also @ TechSpot: Windows 8 Release Preview leaked, Microsoft may raise OEM prices

TechSpot

TechSpot News Products Downloads Forums

[Active] Redirect virus on Firefox and Chrome

Discussion in 'Virus and Malware Removal' started by coga2222, Jul 7, 2011.

Thread Status:: Not open for further replies.

Page 1 of 2

coga2222 Newcomer, in training

Hi, my name is Dave. I recently was infected with a re-direct virus that re-directs virtually all google searches to Edit: Search hyperlink deleted by Bobbye, and almost all searches on Chrome, regardless of engine, to scour.com. Any help is appreciated!! I will post my logs from the 7 step process above as soon as possible. Thanks!!

coga2222, Jul 7, 2011

#1
coga2222 Newcomer, in training

MBAM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7043

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/7/2011 3:37:34 PM
mbam-log-2011-07-07 (15-37-34).txt

Scan type: Quick scan
Objects scanned: 255927
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\Users\administrator.dellimagelt\AppData\Roaming\microsoft\conhost.exe (Backdoor.Bot) -> 8704 -> Unloaded process successfully.
c:\Users\administrator.dellimagelt\AppData\Roaming\dwm.exe (Backdoor.Bot) -> 8412 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Backdoor.Bot) -> Value: conhost -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Value: Load -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.Bot) -> Bad: (C:\Users\ADMINI~1.DEL\AppData\Local\Temp\csrss.exe) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\administrator.dellimagelt\AppData\Roaming\microsoft\conhost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Users\administrator.dellimagelt\AppData\Roaming\dwm.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\Users\Administrator.DELLIMAGELT\AppData\Local\Temp\csrss.exe (Backdoor.Bot) -> Delete on reboot.

coga2222, Jul 7, 2011

#2
coga2222 Newcomer, in training

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-07-07 16:02:20
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD16 rev.01.0
Running: hmy9q3r9.exe; Driver: C:\Users\ADMINI~1.DEL\AppData\Local\Temp\kxldapow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs VBFilter.Sys (Vexira Antivirus Filter Driver for Windows 2000/XP/2003/Central Command, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat VBFilter.Sys (Vexira Antivirus Filter Driver for Windows 2000/XP/2003/Central Command, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 mekbd.sys (WDM Filter keyboard driver/GenevaLogic AG)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 mekbd.sys (WDM Filter keyboard driver/GenevaLogic AG)

