BleepingComputer.com: Guard online with several other infections

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Guard online with several other infections Can't get it removed

#1 User is offline   rkcmx 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 10-October 11

Posted 10 October 2011 - 09:29 PM

I tried to follow the guide that was posted on here to remove Guard online, but I didn't seem to get very far with it. My original thread I started that has more details is here: http://www.bleepingcomputer.com/forums/topic422841.html/page__gopid__2436574#entry2436574

I can't do much since I can no longer search Google, most of my anti-virus program will no longer work and I have been denied access to them, I can't even move or rename them. Malwarebytes' Anti-Malware keeps blocking svchost, it's trying to access a Web site/IP address. I also know I had a root because I ran TDSS and it removed three of them, but they keep coming back. Their called C5A7BD4E, SafeBoot and VPCVMM. It seems like it keeps getting worse. Here are my logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by onlinecci at 22:11:12 on 2011-10-10
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1782.697 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: STOPzilla Anti-Spyware *Disabled/Updated* {B2E69928-50DC-94CA-6A80-AAB054008761}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_7b6e808b01435efc\STacSV.exe
C:\windows\1321052101:978862769.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\Hpservice.exe
C:\windows\system32\atibtmon.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_7b6e808b01435efc\aestsrv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\windows\System32\svchost.exe -k Akamai
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe
c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe
C:\ProgramData\Rpcnet\Bin\rpcld.exe
C:\Windows\System32\rpcnet.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\windows\system32\wbem\unsecapp.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\taskhost.exe
C:\Windows\system32\userinit.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\coreshredder.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Users\onlinecci\AppData\Local\Temp\winsett.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\onlinecci\AppData\Local\Temp\winsett.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\windows\system32\taskeng.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cci.edu/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\hewlett-packard\hp protecttools security manager\bin\DPAgent.exe,
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [HPAdvisorDock] c:\program files\hewlett-packard\hp advisor\dock\HPAdvisorDock.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\onlinecci\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Windows Auto Config] c:\users\onlinecci\appdata\local\temp\winsett.exe
mRun: [QLBController] c:\program files\hewlett-packard\hp hotkey support\QLBController.exe /start
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [HPPowerAssistant] c:\program files\hewlett-packard\hp power assistant\HPPA_Main.exe /hidden
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\delayedappstarter.exe 120 c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden
mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [HP Connection Manager.exe] "c:\program files\hewlett-packard\hp connection manager\HP Connection Manager.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NortonOnlineBackupReminder] "c:\program files\symantec\norton online backup\activation\NOBuActivation.exe" UNATTENDED
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Windows Auto Config] c:\users\onlinecci\appdata\local\temp\winsett.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: convergysworkathome.com\www
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.21.199 209.18.47.61 209.18.47.62
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3} : NameServer = 192.168.2.1,209.18.47.61
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3} : DhcpNameServer = 192.168.21.199 209.18.47.61 209.18.47.62
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\037364851313030353432363 : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\037364851313030353432363 : DhcpNameServer = 192.168.200.1 192.168.200.1
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\2656C6B696E6534376 : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\2656C6B696E6534376 : DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\3507565646C496E6B637 : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\3507565646C496E6B637 : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\8497164747 : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\8497164747 : DhcpNameServer = 4.2.2.1
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\D41445453575942554C4543535 : NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\D41445453575942554C4543535 : DhcpNameServer = 192.168.2.1 209.18.47.61 209.18.47.62
Notify: DeviceNP - DeviceNP.dll
LSA: Notification Packages = DPPassFilter scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 95.64.61.143 www.google.com
Hosts: 95.64.61.144 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\onlinecci\appdata\roaming\mozilla\firefox\profiles\yt4mj28p.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\onlinecci\appdata\local\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [2010-2-1 51800]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [2010-2-1 13256]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2011-8-16 59080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [2010-2-1 40088]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2011-6-6 64952]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_7b6e808b01435efc\AEstSrv.exe [2010-6-21 81920]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-4-8 172032]
R2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\hewlett-packard\2009 password filter for hp protecttools\PTChangeFilterService.exe [2010-10-19 32768]
R2 HPDayStarterService;HP DayStarter Service;c:\program files\hewlett-packard\hp quicklook\HPDayStarterService.exe [2010-3-25 90112]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\hewlett-packard\shared\HPDrvMntSvc.exe [2011-3-28 94264]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\hewlett-packard\drive encryption\HpFkCrypt.exe [2010-2-1 281192]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2010-1-19 297984]
R2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\hewlett-packard\hp hotkey support\hpHotkeyMonitor.exe [2010-3-1 264248]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2011-5-5 26168]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-5-23 635416]
R2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\qualcomm\qdlservice2k\QDLService2kHP.exe [2010-3-15 331000]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-6-21 48640]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-6-21 47616]
R2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\rpcnet\bin\rpcld.exe --> c:\programdata\rpcnet\bin\rpcld.exe [?]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-4-8 5429760]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-4-8 157184]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-6-21 29472]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-9 136176]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\hewlett-packard\hp power assistant\HPPA_Service.exe [2010-4-5 103992]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2011-6-21 85560]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-4-5 103992]
S2 inewnetwork;Network Location Awarenes(NLA);c:\windows\system32\svchost.exe -k inetswork [2009-7-13 20992]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-10 366152]
S2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-6-21 38912]
