one. Also, I can't imagine that it is related, but I had trouble getting onto the SSD site last night.

    1) Update Java: done
    2) Run ESET (here is the bad news):

    C:\Users\davidg\AppData\Local\Mozilla\Firefox\Profiles\ryv0co0u.default\Cache\D\01\E8567d01 JS/Kryptik.KP.Gen trojan

    This critter's Date Modified is exactly the time when I had the message box pop up. (I'll wait to delete it this time on your go-ahead.)

    3) SecurityCheck:

    Results of screen317's Security Check version 0.99.32
    Windows 7 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    McAfee VirusScan Enterprise
    McAfee Security Scan Plus
    McAfee Agent
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    JavaFX 2.0.3
    Java(TM) 7 Update 3
    Adobe Reader X (10.1.2)
    Mozilla Firefox (11.0.)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Malwarebytes' Anti-Malware mbamservice.exe
    Malwarebytes' Anti-Malware mbamgui.exe
    McAfee VirusScan Enterprise x64 engineserver.exe
    McAfee VirusScan Enterprise vstskmgr.exe
    McAfee VirusScan Enterprise shstat.exe
    McAfee VirusScan Enterprise x64 SCAN64.EXE
    McAfee VirusScan Enterprise x64 mcshield.exe
    McAfee VirusScan Enterprise x64 mfeann.exe
    Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
    ``````````End of Log````````````


    Thanks for your help!
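The poster above matched the detected cache file to the moment the message box appeared by its Date Modified. As an added example (not from the thread or from ESET), the PowerShell below does that correlation for a whole Firefox profile cache: it lists every file whose last-write time falls within a window around the incident time and records a SHA-256 so the item can be looked up later, while leaving the files in place. The profile path is the one from the thread; the incident time and window size are placeholder assumptions.

```powershell
# Added example, not from the original thread: time-window triage of a browser cache.
# Assumes Windows 7 or later with PowerShell 2.0+.

$CachePath    = 'C:\Users\davidg\AppData\Local\Mozilla\Firefox\Profiles\ryv0co0u.default\Cache'
$IncidentTime = Get-Date '2012-03-26 21:30'   # PLACEHOLDER: when the message box appeared
$WindowMins   = 5                             # assumption: look +/- this many minutes

function Get-CacheFilesNearTime {
    param([string]$Path, [datetime]$When, [int]$Minutes)
    $start = $When.AddMinutes(-$Minutes)
    $end   = $When.AddMinutes($Minutes)

    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.LastWriteTime -ge $start -and
            $_.LastWriteTime -le $end
        } |
        ForEach-Object {
            $file = $_
            # Hash is computed read-only; nothing is deleted or quarantined here,
            # so the helper can still give a go-ahead on the original file.
            $sha    = [System.Security.Cryptography.SHA256]::Create()
            $stream = $file.OpenRead()
            try {
                $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
            } finally {
                $stream.Close()
            }
            New-Object PSObject -Property @{
                LastWriteTime = $file.LastWriteTime
                Length        = $file.Length
                SHA256        = $hash
                FullName      = $file.FullName
            }
        }
}

# Files written close to the incident are the first candidates to submit for a second opinion.
Get-CacheFilesNearTime -Path $CachePath -When $IncidentTime -Minutes $WindowMins |
    Sort-Object LastWriteTime |
    Format-Table LastWriteTime, Length, SHA256, FullName -AutoSize
```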

  3. #13
    Junior Member | Join Date: Mar 2012 | Posts: 11

    I had forgotten about the new DDS! Here it is, sorry about that:


  4. #14
    Senior Member | Join Date: Apr 2010 | Posts: 463

    Hello BananaRama

    Thank you for the logs.

    This critter's Date Modified is exactly the time when I had the message box pop up. (I'll wait to delete it this time on your go-ahead.)
    This one needs to go.

    Rerun the Eset Online Scan, but this time under scan settings, be sure to check the option to Remove found threats. Save the log as before and copy and paste the contents in your next reply.
    Proud Graduate of the WTT Classroom

  5. #15
    Junior Member | Join Date: Mar 2012 | Posts: 11

    Hi JonTom,

    Here we go. Result of ESET:

    C:\Users\davidg\AppData\Local\Mozilla\Firefox\Profiles\ryv0co0u.default\Cache\D\01\E8567d01 JS/Kryptik.KP.Gen trojan cleaned by deleting - quarantined

    I haven't closed out of the ESET yet; do I want to check either of "Uninstall application on close" or "Delete quarantined files"?


  7. #17
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello BananaRama

    Thank you for the ESET log.

    I haven't closed out of the ESET yet; do I want to check either of "Uninstall application on close" or "Delete quarantined files"?
    The infected item has already been quarantined but you can click on Delete quarantined files if you wish.

    Your latest DDS log appears to be clean, so as long as you are no longer experiencing any problems we can remove our tools:

    1. Please Uninstall Combofix


      • Hold down the Windows key (has the Windows symbol on it) and press the "R" key.
      • A Run box will open.
      • Type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.


    2. Please perform the following cleanup procedure


      • Double click on the OTL.exe icon on your desktop to run the program. (Note: If you are running Vista/Windows 7, right-click on the file and choose Run As Administrator).
      • Once OTL has opened, click on the "CleanUp!" button.
      • Follow any prompts that you receive.


    3. Removal of Tools


      • You no longer need aswMBR, RogueKiller or Security Check. Please delete them from your machine.



    Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.

    4. Finally, please take the time to read through the information provided below:

      Enhance your System Security

      • For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here.


      • IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
      • Once complete, remember to re-engage your resident security before going online.


      Web Browsers and Browser Security

      Firefox
      • You can download Firefox from here.


      No-Script
      • If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
      • You can download No-Script by clicking here.


      Internet Explorer
      • The newest version of Internet Explorer is available from here.
      • Please Note: IE9 is not configured to run on XP machines.


      SpywareBlaster
      • If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
      • SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
      • You can download SpywareBlaster by clicking here.


      Web of Trust
      • When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
      • Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
      • You can download Web of Trust by clicking here.


      Keep your Software Updated
      • Outdated software can sometimes have vulnerabilities that are exploitable by malware.
      • Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here.


      Passwords
      • Learn how to create strong passwords by clicking here and test the strength of the passwords you already use by clicking here.


      General Reading


      Learn How To Combat Malware
      • Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here.
    Proud Graduate of the WTT Classroom

  8. #18
    Junior Member
    Join Date
    Mar 2012
    Posts
    11

    Default

    Hi JonTom,

    Yay! Victory! Thank you for your help and patience!

    I do have two questions:

    1) Do you know anything off the top of your head about what that trojan is designed to do? That is, is there anything specific I should be looking for in terms of "damage already done"? I plan on changing all my passwords to everything, but are there any further steps I should take in this vein?
    2) Looking at the message boards, it seems like a similar message has plagued a few other users; is there anything I can do to help out you, the ComboFix, OTL, aswMBR, etc. teams so that they stop this thing earlier?

    Now a statement: I am heading to the donation page (unless there is a different/additional site you would suggest?). Thank you again!

  9. #19
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    1) Do you know anything off the top of your head about what that trojan is designed to do?
    Security Shield is one of many malicious rogues that use "scareware" tactics to try and tempt you to install it. Typically you would receive a message informing you that an infection has been detected on your machine and you need to run a scan to remove it.

    The rogue will produce false alerts and detections in order to convince people to purchase the product.

    They then inform you that you need to pay money to register the software in order to remove these non-existent threats. Of course, this is a complete con designed only to scare you into handing over your money.


    I plan on changing all my passwords to everything, but are there any further steps I should take in this vein?
    is there anything specific I should be looking for in terms of "damage already done"?
    Changing your passwords is always recommended. As for anything else it depends on how the machine is running. It is difficult to determine exactly what damage (if any) has been caused since system scans do not report on the integrity of every file present on the machine.

    2) Looking at the message boards, it seems like a similar message has plagued a few other users; is there anything I can do to help out you, the ComboFix, OTL, aswMBR, etc. teams so that they stop this thing earlier?
    Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

    Being vigilant and exercising caution when surfing the web is the best way to steer clear of the dangers posed by scareware.

    Now a statement: I am heading to the donation page
    Your donation is very much appreciated

    Yay! Victory! Thank you for your help and patience!
    You are Very Welcome BananaRama

    Best wishes

    JonTom
    Proud Graduate of the WTT Classroom

  10. #20
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Since this problem appears to be resolved this topic is now closed.

    Glad we could help

    Best wishes
    JonTom
    Proud Graduate of the WTT Classroom