---- EOF - GMER 1.0.15 ----

coga2222, Jul 7, 2011

#3
coga2222 Newcomer, in training

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Administrator at 16:14:47 on 2011-07-07
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3510.2195 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Vexira Antivirus Professional *Disabled/Updated* {23EEBC0C-807F-7CD1-F670-11B63CF63BB9}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\GenevaLogic\Vision\XL\mesuwts.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Vexira Antivirus\Professional\Bin\vbcmserv.exe
c:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\GenevaLogic\Vision\XL\MeSuAx.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\GenevaLogic\Vision\Chat\MChat.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Vexira Antivirus\Professional\Bin\vbsystry.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\genevalogic\Vision\XL\MeUiHlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\Aware.exe
C:\Program Files\SMART Technologies\SMART Product Drivers\Marker.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\BtAssist.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\wuauclt.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\mobsync.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyServer = http=127.0.0.1:64404
uInternet Settings,ProxyOverride = <local>;*.local
BHO: {03d4e038-9a50-4f3f-9817-4140e13498a0} - c:\windows\system32\AmRes_fi32.dll
BHO: txthlpBHO Class: {060235dc-6d84-47bd-95d7-a4ef5099a59d} - c:\progra~1\texthe~1\readan~1\TEXTHE~3.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\smart notebook\NotebookPlugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dw wlan card\WLTRAY.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SMART Board Service] c:\program files\smart technologies\smart product drivers\SMARTBoardService.exe
mRun: [SMART SNMP Agent] c:\program files\smart technologies\smart product drivers\SMARTSNMPAgent.exe -e
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [VBSysTrayProf] "c:\program files\vexira antivirus\professional\bin\vbsystry.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MeUiHelper] c:\program files\genevalogic\vision\xl\meuihlp.exe
mRun: [MeControlDL] c:\program files\genevalogic\vision\xl\MeSuAx.exe /DetectLogin
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\smartb~1.lnk - c:\program files\smart technologies\smart product drivers\SMARTBoardTools.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
TCP: Interfaces\{21D9E470-2EFF-4F51-A138-C83482008B38} : DhcpNameServer = 10.10.10.3 10.10.10.4
TCP: Interfaces\{9D1645E5-6AAD-4F80-8958-91CF7D29A1A6} : DhcpNameServer = 192.168.1.1 71.250.0.12
TCP: Interfaces\{9D1645E5-6AAD-4F80-8958-91CF7D29A1A6}\34F67616E6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9D1645E5-6AAD-4F80-8958-91CF7D29A1A6}\6427565666F627D456 : DhcpNameServer = 68.87.64.150 68.87.75.198
TCP: Interfaces\{9D1645E5-6AAD-4F80-8958-91CF7D29A1A6}\94E434C455445413 : DhcpNameServer = 10.10.10.3 10.10.10.4
TCP: Interfaces\{9D1645E5-6AAD-4F80-8958-91CF7D29A1A6}\C41677E63796465614055303 : DhcpNameServer = 172.16.32.242 172.16.32.244 172.16.32.240
TCP: Interfaces\{9D1645E5-6AAD-4F80-8958-91CF7D29A1A6}\D43544F575962756C6563737 : DhcpNameServer = 10.10.10.3 10.10.10.4
TCP: Interfaces\{9D1645E5-6AAD-4F80-8958-91CF7D29A1A6}\E6564776561627D213 : DhcpNameServer = 10.10.10.3 10.10.10.4
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator.dellimagelt\appdata\roaming\mozilla\firefox\profiles\erd168px.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-27 64288]
R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdfltn.sys [2010-10-21 17072]
R0 VBRec;VBRec;c:\windows\system32\drivers\vbrec.sys [2010-5-18 20352]
R1 MENET;MENET;c:\windows\system32\drivers\MeNet.sys [2007-8-21 50424]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2010-10-21 81920]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2010-5-10 1803584]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2009-11-4 114688]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2010-2-8 386928]
R2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometerp11\InstallFilterService.exe [2010-10-21 60928]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-18 366640]
R2 MeSuWTS;Vision WTS Helper;c:\program files\genevalogic\vision\xl\mesuwts.exe [2007-8-21 107768]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-8-27 59904]
R2 VAServProf;Vexira Antivirus Professional;c:\program files\vexira antivirus\professional\bin\vbcmserv.exe [2010-5-19 97592]
R2 VBShld;VBShld;c:\windows\system32\drivers\vbshld.sys [2010-5-18 156112]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2010-10-21 42672]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2010-8-27 274984]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-8-27 132480]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-8-27 232960]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-18 22712]
R3 meddmrr;meddmrr;c:\windows\system32\drivers\meddmrr.sys [2007-8-21 10488]
R3 mekbd;mekbd;c:\windows\system32\drivers\mekbd.sys [2010-10-26 12800]
R3 memice;memice;c:\windows\system32\drivers\memice.sys [2010-10-26 11264]
R3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\drivers\SMARTMouseFilterx86.sys [2010-6-15 11048]
R3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\drivers\SMARTVHidMini2000x86.sys [2010-6-15 14120]