S2 SMManager;HP Connection Manager Service;c:\program files\hewlett-packard\hp connection manager\SMManager.exe [2010-3-12 82760]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-2-18 1664304]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2009-10-21 32312]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2009-12-7 362040]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-9 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-10 22216]
S3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\drivers\qcfilterhp2k.sys [2010-3-15 5248]
S3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\drivers\qcusbnethp2k.sys [2010-3-15 208384]
S3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\drivers\qcusbserhp2k.sys [2010-3-15 106880]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-11-23 1120752]
S3 rtsuvc;Realtek USB2.0 PC Camera;c:\windows\system32\drivers\rtsuvc.sys [2010-6-21 73344]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2010-6-21 12800]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-25 1343400]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-1-8 316416]
.
=============== Created Last 30 ================
.
2011-10-11 02:05:45 100864 ----a-w- C:\pgtiapob.sys
2011-10-10 20:10:21 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-10 20:10:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-10 19:39:45 -------- d--h--w- c:\windows\PIF
2011-10-09 20:24:58 18944 ---h--w- c:\windows\winsett.exe
2011-10-09 20:24:58 18944 ---h--w- c:\windows\system32\winsett.exe
2011-10-07 20:26:07 -------- d-----w- c:\windows\system32\sdtmp
2011-10-07 20:01:24 -------- d-----w- c:\program files\STOPzilla!
2011-10-07 20:01:23 -------- d-----w- c:\programdata\STOPzilla!
2011-10-07 20:01:23 -------- d-----w- c:\program files\common files\iS3
2011-10-07 19:53:25 -------- d-----w- c:\users\onlinecci\appdata\roaming\WLZqhYCwkVlBx0c
2011-10-07 19:53:25 -------- d-----w- c:\users\onlinecci\appdata\roaming\om6sWJ7fE8T
2011-10-07 19:53:22 -------- d-----w- c:\users\onlinecci\appdata\roaming\PjeBPAuoFms
2011-10-07 19:53:20 -------- d-----w- c:\users\onlinecci\appdata\roaming\PgTZqjYCwIOPSbo
2011-10-07 19:47:28 -------- d-----w- c:\users\onlinecci\appdata\roaming\mbF3pmG5aJdKfLh
2011-10-07 19:47:26 -------- d-----w- c:\users\onlinecci\appdata\roaming\Q1uv2bF4pGsJdKf
2011-10-07 19:47:26 -------- d-----w- c:\users\onlinecci\appdata\roaming\OzNycuvDoFpGsJd
2011-10-07 19:47:19 -------- d-----w- c:\users\onlinecci\appdata\roaming\NcS1ibD3oGaHsJf
2011-10-07 19:47:18 -------- d-----w- c:\users\onlinecci\appdata\roaming\R9gTZqjYCkVlNx0
2011-10-07 19:01:34 -------- d-----w- c:\users\onlinecci\appdata\roaming\wttxxA0uuS2ib
2011-10-07 19:01:34 -------- d-----w- c:\users\onlinecci\appdata\roaming\JL99gTXqjYCkIrO
2011-10-07 19:00:54 -------- d-----w- c:\users\onlinecci\appdata\roaming\R3ppnG55QWKfjkV
2011-10-07 19:00:54 -------- d-----w- c:\users\onlinecci\appdata\roaming\JVVVrzONt
2011-10-07 19:00:54 -------- d-----w- c:\users\onlinecci\appdata\roaming\IF33nQdKRLTqjCe
2011-10-07 19:00:35 -------- d-----w- C:\NTAT7UV0sxKxs2I
2011-10-07 18:48:40 -------- d-----w- c:\users\onlinecci\appdata\roaming\vPNAuSobFpGaJd8
2011-10-07 18:48:40 -------- d-----w- c:\users\onlinecci\appdata\roaming\iUCekIBrzN
2011-10-07 18:48:39 -------- d-----w- c:\users\onlinecci\appdata\roaming\zjUCeBPNAuSoF
2011-10-07 18:48:39 -------- d-----w- c:\users\onlinecci\appdata\roaming\KZhTwjUCeB
2011-10-07 18:48:39 -------- d-----w- c:\users\onlinecci\appdata\roaming\DTXwUClzPAu
2011-10-07 18:43:51 -------- d-----w- c:\users\onlinecci\appdata\roaming\UmH5sQJ7dKg9YwV
2011-10-07 18:43:50 -------- d-----w- c:\users\onlinecci\appdata\roaming\EF4amH5sW7E8RqY
2011-10-07 18:43:47 -------- d-----w- c:\users\onlinecci\appdata\roaming\QxuSbp5JdKRhXUl
2011-10-07 18:43:47 -------- d-----w- c:\users\onlinecci\appdata\roaming\iPy1v2Fm5JdKf
2011-10-07 18:43:47 -------- d-----w- c:\users\onlinecci\appdata\roaming\fJdKf9TjeI
2011-10-07 18:40:17 -------- d-----w- c:\users\onlinecci\appdata\roaming\KbD3onG4aHs7EgZ
2011-10-07 18:40:13 -------- d-----w- c:\users\onlinecci\appdata\roaming\XgqYXwkUVlBPc1D
2011-10-07 18:40:09 -------- d-----w- c:\users\onlinecci\appdata\roaming\sQJ7dEK8gZh
2011-10-07 18:40:09 -------- d-----w- c:\users\onlinecci\appdata\roaming\aXwjUVelItPyAuD
2011-10-07 16:47:23 -------- d-----w- c:\users\onlinecci\appdata\roaming\vA0uvS2ib3n5Q
2011-10-07 16:47:23 -------- d-----w- c:\users\onlinecci\appdata\roaming\OrNyA0uvSiFpGaH
2011-10-07 16:47:18 -------- d-----w- c:\users\onlinecci\appdata\roaming\NVrzONxA0c2b3n4
2011-10-07 16:47:14 -------- d-----w- c:\users\onlinecci\appdata\roaming\ztxP0ucS1b3n4m6
2011-10-07 16:47:14 -------- d-----w- c:\users\onlinecci\appdata\roaming\BK7fEL9gTqYwIrO
2011-10-07 16:15:40 7269712 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{88b72a9a-4827-438f-adf2-ef8d4097275d}\mpengine.dll
2011-10-07 16:12:35 -------- d-----w- c:\users\onlinecci\appdata\roaming\pQJ6dEK8fZhXjCl
2011-10-07 16:12:34 -------- d-----w- c:\users\onlinecci\appdata\roaming\qOBtz0ycAiDoFpH
2011-10-07 16:12:33 -------- d-----w- c:\users\onlinecci\appdata\roaming\I6WfLTjwVOPSbo4
2011-10-07 16:12:32 -------- d-----w- c:\users\onlinecci\appdata\roaming\Yzt0uciDn4HsKfL
2011-10-07 16:12:32 -------- d-----w- c:\users\onlinecci\appdata\roaming\PAuSipGHW7RgXYe
2011-10-07 15:54:56 -------- d-----w- c:\programdata\WSTB
2011-10-07 15:50:28 -------- d-----w- c:\users\onlinecci\appdata\roaming\pIVrlONtx0c1b3n
2011-10-07 15:50:27 -------- d-----w- c:\users\onlinecci\appdata\roaming\DaQH6sWK7E9TqYw
2011-10-07 15:34:56 -------- d-----w- c:\users\onlinecci\appdata\roaming\Z44ppmmG5sQ6dK8
2011-10-07 15:34:56 -------- d-----w- c:\users\onlinecci\appdata\roaming\SuuvvD22ob
2011-10-07 15:34:51 -------- d-----w- c:\users\onlinecci\appdata\roaming\XNNNyccA1uvDob4
2011-10-07 15:34:51 -------- d-----w- c:\users\onlinecci\appdata\roaming\fQQQJ77dEK8gZ9Y
2011-10-03 19:26:58 -------- d-----w- c:\users\onlinecci\appdata\local\Programs
2011-10-03 19:26:40 -------- d-----w- c:\windows\DPDrv
2011-10-01 14:35:49 -------- d-----w- c:\programdata\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}
2011-09-30 15:44:29 7269712 ------w- c:\programdata\microsoft\windows defender\definition updates\updates\mpengine.dll
2011-09-30 15:06:53 -------- d-----w- C:\ConvergysHealthChecker
2011-09-28 21:58:02 22992 ----a-r- c:\windows\system32\SZIO5.dll
2011-09-28 21:58:02 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2011-09-28 21:58:00 546256 ----a-r- c:\windows\system32\SZComp5.dll
2011-09-28 21:58:00 480720 ----a-r- c:\windows\system32\SZBase5.dll
2011-09-28 21:58:00 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2011-09-28 21:58:00 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2011-09-28 21:57:58 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2011-09-28 21:57:58 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2011-09-28 21:57:58 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2011-09-28 21:57:58 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2011-09-28 21:57:56 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2011-09-28 21:57:56 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2011-09-16 21:07:40 513952 ----a-w- c:\windows\system32\AppHardT.dll
.
==================== Find3M ====================
.
2011-10-11 02:10:44 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-10-11 02:10:42 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-10-11 01:59:20 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-08-16 21:48:30 59080 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2011-07-16 04:37:32 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34:28 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31:12 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 02:21:47 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
.
============= FINISH: 22:14:22.88 ===============

Attached File(s)


#2 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,507
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 12 October 2011 - 02:35 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\windows\1321052101

  • Press Create button and post the content of the Result.txt.

    Important: Restart the computer.


Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#3 User is offline   rkcmx 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 10-October 11

Posted 12 October 2011 - 04:59 PM

Would not allow me to run the dream program, said access denied. I ran Combofix and said there was a rootkit in my tcp/ip but then my computer shut down and had to re run it. Not sure if it will show in these logs. Here they are:

ComboFix 11-10-12.03 - onlinecci 10/12/2011 17:39:52.1.2 - x86 NETWORK
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1782.825 [GMT -4:00]
Running from: c:\users\onlinecci\Downloads\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {DAAC1C79-1A96-9DFE-FC4C-6940214C33E6}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
c:\users\onlinecci\Documents\~WRL3740.tmp
c:\windows\1321052101
.
Infected copy of c:\windows\System32\autochk.exe was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\bd60fbfcf1ac006bf26f6afa5c1dff1a\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7601.17514_none_e3fb573520033bfa\autochk.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-12 to 2011-10-12 )))))))))))))))))))))))))))))))
.
.
2011-10-12 21:49 . 2011-10-12 21:53 -------- d-----w- c:\users\onlinecci\AppData\Local\temp
2011-10-12 21:49 . 2011-10-12 21:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-12 21:37 . 2011-10-12 21:37 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{22A2D96D-49B2-4D20-B52A-978651CA2629}\offreg.dll
2011-10-12 21:37 . 2011-09-21 13:00 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{22A2D96D-49B2-4D20-B52A-978651CA2629}\mpengine.dll
2011-10-11 07:44 . 2011-10-11 07:44 -------- d-----w- C:\found.001
2011-10-10 20:10 . 2011-10-11 07:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-10 19:39 . 2011-10-10 19:39 -------- d--h--w- c:\windows\PIF
2011-10-07 20:01 . 2011-10-11 07:56 -------- d-----w- c:\program files\STOPzilla!
2011-10-07 20:01 . 2011-10-09 21:16 -------- d-----w- c:\programdata\STOPzilla!
2011-10-07 20:01 . 2011-10-07 20:01 -------- d-----w- c:\program files\Common Files\iS3
2011-10-07 19:53 . 2011-10-07 19:53 -------- d-----w- c:\users\onlinecci\AppData\Roaming\WLZqhYCwkVlBx0c
2011-10-07 19:53 . 2011-10-07 19:53 -------- d-----w- c:\users\onlinecci\AppData\Roaming\om6sWJ7fE8T
2011-10-07 19:53 . 2011-10-07 19:53 -------- d-----w- c:\users\onlinecci\AppData\Roaming\PjeBPAuoFms
2011-10-07 19:53 . 2011-10-07 19:53 -------- d-----w- c:\users\onlinecci\AppData\Roaming\PgTZqjYCwIOPSbo
2011-10-07 19:47 . 2011-10-07 19:47 -------- d-----w- c:\users\onlinecci\AppData\Roaming\mbF3pmG5aJdKfLh
2011-10-07 19:47 . 2011-10-07 19:47 -------- d-----w- c:\users\onlinecci\AppData\Roaming\Q1uv2bF4pGsJdKf
2011-10-07 19:47 . 2011-10-07 19:47 -------- d-----w- c:\users\onlinecci\AppData\Roaming\OzNycuvDoFpGsJd
2011-10-07 19:47 . 2011-10-09 20:51 -------- d-----w- c:\users\onlinecci\AppData\Roaming\NcS1ibD3oGaHsJf
2011-10-07 19:47 . 2011-10-07 19:47 -------- d-----w- c:\users\onlinecci\AppData\Roaming\R9gTZqjYCkVlNx0
2011-10-07 19:01 . 2011-10-09 20:51 -------- d-----w- c:\users\onlinecci\AppData\Roaming\wttxxA0uuS2ib
2011-10-07 19:01 . 2011-10-07 19:01 -------- d-----w- c:\users\onlinecci\AppData\Roaming\JL99gTXqjYCkIrO
2011-10-07 19:00 . 2011-10-09 20:52 -------- d-----w- c:\users\onlinecci\AppData\Roaming\JVVVrzONt
2011-10-07 19:00 . 2011-10-07 19:00 -------- d-----w- c:\users\onlinecci\AppData\Roaming\R3ppnG55QWKfjkV
2011-10-07 19:00 . 2011-10-07 19:00 -------- d-----w- c:\users\onlinecci\AppData\Roaming\IF33nQdKRLTqjCe
2011-10-07 19:00 . 2011-10-07 19:00 -------- d-----w- C:\NTAT7UV0sxKxs2I
2011-10-07 18:48 . 2011-10-09 20:52 -------- d-----w- c:\users\onlinecci\AppData\Roaming\vPNAuSobFpGaJd8
2011-10-07 18:48 . 2011-10-07 18:48 -------- d-----w- c:\users\onlinecci\AppData\Roaming\iUCekIBrzN
2011-10-07 18:48 . 2011-10-07 18:48 -------- d-----w- c:\users\onlinecci\AppData\Roaming\zjUCeBPNAuSoF
2011-10-07 18:48 . 2011-10-07 18:48 -------- d-----w- c:\users\onlinecci\AppData\Roaming\KZhTwjUCeB
2011-10-07 18:48 . 2011-10-07 18:48 -------- d-----w- c:\users\onlinecci\AppData\Roaming\DTXwUClzPAu
2011-10-07 18:43 . 2011-10-07 18:43 -------- d-----w- c:\users\onlinecci\AppData\Roaming\UmH5sQJ7dKg9YwV
2011-10-07 18:43 . 2011-10-07 18:43 -------- d-----w- c:\users\onlinecci\AppData\Roaming\EF4amH5sW7E8RqY
2011-10-07 18:43 . 2011-10-09 20:52 -------- d-----w- c:\users\onlinecci\AppData\Roaming\iPy1v2Fm5JdKf
2011-10-07 18:43 . 2011-10-07 18:43 -------- d-----w- c:\users\onlinecci\AppData\Roaming\QxuSbp5JdKRhXUl
2011-10-07 18:43 . 2011-10-07 18:43 -------- d-----w- c:\users\onlinecci\AppData\Roaming\fJdKf9TjeI
2011-10-07 18:40 . 2011-10-07 18:40 -------- d-----w- c:\users\onlinecci\AppData\Roaming\KbD3onG4aHs7EgZ
2011-10-07 18:40 . 2011-10-07 18:40 -------- d-----w- c:\users\onlinecci\AppData\Roaming\XgqYXwkUVlBPc1D
2011-10-07 18:40 . 2011-10-09 20:52 -------- d-----w- c:\users\onlinecci\AppData\Roaming\aXwjUVelItPyAuD
2011-10-07 18:40 . 2011-10-07 18:40 -------- d-----w- c:\users\onlinecci\AppData\Roaming\sQJ7dEK8gZh
2011-10-07 16:47 . 2011-10-07 16:47 -------- d-----w- c:\users\onlinecci\AppData\Roaming\vA0uvS2ib3n5Q
2011-10-07 16:47 . 2011-10-07 16:47 -------- d-----w- c:\users\onlinecci\AppData\Roaming\OrNyA0uvSiFpGaH
2011-10-07 16:47 . 2011-10-07 16:47 -------- d-----w- c:\users\onlinecci\AppData\Roaming\NVrzONxA0c2b3n4
2011-10-07 16:47 . 2011-10-09 20:52 -------- d-----w- c:\users\onlinecci\AppData\Roaming\ztxP0ucS1b3n4m6
2011-10-07 16:47 . 2011-10-07 16:47 -------- d-----w- c:\users\onlinecci\AppData\Roaming\BK7fEL9gTqYwIrO
2011-10-07 16:12 . 2011-10-07 16:12 -------- d-----w- c:\users\onlinecci\AppData\Roaming\pQJ6dEK8fZhXjCl
2011-10-07 16:12 . 2011-10-07 16:12 -------- d-----w- c:\users\onlinecci\AppData\Roaming\qOBtz0ycAiDoFpH
2011-10-07 16:12 . 2011-10-07 16:12 -------- d-----w- c:\users\onlinecci\AppData\Roaming\I6WfLTjwVOPSbo4
2011-10-07 16:12 . 2011-10-09 20:52 -------- d-----w- c:\users\onlinecci\AppData\Roaming\Yzt0uciDn4HsKfL
2011-10-07 16:12 . 2011-10-07 16:12 -------- d-----w- c:\users\onlinecci\AppData\Roaming\PAuSipGHW7RgXYe
2011-10-07 15:54 . 2011-10-09 21:21 -------- d-----w- c:\programdata\WSTB
2011-10-07 15:54 . 2011-10-07 15:54 -------- d-----w- c:\windows\Sun
2011-10-07 15:50 . 2011-10-09 20:52 -------- d-----w- c:\users\onlinecci\AppData\Roaming\pIVrlONtx0c1b3n
2011-10-07 15:50 . 2011-10-07 15:50 -------- d-----w- c:\users\onlinecci\AppData\Roaming\DaQH6sWK7E9TqYw
2011-10-07 15:34 . 2011-10-09 20:52 -------- d-----w- c:\users\onlinecci\AppData\Roaming\Z44ppmmG5sQ6dK8
2011-10-07 15:34 . 2011-10-07 15:34 -------- d-----w- c:\users\onlinecci\AppData\Roaming\SuuvvD22ob
2011-10-07 15:34 . 2011-10-09 21:21 -------- d-----w- c:\users\onlinecci\AppData\Roaming\XNNNyccA1uvDob4
2011-10-07 15:34 . 2011-10-07 15:34 -------- d-----w- c:\users\onlinecci\AppData\Roaming\fQQQJ77dEK8gZ9Y
2011-10-03 19:26 . 2011-10-03 19:26 -------- d-----w- c:\users\onlinecci\AppData\Local\Programs
2011-10-03 19:26 . 2011-10-03 19:26 -------- d-----r- c:\windows\system32\config\systemprofile\Virtual Machines
2011-10-03 19:26 . 2011-10-03 19:26 -------- d-----w- c:\windows\DPDrv
2011-10-01 14:35 . 2011-10-01 14:35 -------- d-----w- c:\programdata\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}
2011-09-30 15:06 . 2011-10-13 01:21 -------- d-----w- C:\ConvergysHealthChecker
2011-09-16 21:07 . 2011-09-16 21:07 513952 ----a-w- c:\windows\system32\AppHardT.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-12 21:50 . 2010-10-27 00:14 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-10-12 21:50 . 2010-07-28 16:16 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-10-12 21:34 . 2010-10-27 00:13 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-08-15 00:40 . 2011-08-15 00:40 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-08-15 00:40 . 2011-08-15 00:40 161792 ----a-w- c:\windows\system32\msls31.dll
2011-08-15 00:40 . 2011-08-15 00:40 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-08-15 00:40 . 2011-08-15 00:40 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-08-15 00:40 . 2011-08-15 00:40 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-08-15 00:40 . 2011-08-15 00:40 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-08-15 00:40 . 2011-08-15 00:40 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-08-15 00:40 . 2011-08-15 00:40 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-08-15 00:40 . 2011-08-15 00:40 367104 ----a-w- c:\windows\system32\html.iec
2011-08-15 00:40 . 2011-08-15 00:40 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-08-15 00:40 . 2011-08-15 00:40 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-15 00:40 . 2011-08-15 00:40 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-15 00:40 . 2011-08-15 00:40 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-08-15 00:40 . 2011-08-15 00:40 152064 ----a-w- c:\windows\system32\wextract.exe
2011-08-15 00:40 . 2011-08-15 00:40 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-08-15 00:40 . 2011-08-15 00:40 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-08-15 00:40 . 2011-08-15 00:40 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-15 00:40 . 2011-08-15 00:40 11776 ----a-w- c:\windows\system32\mshta.exe
2011-08-15 00:40 . 2011-08-15 00:40 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-08-15 00:40 . 2011-08-15 00:40 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-08-15 00:40 . 2011-08-15 00:40 101888 ----a-w- c:\windows\system32\admparse.dll