R3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\drivers\SMARTVTabletPCx86.sys [2010-6-15 13440]
R3 VBEngNT;VBEngNT;c:\windows\system32\drivers\vbengnt.sys [2010-5-13 237664]
R3 VBFilter;VBFilter;c:\windows\system32\drivers\vbfilter.sys [2010-5-18 27424]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DPS32;Diagnostic Policy Service ;c:\windows\system32\wdc32.exe --> c:\windows\system32\wdc32.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-27 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-27 136176]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 2151128]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-18 39984]
S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-8-27 48640]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-8-27 38912]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-10-26 1343400]
.
=============== Created Last 30 ================
.
2011-06-27 21:18:55 1152 ----a-w- c:\windows\system32\windrv.sys
2011-06-27 21:18:45 -------- d-----w- c:\program files\SpyNoMore
2011-06-22 21:03:22 -------- d-sh--w- C:\$RECYCLE.BIN
2011-06-22 20:28:59 98816 ----a-w- c:\windows\sed.exe
2011-06-22 20:28:59 518144 ----a-w- c:\windows\SWREG.exe
2011-06-22 20:28:59 256512 ----a-w- c:\windows\PEV.exe
2011-06-22 20:28:59 208896 ----a-w- c:\windows\MBR.exe
2011-06-19 15:38:14 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-19 04:52:41 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-18 20:57:36 -------- d-----w- c:\users\administrator.dellimagelt\appdata\roaming\Malwarebytes
2011-06-18 20:56:49 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-18 20:56:47 -------- d-----w- c:\programdata\Malwarebytes
2011-06-18 20:56:44 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-18 20:56:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-13 11:44:44 365056 ----a-w- c:\windows\system32\AmRes_fi32.dll
.
==================== Find3M ====================
.
.
============= FINISH: 16:15:54.43 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/26/2010 8:14:12 AM
System Uptime: 7/7/2011 4:09:05 PM (0 hours ago)
.
Motherboard: Dell Inc. | |
Processor: Intel(R) Core(TM) i3 CPU M 370 @ 2.40GHz | CPU 1 | 911/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 127 GiB total, 96.243 GiB free.
E: is FIXED (NTFS) - 8 GiB total, 7.359 GiB free.
G: is CDROM ()
V: is FIXED (FAT) - 0 GiB total, 0.037 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP24: 1/7/2011 10:47:18 AM - Installed Bluetooth Stack for Windows by Toshiba.
RP25: 1/7/2011 11:14:22 AM - Removed Bluetooth Stack for Windows by Toshiba.
RP26: 1/7/2011 11:16:30 AM - Installed Bluetooth Stack for Windows by Toshiba.
RP27: 2/12/2011 5:37:52 PM - Scheduled Checkpoint
RP28: 2/21/2011 12:08:51 PM - Scheduled Checkpoint
RP29: 5/16/2011 7:17:27 AM - Installed iTunes
RP30: 6/22/2011 4:29:13 PM - ComboFix created restore point
.
==== Installed Programs ======================
.
AccelerometerP11
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AuthenTec Fingerprint Software
BioAPI Framework
Bluetooth Stack for Windows by Toshiba
Bonjour
Broadcom NetXtreme-I Netlink Driver and Management Installer
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Dell Control Point
Dell ControlPoint Security Manager
Dell ControlPoint System Manager
Dell Edoc Viewer
Dell Embassy Trust Suite by Wave Systems
Dell Security Device Driver Pack
Dell Touchpad
Document Manager Lite
DW WLAN Card Utility
EMBASSY Security Center
EMBASSY Security Setup
ESC Home Page Plugin
Gemalto
Google Chrome
Google Update Helper
Inspiration 8
InspireData
Intel(R) Graphics Media Accelerator Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 22
Junk Mail filter update
Kidspiration 3
LessonView
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox 4.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Norton Security Scan
NTRU TCG Software Stack
O2Micro OZ776 SCR Driver
PowerDVD DX
PowerTeacher Gradebook
Preboot Manager
Private Information Manager
QuickTime
Read And Write 8.1 Gold
Security Wizards
Sketchpad
SMART Notebook
SMART Product Drivers
SpyNoMore 2.98
TeacherEXPRESS: Grade 7 Connected Mathematics 2
TeacherEXPRESS: Grade 8 Connected Mathematics 2
Trusted Drive Manager
UPEK TouchChip Fingerprint Reader
Vexira Antivirus Professional
Vision*6
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Wave Infrastructure Installer
Wave Support Software
Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (05/13/2009 8.4.2.0)
Windows Driver Package - Dell Inc. PBADRV System (09/11/2009 1.0.1.6)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
.
==== Event Viewer Messages From Past Week ========
.
7/7/2011 4:11:40 PM, Error: Microsoft-Windows-WMPNSS-Service [14324] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(WindowsMediaPlayer) encountered error '0x80004002'. If possible, reinstall Windows Media Player.
7/7/2011 4:10:01 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
7/7/2011 4:09:27 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain MSD due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
7/7/2011 4:09:25 PM, Error: Service Control Manager [7001] - The NTRU TSS v1.2.1.29 TCS service depends on the TPM Base Services service which failed to start because of the following error: The operation completed successfully.
7/7/2011 3:40:02 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
.
==== End Of File ===========================