2011-07-16 04:37 . 2011-08-10 11:06 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34 . 2011-08-10 11:06 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31 . 2011-08-10 11:06 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 04:19 . 2011-08-10 11:06 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 11:06 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 11:06 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1515576]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-02-22 2363392]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QLBController"="c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe" [2010-03-01 256056]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2010-03-06 563736]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe" [2010-04-05 1691192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-04-05 8192]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2010-01-19 11266048]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-08 102400]
"HP Connection Manager.exe"="c:\program files\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe" [2010-03-13 1119048]
"estar"="c:\system.sav\Util\HideDOS.EXE" [2006-11-28 77824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-25 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" [2009-12-03 3331944]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-03-17 495708]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2009-12-07 18:36 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R1 MpKsl07275354;MpKsl07275354;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{023C0C89-1597-46B1-8646-CB42C5B47FF7}\MpKsl07275354.sys [x]
R1 MpKsl11135ced;MpKsl11135ced;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{004EC49B-61F2-4238-A440-4B85C8C1D7FF}\MpKsl11135ced.sys [x]
R1 MpKsl2137a27a;MpKsl2137a27a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2AF2075A-AB29-4B23-AD6D-896435BE78B7}\MpKsl2137a27a.sys [x]
R1 MpKsl458ca2bf;MpKsl458ca2bf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1EB1554C-9270-42DB-A8D0-0F9D25E1C026}\MpKsl458ca2bf.sys [x]
R1 MpKsl4956d41c;MpKsl4956d41c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1EB1554C-9270-42DB-A8D0-0F9D25E1C026}\MpKsl4956d41c.sys [x]
R1 MpKsl63178ebf;MpKsl63178ebf;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{16490F51-8733-47B5-839C-09043D04AF29}\MpKsl63178ebf.sys [x]
R1 MpKsl67784d3d;MpKsl67784d3d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{229C0DBB-32E3-47E5-9AFB-8DF08D4F9558}\MpKsl67784d3d.sys [x]
R1 MpKsl6bea8b0d;MpKsl6bea8b0d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EFA29363-7B09-4EF0-A460-1C50842B78CB}\MpKsl6bea8b0d.sys [x]
R1 MpKsl7c304f7c;MpKsl7c304f7c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E5CD72C5-88C7-45BD-BC1B-58563D52A856}\MpKsl7c304f7c.sys [x]
R1 MpKsl8b6ddcb5;MpKsl8b6ddcb5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AF4E65F5-C7D5-4D23-9A13-2A45779755CE}\MpKsl8b6ddcb5.sys [x]
R1 MpKsl8e0e312e;MpKsl8e0e312e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{051380D5-4447-4F54-A9A0-A75D51F0A1F8}\MpKsl8e0e312e.sys [x]
R1 MpKsl951289dc;MpKsl951289dc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{52521419-33E4-4E20-AA6D-2689554D2994}\MpKsl951289dc.sys [x]
R1 MpKsl9e7c5956;MpKsl9e7c5956;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8BC8B49C-E841-4D62-A2EF-D2E8D154712E}\MpKsl9e7c5956.sys [x]
R1 MpKslc5152fa5;MpKslc5152fa5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{44DEF8E7-ECC3-4E9E-9FD5-27572FAC495B}\MpKslc5152fa5.sys [x]
R1 MpKslc83c607e;MpKslc83c607e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AEBAC687-D965-4C65-A29D-0BAEE0B87513}\MpKslc83c607e.sys [x]
R1 MpKsldafe2be9;MpKsldafe2be9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1EB1554C-9270-42DB-A8D0-0F9D25E1C026}\MpKsldafe2be9.sys [x]
R1 MpKslde7aa450;MpKslde7aa450;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2AF2075A-AB29-4B23-AD6D-896435BE78B7}\MpKslde7aa450.sys [x]
R1 MpKsle1e800f0;MpKsle1e800f0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1EB1554C-9270-42DB-A8D0-0F9D25E1C026}\MpKsle1e800f0.sys [x]
R1 MpKslef39ac1e;MpKslef39ac1e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{051380D5-4447-4F54-A9A0-A75D51F0A1F8}\MpKslef39ac1e.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 136176]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-04-15 1378040]
R2 SMManager;HP Connection Manager Service;c:\program files\Hewlett-Packard\HP Connection Manager\SMManager.exe [2010-03-13 82760]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-02-18 1664304]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [2009-10-21 32312]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2009-12-07 362040]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 136176]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2010-11-08 15264]
R3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\DRIVERS\qcfilterhp2k.sys [2010-03-15 5248]
R3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\DRIVERS\qcusbnethp2k.sys [2010-03-15 208384]
R3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\DRIVERS\qcusbserhp2k.sys [2010-03-15 106880]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-11-23 1120752]
R3 rtsuvc;Realtek USB2.0 PC Camera;c:\windows\system32\DRIVERS\rtsuvc.sys [2010-01-30 73344]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-06-21 12800]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-25 1343400]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 RsvLock;RsvLock; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_7b6e808b01435efc\aestsrv.exe [2009-03-03 81920]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-08 172032]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2010-04-05 103992]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-10-19 32768]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-04-05 103992]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [2010-03-25 90112]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2010-02-02 281192]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [2010-01-19 297984]
S2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [2010-03-01 264248]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-05 26168]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2010-03-06 635416]
S2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\QUALCOMM\QDLService2k\QDLService2kHP.exe [2010-03-15 331000]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-12-12 38912]
S2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\Rpcnet\Bin\rpcld.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-08 5429760]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-08 157184]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-01-07 29472]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-01-08 316416]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-02-22 18:38 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 17:11]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 17:11]
.
2011-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-806783369-3586686801-2702779342-1003Core.job
- c:\users\onlinecci\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-12 21:10]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-806783369-3586686801-2702779342-1003UA.job
- c:\users\onlinecci\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-12 21:10]
.
2011-10-01 c:\windows\Tasks\HPCeeScheduleForonlinecci.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cci.edu/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: convergysworkathome.com\www
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: DhcpNameServer = 192.168.21.199 209.18.47.61 209.18.47.62
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}: NameServer = 192.168.2.1,209.18.47.61
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\037364851313030353432363: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\2656C6B696E6534376: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\3507565646C496E6B637: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\8497164747: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\D41445453575942554C4543535: NameServer = 156.154.70.22,156.154.71.22
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
FF - ProfilePath - c:\users\onlinecci\AppData\Roaming\Mozilla\Firefox\Profiles\yt4mj28p.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{21FA44EF-376D-4D53-9B0F-8A89D3229068}"=hex:51,66,7a,6c,4c,1d,38,12,81,47,e9,
25,5f,79,3d,08,e4,19,c9,c9,d6,7c,d4,7c
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=hex:51,66,7a,6c,4c,1d,38,12,57,36,90,
43,f7,9e,4b,04,e0,be,4b,59,e7,b4,e8,87
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,
02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3134413B-49B4-425C-98A5-893C1F195601}"=hex:51,66,7a,6c,4c,1d,38,12,55,42,27,
35,86,07,32,07,e7,b3,ca,7c,1a,47,12,15
"{395610AE-C624-4F58-B89E-23733EA00F9A}"=hex:51,66,7a,6c,4c,1d,38,12,c0,13,45,
3d,16,88,36,0a,c7,88,60,33,3b,fe,4b,8e
"{6EBF7485-159F-4BFF-A14F-B9E3AAC4465B}"=hex:51,66,7a,6c,4c,1d,38,12,eb,77,ac,
6a,ad,5b,91,0e,de,59,fa,a3,af,9a,02,4f
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AE7CD045-E861-484F-8273-0445EE161910}"=hex:51,66,7a,6c,4c,1d,38,12,2b,d3,6f,
aa,53,a6,21,0d,fd,65,47,05,eb,48,5d,04
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}"=hex:51,66,7a,6c,4c,1d,38,12,ae,8e,49,
e5,24,cb,cf,07,fe,fc,9f,d4,e9,44,8b,04
"{F4971EE7-DAA0-4053-9964-665D8EE6A077}"=hex:51,66,7a,6c,4c,1d,38,12,89,1d,84,
f0,92,94,3d,05,e6,72,25,1d,8b,b8,e4,63
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:16,05,42,2e,7f,6c,cc,01
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5396)
c:\program files\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFTaskbar.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_7b6e808b01435efc\STacSV.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\rpcnet.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files\PDF Complete\pdfupd.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\wermgr.exe
.
**************************************************************************
.
Completion time: 2011-10-12 17:57:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-12 21:57
.
Pre-Run: 91,219,390,464 bytes free
Post-Run: 91,275,558,912 bytes free
.
- - End Of File - - 9257AFA4C57C274DFA9C07E4A3737B83

#4 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,507
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 12 October 2011 - 05:11 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\users\onlinecci\AppData\Roaming\WLZqhYCwkVlBx0c
c:\users\onlinecci\AppData\Roaming\om6sWJ7fE8T
c:\users\onlinecci\AppData\Roaming\PjeBPAuoFms
c:\users\onlinecci\AppData\Roaming\PgTZqjYCwIOPSbo
c:\users\onlinecci\AppData\Roaming\mbF3pmG5aJdKfLh
c:\users\onlinecci\AppData\Roaming\Q1uv2bF4pGsJdKf
c:\users\onlinecci\AppData\Roaming\OzNycuvDoFpGsJd
c:\users\onlinecci\AppData\Roaming\NcS1ibD3oGaHsJf
c:\users\onlinecci\AppData\Roaming\R9gTZqjYCkVlNx0
c:\users\onlinecci\AppData\Roaming\wttxxA0uuS2ib
c:\users\onlinecci\AppData\Roaming\JL99gTXqjYCkIrO
c:\users\onlinecci\AppData\Roaming\JVVVrzONt
c:\users\onlinecci\AppData\Roaming\R3ppnG55QWKfjkV
c:\users\onlinecci\AppData\Roaming\IF33nQdKRLTqjCe
C:\NTAT7UV0sxKxs2I
c:\users\onlinecci\AppData\Roaming\vPNAuSobFpGaJd8
c:\users\onlinecci\AppData\Roaming\iUCekIBrzN
c:\users\onlinecci\AppData\Roaming\zjUCeBPNAuSoF
c:\users\onlinecci\AppData\Roaming\KZhTwjUCeB
c:\users\onlinecci\AppData\Roaming\DTXwUClzPAu
c:\users\onlinecci\AppData\Roaming\UmH5sQJ7dKg9YwV
c:\users\onlinecci\AppData\Roaming\EF4amH5sW7E8RqY
c:\users\onlinecci\AppData\Roaming\iPy1v2Fm5JdKf
c:\users\onlinecci\AppData\Roaming\QxuSbp5JdKRhXUl
c:\users\onlinecci\AppData\Roaming\fJdKf9TjeI
c:\users\onlinecci\AppData\Roaming\KbD3onG4aHs7EgZ
c:\users\onlinecci\AppData\Roaming\XgqYXwkUVlBPc1D
c:\users\onlinecci\AppData\Roaming\aXwjUVelItPyAuD
c:\users\onlinecci\AppData\Roaming\sQJ7dEK8gZh
c:\users\onlinecci\AppData\Roaming\vA0uvS2ib3n5Q
c:\users\onlinecci\AppData\Roaming\OrNyA0uvSiFpGaH
c:\users\onlinecci\AppData\Roaming\NVrzONxA0c2b3n4
c:\users\onlinecci\AppData\Roaming\ztxP0ucS1b3n4m6
c:\users\onlinecci\AppData\Roaming\BK7fEL9gTqYwIrO
c:\users\onlinecci\AppData\Roaming\pQJ6dEK8fZhXjCl
c:\users\onlinecci\AppData\Roaming\qOBtz0ycAiDoFpH
c:\users\onlinecci\AppData\Roaming\I6WfLTjwVOPSbo4
c:\users\onlinecci\AppData\Roaming\Yzt0uciDn4HsKfL
c:\users\onlinecci\AppData\Roaming\PAuSipGHW7RgXYe
c:\users\onlinecci\AppData\Roaming\pIVrlONtx0c1b3n
c:\users\onlinecci\AppData\Roaming\DaQH6sWK7E9TqYw
c:\users\onlinecci\AppData\Roaming\Z44ppmmG5sQ6dK8
c:\users\onlinecci\AppData\Roaming\SuuvvD22ob
c:\users\onlinecci\AppData\Roaming\XNNNyccA1uvDob4
c:\users\onlinecci\AppData\Roaming\fQQQJ77dEK8gZ9Y