coga2222, Jul 7, 2011

#4
Bobbye Helper on the Fringe

I'll be back to review the logs. Just wanted to tell you that I am deleting the other thread you started.

Bobbye, Jul 7, 2011

#5
coga2222 Newcomer, in training

Sorry about that... completely unintentional. For some reason it didn't show up when I looked the first time and I figured I closed the window without hitting submit correctly... my apologies and I really appreciate your help!

coga2222, Jul 7, 2011

#6
Bobbye Helper on the Fringe
You are running 2 antivirus programs. Please remove one of them:
Norton Security Scan> to uninstall run Norton Removal Tool
Vexira Antivirus Professional>> is this through a work environment?

Please reboot the computer when finished.
============================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HERE and save to the desktop

Double click combofix.exe & follow the prompts.

ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

.Click on Yes, to continue scanning for malware

.If Combofix asks you to update the program, allow

.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

.Close any open browsers.

.Double click combofix.exe & follow the prompts to run.

When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==================================

Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESETOnlineScan

For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
[o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
[o] Double click on the on your desktop.

Check 'Yes I accept terms of use.'

Click Start button

Accept any security warnings from your browser.

Uncheck 'Remove found threats'

Check 'Scan archives/

Leave remaining settings as is.

Press the Start button.

ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.

When the scan completes, press List of found threats

Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.

Push the Back button

Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

I have found some of the entries we will need to remove, but I need to review the result of the 2 scans above for additional entries.
Bobbye, Jul 8, 2011

#7
coga2222 Newcomer, in training

ComboFix 11-07-08.03 - Administrator 07/08/2011 22:51:34.3.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3510.2123 [GMT -4:00]
Running from: c:\users\Administrator.DELLIMAGELT\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Vexira Antivirus Professional *Disabled/Updated* {23EEBC0C-807F-7CD1-F670-11B63CF63BB9}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome.manifest
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome\xulcache.jar
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\defaults\preferences\xulcache.js
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\install.rdf
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome.manifest
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome\xulcache.jar
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\defaults\preferences\xulcache.js
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\install.rdf
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome.manifest
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome\xulcache.jar
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\defaults\preferences\xulcache.js
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\install.rdf
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome.manifest
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome\xulcache.jar
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\defaults\preferences\xulcache.js
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\install.rdf
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome.manifest
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome\xulcache.jar
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\defaults\preferences\xulcache.js
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\install.rdf
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome.manifest
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome\xulcache.jar
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\defaults\preferences\xulcache.js
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\install.rdf
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome.manifest
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome\xulcache.jar
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\defaults\preferences\xulcache.js
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\install.rdf
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome.manifest
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome\xulcache.jar
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\defaults\preferences\xulcache.js
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\install.rdf
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome.manifest
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome\xulcache.jar
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\defaults\preferences\xulcache.js
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\install.rdf
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome.manifest
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome\xulcache.jar
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\defaults\preferences\xulcache.js
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\install.rdf
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome.manifest
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome\xulcache.jar
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\defaults\preferences\xulcache.js
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\install.rdf
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome.manifest
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome\xulcache.jar
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\defaults\preferences\xulcache.js
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\install.rdf
.
.
((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
.
.
2011-07-09 02:59 . 2011-07-09 02:59 -------- d-----w- c:\users\open\AppData\Local\temp
2011-07-09 02:59 . 2011-07-09 02:59 -------- d-----w- c:\users\mmeyer\AppData\Local\temp
2011-07-09 02:59 . 2011-07-09 02:59 -------- d-----w- c:\users\magnolia sc\AppData\Local\temp
2011-07-09 02:59 . 2011-07-09 02:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-09 02:59 . 2011-07-09 02:59 -------- d-----w- c:\users\administrator\AppData\Local\temp
2011-07-09 02:59 . 2011-07-09 02:59 -------- d-----w- c:\users\516\AppData\Local\temp
2011-07-09 02:59 . 2011-07-09 02:59 -------- d-----w- c:\users\_sjtp_tech\AppData\Local\temp
2011-06-27 21:18 . 2011-06-27 21:18 1152 ----a-w- c:\windows\system32\windrv.sys
2011-06-27 21:18 . 2011-07-08 05:59 -------- d-----w- c:\program files\SpyNoMore
2011-06-19 15:38 . 2011-04-21 21:56 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-19 04:52 . 2011-06-19 04:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-18 20:57 . 2011-06-18 20:57 -------- d-----w- c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Malwarebytes
2011-06-18 20:56 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-18 20:56 . 2011-06-18 20:56 -------- d-----w- c:\programdata\Malwarebytes
2011-06-18 20:56 . 2011-06-18 20:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-18 20:56 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-13 11:44 . 2011-06-13 11:44 365056 ----a-w- c:\windows\system32\AmRes_fi32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-09 02:13 . 2010-11-06 17:50 0 ----a-w- c:\users\Administrator.DELLIMAGELT\AppData\Local\WavXMapDrive.bat
2011-07-07 20:56 . 2010-12-27 21:42 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-17 18:30 . 2010-10-26 18:08 0 ----a-w- c:\users\open\AppData\Local\WavXMapDrive.bat
2011-05-17 00:00 . 2011-05-17 00:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03D4E038-9A50-4F3F-9817-4140E13498A0}]
2011-06-13 11:44 365056 ----a-w- c:\windows\System32\AmRes_fi32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-05-25 495708]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-26 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-26 169496]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-01 5249024]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-07-21 147840]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-06-22 34232]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"SMART Board Service"="c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe" [2010-07-15 5350288]
"SMART SNMP Agent"="c:\program files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe" [2010-07-15 1662352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"VBSysTrayProf"="c:\program files\Vexira Antivirus\Professional\Bin\vbsystry.exe" [2010-05-26 385976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MeUiHelper"="c:\program files\GenevaLogic\Vision\XL\meuihlp.exe" [2007-08-21 83192]
"MeControlDL"="c:\program files\genevalogic\Vision\XL\MeSuAx.exe" [2007-08-21 328952]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SNM"="c:\program files\SpyNoMore\SNM.exe" [2010-07-12 1067984]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-8-26 2684256]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2010-2-8 1327472]
SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe [2010-7-15 12375952]
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-3-29 132456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 DPS32;Diagnostic Policy Service ;c:\windows\system32\wdc32.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-27 136176]
R2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-01-10 60928]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-27 136176]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-06-28 2151640]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]
R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2010-03-21 48640]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2010-03-21 38912]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-26 1343400]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 17072]
S0 VBRec;VBRec;c:\windows\System32\Drivers\VBRec.Sys [2010-05-18 20352]
S1 MENET;MENET;c:\windows\system32\Drivers\MENET.SYS [2007-08-21 50424]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2010-05-25 81920]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2010-05-10 1803584]
S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [2009-11-04 114688]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-11-20 278304]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2010-02-08 386928]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S2 MeSuWTS;Vision WTS Helper;c:\program files\GenevaLogic\Vision\XL\mesuwts.exe [2007-08-21 107768]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-03-21 59904]
S2 VAServProf;Vexira Antivirus Professional;c:\program files\Vexira Antivirus\Professional\Bin\vbcmserv.exe [2010-05-19 97592]
S2 VBShld;VBShld;c:\windows\system32\Drivers\VBShld.Sys [2010-05-18 156112]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-01-18 42672]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-26 132480]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-02 232960]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-05-29 22712]
S3 meddmrr;meddmrr;c:\windows\system32\DRIVERS\meddmrr.sys [2007-08-21 10488]
S3 mekbd;mekbd;c:\windows\system32\Drivers\mekbd.sys [2010-10-26 12800]
S3 memice;memice;c:\windows\system32\Drivers\memice.sys [2010-10-26 11264]
S3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx86.sys [2010-06-15 11048]
S3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [2010-06-15 14120]
S3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx86.sys [2010-06-15 13440]
S3 VBEngNT;VBEngNT;c:\windows\system32\Drivers\VBEngNT.Sys [2010-05-13 237664]
S3 VBFilter;VBFilter;c:\windows\system32\Drivers\VBFilter.Sys [2010-05-18 27424]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - VBCoreNT.0
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-27 21:38]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-27 21:38]
.
2011-07-08 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Engine\3.0.0.103\Nss.exe [2011-02-18 07:25]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:64404
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
FF - ProfilePath - c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBCoreNT.0]
"ImagePath"="\Device\HarddiskVolume3\Program Files\Vexira Antivirus\Professional\Temp\e6ab0uci.vbt"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,b5,e7,98,e7,6f,f1,40,a6,56,96,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,b5,e7,98,e7,6f,f1,40,a6,56,96,\
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AVI"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cdda"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipa"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipg"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipsw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipsw"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itdb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itdb"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ite\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ite"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itl"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itlp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itlp"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itls"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itms"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itpc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itpc"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.m3u"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u8\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u8"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M4A"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4b"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4p"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4r\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4r"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mod\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MOV"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcast\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pcast"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pls"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wave\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wave"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.glcx\{656E6547-6176-6F4C-6769-63204C696331}* ]
"{03105F08-1C06-7704-7661-7204706F6060}"=hex:00,00,00,00,da,07,0a,00,02,00,1a,
00,12,00,04,00,1b,00,b6,03,1e,00,00,00,1f,1f,1f,1f,da,07,0a,00,02,00,1a,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-07-08 23:01:21
ComboFix-quarantined-files.txt 2011-07-09 03:01
ComboFix2.txt 2011-06-22 21:04
.
Pre-Run: 104,409,784,320 bytes free
Post-Run: 104,770,523,136 bytes free
.
- - End Of File - - 0D2FF8A69C006A387A7F3571FC0F478B