Driver::
MpKsl07275354
MpKsl11135ced
MpKsl2137a27a
MpKsl458ca2bf
MpKsl4956d41c
MpKsl63178ebf
MpKsl67784d3d
MpKsl6bea8b0d
MpKsl7c304f7c
MpKsl8b6ddcb5
MpKsl8e0e312e
MpKsl951289dc
MpKsl9e7c5956
MpKslc5152fa5
MpKslc83c607e
MpKsldafe2be9
MpKslde7aa450
MpKsle1e800f0
MpKslef39ac1e


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

    In your next post I need the following

    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   rkcmx 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 10-October 11

Posted 12 October 2011 - 05:50 PM

I am still unable to access certain programs. Either says can't access or there are no resources. Thank you for the help so far

ComboFix 11-10-12.03 - onlinecci 10/12/2011 18:31:46.2.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.1782.881 [GMT -4:00]
Running from: c:\users\onlinecci\Downloads\ComboFix.exe
Command switches used :: c:\users\onlinecci\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {DAAC1C79-1A96-9DFE-FC4C-6940214C33E6}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\NTAT7UV0sxKxs2I
c:\users\onlinecci\AppData\Roaming\aXwjUVelItPyAuD
c:\users\onlinecci\AppData\Roaming\BK7fEL9gTqYwIrO
c:\users\onlinecci\AppData\Roaming\DaQH6sWK7E9TqYw
c:\users\onlinecci\AppData\Roaming\DTXwUClzPAu
c:\users\onlinecci\AppData\Roaming\EF4amH5sW7E8RqY
c:\users\onlinecci\AppData\Roaming\fJdKf9TjeI
c:\users\onlinecci\AppData\Roaming\fQQQJ77dEK8gZ9Y
c:\users\onlinecci\AppData\Roaming\I6WfLTjwVOPSbo4
c:\users\onlinecci\AppData\Roaming\IF33nQdKRLTqjCe
c:\users\onlinecci\AppData\Roaming\iPy1v2Fm5JdKf
c:\users\onlinecci\AppData\Roaming\iUCekIBrzN
c:\users\onlinecci\AppData\Roaming\JL99gTXqjYCkIrO
c:\users\onlinecci\AppData\Roaming\JVVVrzONt
c:\users\onlinecci\AppData\Roaming\KbD3onG4aHs7EgZ
c:\users\onlinecci\AppData\Roaming\KZhTwjUCeB
c:\users\onlinecci\AppData\Roaming\mbF3pmG5aJdKfLh
c:\users\onlinecci\AppData\Roaming\NcS1ibD3oGaHsJf
c:\users\onlinecci\AppData\Roaming\NVrzONxA0c2b3n4
c:\users\onlinecci\AppData\Roaming\om6sWJ7fE8T
c:\users\onlinecci\AppData\Roaming\OrNyA0uvSiFpGaH
c:\users\onlinecci\AppData\Roaming\OzNycuvDoFpGsJd
c:\users\onlinecci\AppData\Roaming\PAuSipGHW7RgXYe
c:\users\onlinecci\AppData\Roaming\PgTZqjYCwIOPSbo
c:\users\onlinecci\AppData\Roaming\pIVrlONtx0c1b3n
c:\users\onlinecci\AppData\Roaming\PjeBPAuoFms
c:\users\onlinecci\AppData\Roaming\pQJ6dEK8fZhXjCl
c:\users\onlinecci\AppData\Roaming\Q1uv2bF4pGsJdKf
c:\users\onlinecci\AppData\Roaming\qOBtz0ycAiDoFpH
c:\users\onlinecci\AppData\Roaming\QxuSbp5JdKRhXUl
c:\users\onlinecci\AppData\Roaming\R3ppnG55QWKfjkV
c:\users\onlinecci\AppData\Roaming\R9gTZqjYCkVlNx0
c:\users\onlinecci\AppData\Roaming\sQJ7dEK8gZh
c:\users\onlinecci\AppData\Roaming\SuuvvD22ob
c:\users\onlinecci\AppData\Roaming\UmH5sQJ7dKg9YwV
c:\users\onlinecci\AppData\Roaming\vA0uvS2ib3n5Q
c:\users\onlinecci\AppData\Roaming\vPNAuSobFpGaJd8
c:\users\onlinecci\AppData\Roaming\WLZqhYCwkVlBx0c
c:\users\onlinecci\AppData\Roaming\wttxxA0uuS2ib
c:\users\onlinecci\AppData\Roaming\XgqYXwkUVlBPc1D
c:\users\onlinecci\AppData\Roaming\XNNNyccA1uvDob4
c:\users\onlinecci\AppData\Roaming\Yzt0uciDn4HsKfL
c:\users\onlinecci\AppData\Roaming\Z44ppmmG5sQ6dK8
c:\users\onlinecci\AppData\Roaming\zjUCeBPNAuSoF
c:\users\onlinecci\AppData\Roaming\ztxP0ucS1b3n4m6
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MPKSL07275354
-------\Legacy_MPKSL2137A27A
-------\Legacy_MPKSL458CA2BF
-------\Legacy_MPKSL4956D41C
-------\Legacy_MPKSL63178EBF
-------\Legacy_MPKSL67784D3D
-------\Legacy_MPKSL6BEA8B0D
-------\Legacy_MPKSL7C304F7C
-------\Legacy_MPKSL8B6DDCB5
-------\Legacy_MPKSL8E0E312E
-------\Legacy_MPKSL951289DC
-------\Legacy_MPKSL9E7C5956
-------\Legacy_MPKSLC5152FA5
-------\Legacy_MPKSLC83C607E
-------\Legacy_MPKSLDAFE2BE9
-------\Legacy_MPKSLDE7AA450
-------\Legacy_MPKSLE1E800F0
-------\Legacy_MPKSLEF39AC1E
-------\Service_MpKsl07275354
-------\Service_MpKsl11135ced
-------\Service_MpKsl2137a27a
-------\Service_MpKsl458ca2bf
-------\Service_MpKsl4956d41c
-------\Service_MpKsl63178ebf
-------\Service_MpKsl67784d3d
-------\Service_MpKsl6bea8b0d
-------\Service_MpKsl7c304f7c
-------\Service_MpKsl8b6ddcb5
-------\Service_MpKsl8e0e312e
-------\Service_MpKsl951289dc
-------\Service_MpKsl9e7c5956
-------\Service_MpKslc5152fa5
-------\Service_MpKslc83c607e
-------\Service_MpKsldafe2be9
-------\Service_MpKslde7aa450
-------\Service_MpKsle1e800f0
-------\Service_MpKslef39ac1e
.
.
((((((((((((((((((((((((( Files Created from 2011-09-12 to 2011-10-12 )))))))))))))))))))))))))))))))
.
.
2011-10-12 22:41 . 2011-10-12 22:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-12 22:06 . 2011-10-12 22:06 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{22A2D96D-49B2-4D20-B52A-978651CA2629}\offreg.dll
2011-10-12 21:49 . 2011-10-12 22:44 -------- d-----w- c:\users\onlinecci\AppData\Local\temp
2011-10-12 21:37 . 2011-09-21 13:00 7269712 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{22A2D96D-49B2-4D20-B52A-978651CA2629}\mpengine.dll
2011-10-11 07:44 . 2011-10-11 07:44 -------- d-----w- C:\found.001
2011-10-10 20:10 . 2011-10-11 07:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-10 19:39 . 2011-10-10 19:39 -------- d--h--w- c:\windows\PIF
2011-10-07 20:01 . 2011-10-11 07:56 -------- d-----w- c:\program files\STOPzilla!
2011-10-07 20:01 . 2011-10-09 21:16 -------- d-----w- c:\programdata\STOPzilla!
2011-10-07 20:01 . 2011-10-07 20:01 -------- d-----w- c:\program files\Common Files\iS3
2011-10-07 15:54 . 2011-10-09 21:21 -------- d-----w- c:\programdata\WSTB
2011-10-07 15:54 . 2011-10-07 15:54 -------- d-----w- c:\windows\Sun
2011-10-03 19:26 . 2011-10-03 19:26 -------- d-----w- c:\users\onlinecci\AppData\Local\Programs
2011-10-03 19:26 . 2011-10-03 19:26 -------- d-----r- c:\windows\system32\config\systemprofile\Virtual Machines
2011-10-03 19:26 . 2011-10-03 19:26 -------- d-----w- c:\windows\DPDrv
2011-10-01 14:35 . 2011-10-01 14:35 -------- d-----w- c:\programdata\{D3B41B92-9BC2-43EB-916A-4FA9E8191837}
2011-09-30 15:06 . 2011-10-13 01:21 -------- d-----w- C:\ConvergysHealthChecker
2011-09-16 21:07 . 2011-09-16 21:07 513952 ----a-w- c:\windows\system32\AppHardT.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-12 22:43 . 2010-10-27 00:13 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2011-10-12 22:43 . 2010-07-28 16:16 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-10-12 22:03 . 2010-10-27 00:14 17920 ----a-w- c:\windows\system32\rpcnetp.dll
2011-08-15 00:40 . 2011-08-15 00:40 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-08-15 00:40 . 2011-08-15 00:40 161792 ----a-w- c:\windows\system32\msls31.dll
2011-08-15 00:40 . 2011-08-15 00:40 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-08-15 00:40 . 2011-08-15 00:40 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-08-15 00:40 . 2011-08-15 00:40 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-08-15 00:40 . 2011-08-15 00:40 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-08-15 00:40 . 2011-08-15 00:40 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-08-15 00:40 . 2011-08-15 00:40 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-08-15 00:40 . 2011-08-15 00:40 367104 ----a-w- c:\windows\system32\html.iec
2011-08-15 00:40 . 2011-08-15 00:40 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-08-15 00:40 . 2011-08-15 00:40 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-15 00:40 . 2011-08-15 00:40 152064 ----a-w- c:\windows\system32\wextract.exe
2011-08-15 00:40 . 2011-08-15 00:40 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-08-15 00:40 . 2011-08-15 00:40 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-08-15 00:40 . 2011-08-15 00:40 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-15 00:40 . 2011-08-15 00:40 11776 ----a-w- c:\windows\system32\mshta.exe
2011-08-15 00:40 . 2011-08-15 00:40 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-08-15 00:40 . 2011-08-15 00:40 101888 ----a-w- c:\windows\system32\admparse.dll
2011-07-16 04:37 . 2011-08-10 11:06 169984 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 04:34 . 2011-08-10 11:06 290816 ----a-w- c:\windows\system32\KernelBase.dll
2011-07-16 04:31 . 2011-08-10 11:06 271360 ----a-w- c:\windows\system32\conhost.exe
2011-07-16 04:19 . 2011-08-10 11:06 4608 ---ha-w- c:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 4096 ---ha-w- c:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 4096 ---ha-w- c:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 4096 ---ha-w- c:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 5120 ---ha-w- c:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-07-16 04:19 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 11:06 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 11:06 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 11:06 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21 . 2011-08-10 11:06 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-02-10 1515576]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-02-22 2363392]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QLBController"="c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe" [2010-03-01 256056]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2010-03-06 563736]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe" [2010-04-05 1691192]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-28 1721640]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-04-05 8192]
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe" [2009-06-03 153640]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe" [2009-06-03 400936]
"File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2010-01-19 11266048]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-04-08 102400]
"HP Connection Manager.exe"="c:\program files\Hewlett-Packard\HP Connection Manager\HP Connection Manager.exe" [2010-03-13 1119048]
"estar"="c:\system.sav\Util\HideDOS.EXE" [2006-11-28 77824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-25 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" [2009-12-03 3331944]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-03-17 495708]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2009-12-07 18:36 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 136176]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R2 SMManager;HP Connection Manager Service;c:\program files\Hewlett-Packard\HP Connection Manager\SMManager.exe [2010-03-13 82760]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-02-18 1664304]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [2009-10-21 32312]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2009-12-07 362040]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 136176]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\DRIVERS\qcfilterhp2k.sys [2010-03-15 5248]
R3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\DRIVERS\qcusbnethp2k.sys [2010-03-15 208384]
R3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\DRIVERS\qcusbserhp2k.sys [2010-03-15 106880]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-11-23 1120752]
R3 rtsuvc;Realtek USB2.0 PC Camera;c:\windows\system32\DRIVERS\rtsuvc.sys [2010-01-30 73344]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\DRIVERS\vpcuxd.sys [2010-06-21 12800]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-25 1343400]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 64288]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 RsvLock;RsvLock; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 207400]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_7b6e808b01435efc\aestsrv.exe [2009-03-03 81920]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-04-08 172032]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2010-04-05 103992]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2010-10-19 32768]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-06-21 85560]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-04-05 103992]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [2010-03-25 90112]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [2010-02-02 281192]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [2010-01-19 297984]
S2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [2010-03-01 264248]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-05 26168]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2010-03-06 635416]
S2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\QUALCOMM\QDLService2k\QDLService2kHP.exe [2010-03-15 331000]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-10-29 47616]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-12-12 38912]
S2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\Rpcnet\Bin\rpcld.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-04-08 5429760]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-04-08 157184]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-01-07 29472]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2010-01-08 316416]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-02-22 18:38 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 17:11]
.
2011-10-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-09 17:11]
.
2011-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-806783369-3586686801-2702779342-1003Core.job
- c:\users\onlinecci\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-12 21:10]
.
2011-10-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-806783369-3586686801-2702779342-1003UA.job
- c:\users\onlinecci\AppData\Local\Google\Update\GoogleUpdate.exe [2011-03-12 21:10]
.
2011-10-01 c:\windows\Tasks\HPCeeScheduleForonlinecci.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cci.edu/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: convergysworkathome.com\www
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: DhcpNameServer = 192.168.21.199 209.18.47.61 209.18.47.62
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}: NameServer = 192.168.2.1,209.18.47.61
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\037364851313030353432363: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\2656C6B696E6534376: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\3507565646C496E6B637: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\8497164747: NameServer = 156.154.70.22,156.154.71.22
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\D41445453575942554C4543535: NameServer = 156.154.70.22,156.154.71.22
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
FF - ProfilePath - c:\users\onlinecci\AppData\Roaming\Mozilla\Firefox\Profiles\yt4mj28p.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{21FA44EF-376D-4D53-9B0F-8A89D3229068}"=hex:51,66,7a,6c,4c,1d,38,12,81,47,e9,
25,5f,79,3d,08,e4,19,c9,c9,d6,7c,d4,7c
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"=hex:51,66,7a,6c,4c,1d,38,12,57,36,90,
43,f7,9e,4b,04,e0,be,4b,59,e7,b4,e8,87
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,
02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3134413B-49B4-425C-98A5-893C1F195601}"=hex:51,66,7a,6c,4c,1d,38,12,55,42,27,
35,86,07,32,07,e7,b3,ca,7c,1a,47,12,15
"{395610AE-C624-4F58-B89E-23733EA00F9A}"=hex:51,66,7a,6c,4c,1d,38,12,c0,13,45,
3d,16,88,36,0a,c7,88,60,33,3b,fe,4b,8e
"{6EBF7485-159F-4BFF-A14F-B9E3AAC4465B}"=hex:51,66,7a,6c,4c,1d,38,12,eb,77,ac,
6a,ad,5b,91,0e,de,59,fa,a3,af,9a,02,4f
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AE7CD045-E861-484F-8273-0445EE161910}"=hex:51,66,7a,6c,4c,1d,38,12,2b,d3,6f,
aa,53,a6,21,0d,fd,65,47,05,eb,48,5d,04
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}"=hex:51,66,7a,6c,4c,1d,38,12,ae,8e,49,
e5,24,cb,cf,07,fe,fc,9f,d4,e9,44,8b,04
"{F4971EE7-DAA0-4053-9964-665D8EE6A077}"=hex:51,66,7a,6c,4c,1d,38,12,89,1d,84,
f0,92,94,3d,05,e6,72,25,1d,8b,b8,e4,63
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:16,05,42,2e,7f,6c,cc,01
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5348)
c:\program files\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFTaskbar.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_7b6e808b01435efc\STacSV.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\rpcnet.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\sppsvc.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
c:\program files\Hewlett-Packard\Shared\hpCaslNotification.exe
c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-10-12 18:48:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-12 22:48
ComboFix2.txt 2011-10-12 21:57
.
Pre-Run: 90,997,735,424 bytes free
Post-Run: 90,699,436,032 bytes free
.
- - End Of File - - 7181C3EACA66B527625013AF2A426442