coga2222, Jul 8, 2011

#8
coga2222 Newcomer, in training

Eset Results

C:\Qoobox\Quarantine\C\ProgramData\AmRes_fi32.dll.vir a variant of Win32/Kryptik.PQF trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{8cef0456-c220-4c9b-9394-a6c03fe71a99}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{8cef0456-c220-4c9b-9394-a6c03fe71a99}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{f8824da4-39c2-4bef-aa70-87f3dbbd75c7}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{f8824da4-39c2-4bef-aa70-87f3dbbd75c7}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{8cef0456-c220-4c9b-9394-a6c03fe71a99}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{8cef0456-c220-4c9b-9394-a6c03fe71a99}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{f8824da4-39c2-4bef-aa70-87f3dbbd75c7}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{f8824da4-39c2-4bef-aa70-87f3dbbd75c7}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{8cef0456-c220-4c9b-9394-a6c03fe71a99}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{8cef0456-c220-4c9b-9394-a6c03fe71a99}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ac4107df-a5cd-4abe-95a0-acf933bdb6e1}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{ad467c1d-1b8a-4cfc-9044-45837f10b4f1}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{d9f65a27-ddaf-413e-83bf-8e4efcb37afc}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{e4450701-dcf3-465a-88fa-f6e970d5c345}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{f8824da4-39c2-4bef-aa70-87f3dbbd75c7}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
C:\Qoobox\Quarantine\C\Users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{f8824da4-39c2-4bef-aa70-87f3dbbd75c7}\chrome\xulcache.jar.vir JS/Agent.NDB trojan
C:\Users\Administrator.DELLIMAGELT\AppData\Local\Google\Chrome\User Data\Default\Default\nmfafonanfpojnioboldigmfocfgkcpj\contentscript.js Win32/TrojanDownloader.Tracur.F trojan
C:\Users\Administrator.DELLIMAGELT\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\73190831-789cfba9 a variant of Java/Exploit.CVE-2010-4452.A trojan
C:\Windows\System32\AmRes_fi32.dll a variant of Win32/Kryptik.OKQ trojan

coga2222, Jul 9, 2011

#9
Bobbye Helper on the Fringe
Okay- everything you see in the Eset log in Qoobox has already been quarantined by Combofix and is not active in the system. For the other:

Please download OTMovit by Old Timer and save to your desktop.

Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:

:Files C:\Users\Administrator.DELLIMAGELT\AppData\Local\Google\Chrome\User Data\Default\Default\nmfafonanfpojnioboldigmfocfgkcpj\contentscript.js C:\Users\Administrator.DELLIMAGELT\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\73190831-789cfba9 C:\Windows\System32\AmRes_fi32.dll :Commands [purity] [emptytemp] [start explorer] [Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.

Click the red Moveit! button.

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================================
And the Java cache also need to be emptied:

. Click Start > Control Panel.

. Double-click the Java icon in the Control Panel.

. Click Settings under Temporary Internet Files.
http://www.java.com/en/img/download/5000020303.jpg[/b]
There are three options on this window to clear the cache.(Version dependent)
[o]. Delete Files
[o]. View Applications
[o]. View Applets
[*]. Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
[*]. Click OK on Temporary Files Settings window. [/list]
========================================
Please note: I am seeing a lot of malware in the Java cache. And every time I see it in a lot, the user has one or more outdated versions if Java. The most current version is v6u26. You have Java(TM) 6 Update 22. That is a vulnerability to the system.
Please update: [url=http://www.java.com/en/download/manual.jsp][b][color=blue]Java Updates[/b][/color][/url] . Uninstall any earlier versions in Add/Remove Programs.

[b]Note: Uncheck 'Install Yahoo Toolbar' on the download screen [u]before[/u] you do the update.[/b]
=========================================
Go ahead with the above. I'm going to check the Combofix log.

[b]Edit: Question: Are some users unable to use the [b]Windows Media Player 11[/b]? If so, some entries may need to made for the Registry.
Bobbye, Jul 10, 2011

#10

Bobbye Helper on the Fringe

When you have finished with my Reply #10:

Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\wdc32.exe
FileLook::
c:\windows\system32\AmRes_fi32.dll
Folder::
c:\users\mmeyer\AppData\Local\temp
c:\users\magnolia sc\AppData\Local\temp
c:\users\Default\AppData\Local\temp
c:\users\administrator\AppData\Local\temp
c:\users\516\AppData\Local\temp
c:\users\_sjtp_tech\AppData\Local\temp
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:64404
BHO: {03d4e038-9a50-4f3f-9817-4140e13498a0} - c:\windows\system32\AmRes_fi32.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03D4E038-9A50-4F3F-9817-4140E13498A0}]
RegNull::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.glcx\{656E6547-6176-6F4C-6769-63204C696331}* ]
RegLock::
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Internet Explorer\User Preferences]
Driver::
DPS32
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================

Bobbye, Jul 10, 2011

#11

coga2222 Newcomer, in training

Java Updated- I had to run OTMoveit twice... It froze the first time and I had to restart my comp without being prompted.... I do not know if this had any effect on the logs, though I cannot locate another log file. Thanks again for your help!

All processes killed
========== FILES ==========
File/Folder C:\Users\Administrator.DELLIMAGELT\AppData\Local\Google\Chrome\User Data\Default\Default\nmfafonanfpojnioboldigmfocfgkcpj\contentscript.js not found.
File/Folder C:\Users\Administrator.DELLIMAGELT\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\73190831-789cfba9 not found.
File/Folder C:\Windows\System32\AmRes_fi32.dll not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: 324
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: 516
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.DELLIMAGELT
->Temp folder emptied: 149424 bytes
->Temporary Internet Files folder emptied: 3513949 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 6450205 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: magnolia sc
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: mmeyer
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: open
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 2103593 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 56958 bytes

User: Public
->Temp folder emptied: 0 bytes

User: _sjtp_tech
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56502 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1024 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 12.00 mb

OTM by OldTimer - Version 3.1.18.0 log created on 07102011_223713

coga2222, Jul 10, 2011

#12
coga2222 Newcomer, in training

ComboFix 11-07-10.05 - Administrator 07/10/2011 23:06:10.4.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3510.2220 [GMT -4:00]
Running from: c:\users\Administrator.DELLIMAGELT\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator.DELLIMAGELT\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Vexira Antivirus Professional *Disabled/Updated* {23EEBC0C-807F-7CD1-F670-11B63CF63BB9}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\wdc32.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\_sjtp_tech\AppData\Local\temp
c:\users\516\AppData\Local\temp
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\chrome.manifest
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\chrome\xulcache.jar
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\defaults\preferences\xulcache.js
c:\users\516\AppData\Roaming\Mozilla\Firefox\Profiles\r3o80w56.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\install.rdf
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\chrome.manifest
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\chrome\xulcache.jar
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\defaults\preferences\xulcache.js
c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\install.rdf
c:\users\administrator\AppData\Local\temp
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\chrome.manifest
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\chrome\xulcache.jar
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\defaults\preferences\xulcache.js
c:\users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\moahyg9w.default\extensions\{1f79d4ae-f1ed-48ca-83e1-4b7665761d00}\install.rdf
c:\users\Default\AppData\Local\temp
c:\users\magnolia sc\AppData\Local\temp
c:\users\mmeyer\AppData\Local\temp
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_DPS32
.
.
((((((((((((((((((((((((( Files Created from 2011-06-11 to 2011-07-11 )))))))))))))))))))))))))))))))
.
.
2011-07-11 03:13 . 2011-07-11 03:13 -------- d-----w- c:\users\open\AppData\Local\temp
2011-07-11 03:13 . 2011-07-11 03:13 -------- d-----w- c:\users\324\AppData\Local\temp
2011-07-11 02:49 . 2011-07-11 02:49 -------- d-----w- c:\program files\Common Files\Java
2011-07-11 02:48 . 2011-07-11 02:48 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-07-11 02:35 . 2011-07-11 02:35 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-07-11 02:35 . 2011-07-11 02:35 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-07-11 02:26 . 2011-07-11 02:26 -------- d-----w- C:\_OTM
2011-07-09 03:06 . 2011-07-09 03:06 -------- d-----w- c:\program files\ESET
2011-06-27 21:18 . 2011-06-27 21:18 1152 ----a-w- c:\windows\system32\windrv.sys
2011-06-27 21:18 . 2011-07-08 05:59 -------- d-----w- c:\program files\SpyNoMore
2011-06-19 15:38 . 2011-04-21 21:56 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-06-19 04:52 . 2011-06-19 04:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-18 20:57 . 2011-06-18 20:57 -------- d-----w- c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Malwarebytes
2011-06-18 20:56 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-18 20:56 . 2011-06-18 20:56 -------- d-----w- c:\programdata\Malwarebytes
2011-06-18 20:56 . 2011-06-18 20:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-18 20:56 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-11 03:15 . 2010-11-06 17:50 0 ----a-w- c:\users\Administrator.DELLIMAGELT\AppData\Local\WavXMapDrive.bat
2011-07-11 02:48 . 2010-10-26 18:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-07 20:56 . 2010-12-27 21:42 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-17 18:30 . 2010-10-26 18:08 0 ----a-w- c:\users\open\AppData\Local\WavXMapDrive.bat
2011-07-11 02:35 . 2011-05-17 00:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-05-25 495708]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-26 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-26 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-26 169496]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-01 5249024]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-07-21 147840]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-06-22 34232]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"SMART Board Service"="c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardService.exe" [2010-07-15 5350288]
"SMART SNMP Agent"="c:\program files\SMART Technologies\SMART Product Drivers\SMARTSNMPAgent.exe" [2010-07-15 1662352]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"VBSysTrayProf"="c:\program files\Vexira Antivirus\Professional\Bin\vbsystry.exe" [2010-05-26 385976]
"MeUiHelper"="c:\program files\GenevaLogic\Vision\XL\meuihlp.exe" [2007-08-21 83192]
"MeControlDL"="c:\program files\genevalogic\Vision\XL\MeSuAx.exe" [2007-08-21 328952]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2009-07-22 83336]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SNM"="c:\program files\SpyNoMore\SNM.exe" [2010-07-12 1067984]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2009-8-26 2684256]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2010-2-8 1327472]
SMART Board Tools.lnk - c:\program files\SMART Technologies\SMART Product Drivers\SMARTBoardTools.exe [2010-7-15 12375952]
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-3-29 132456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-27 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-12-27 136176]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-06-28 2151640]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-05-29 39984]