#6 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,507
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 12 October 2011 - 06:13 PM

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0

Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   rkcmx 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 10-October 11

Posted 12 October 2011 - 06:34 PM

Just creates a blank log

#8 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,507
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 12 October 2011 - 06:54 PM

Hello

1. make sure junction.exe is on the C drive

2.click on start

3. click on run

4. type CMD into the run box and click on OK

5. copy and paste thes line into the CMD window


    cd c:\
    junction -s c:\>log.txt
    start log.txt


6. wait about 5 min untill the report popsup

7.copy and paste this report here

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   rkcmx 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 10-October 11

Posted 12 October 2011 - 08:02 PM

Still blank

#10 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,507
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 12 October 2011 - 09:01 PM

Hello

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is offline   rkcmx 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 10-October 11

Posted 14 October 2011 - 11:09 PM

The file was too big to upload in one file and too long to post so I am doing it in two parts

Attached File(s)


#12 User is offline   rkcmx 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 9
  • Joined: 10-October 11

Posted 14 October 2011 - 11:10 PM

And now I can't upload the 2nd part, saying too big. Sorry

#13 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,507
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 15 October 2011 - 01:42 AM

upload it to mediafire.com and send me the link



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#14 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,507
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 18 October 2011 - 08:00 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#15 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,507
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 21 October 2011 - 01:41 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users