R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2010-03-21 48640]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2010-03-21 38912]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-26 1343400]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-12-03 64288]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 17072]
S0 VBRec;VBRec;c:\windows\System32\Drivers\VBRec.Sys [2010-05-18 20352]
S1 MENET;MENET;c:\windows\system32\Drivers\MENET.SYS [2007-08-21 50424]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2010-05-25 81920]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2010-05-10 1803584]
S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [2009-11-04 114688]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-11-20 278304]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2010-02-08 386928]
S2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-01-10 60928]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-05-29 366640]
S2 MeSuWTS;Vision WTS Helper;c:\program files\GenevaLogic\Vision\XL\mesuwts.exe [2007-08-21 107768]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-03-21 59904]
S2 VAServProf;Vexira Antivirus Professional;c:\program files\Vexira Antivirus\Professional\Bin\vbcmserv.exe [2010-05-19 97592]
S2 VBShld;VBShld;c:\windows\system32\Drivers\VBShld.Sys [2010-05-18 156112]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-01-18 42672]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-26 132480]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-02 232960]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-05-29 22712]
S3 meddmrr;meddmrr;c:\windows\system32\DRIVERS\meddmrr.sys [2007-08-21 10488]
S3 mekbd;mekbd;c:\windows\system32\Drivers\mekbd.sys [2010-10-26 12800]
S3 memice;memice;c:\windows\system32\Drivers\memice.sys [2010-10-26 11264]
S3 SMARTMouseFilterx86;HID-compliant mouse;c:\windows\system32\DRIVERS\SMARTMouseFilterx86.sys [2010-06-15 11048]
S3 SMARTVHidMini2000x86;SMART HID Device;c:\windows\system32\DRIVERS\SMARTVHidMini2000x86.sys [2010-06-15 14120]
S3 SMARTVTabletPCx86;SMART Virtual TabletPC;c:\windows\system32\DRIVERS\SMARTVTabletPCx86.sys [2010-06-15 13440]
S3 VBEngNT;VBEngNT;c:\windows\system32\Drivers\VBEngNT.Sys [2010-05-13 237664]
S3 VBFilter;VBFilter;c:\windows\system32\Drivers\VBFilter.Sys [2010-05-18 27424]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - VBCoreNT.0
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-27 21:38]
.
2011-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-27 21:38]
.
2011-07-08 c:\windows\Tasks\Norton Security Scan for Administrator.job
- c:\program files\Norton Security Scan\Engine\3.0.0.103\Nss.exe [2011-02-18 07:25]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 71.250.0.12
FF - ProfilePath - c:\users\Administrator.DELLIMAGELT\AppData\Roaming\Mozilla\Firefox\Profiles\erd168px.default\
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBCoreNT.0]
"ImagePath"="\Device\HarddiskVolume3\Program Files\Vexira Antivirus\Professional\Temp\lhl67ljh.vbt"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3G2"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.3GP"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADT\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ADTS\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ADTS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AVI"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.CDA"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cdda\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.cdda"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipa"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipg"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ipsw\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ipsw"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itdb\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itdb"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ite\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.ite"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itl"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itlp\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itlp"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itls"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itms"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.itpc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.itpc"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2t\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.m3u"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u8\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m3u8"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M4A"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4b\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4b"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4p\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4p"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4r\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.m4r"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mod\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MOV"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP3"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MP4"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.M2TS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcast\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pcast"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.pls"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MIDI"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tts\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.TTS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAV"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wave\UserChoice]
@Denied: (2) (Administrator)
"Progid"="iTunes.wave"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WAX"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMA"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMV"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WVX"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5600)
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\WDM\STacSV.exe
c:\program files\Dell\DW WLAN Card\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Dell\DW WLAN Card\bcmwltry.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\system32\taskhost.exe
c:\program files\GenevaLogic\Vision\Chat\MChat.exe
c:\windows\system32\conhost.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\SMART Technologies\SMART Product Drivers\Aware.exe
c:\program files\DellTPad\Apntex.exe
c:\windows\system32\conhost.exe
c:\program files\SMART Technologies\SMART Product Drivers\Marker.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\BtAssist.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
c:\windows\system32\sppsvc.exe
c:\program files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-07-10 23:20:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-11 03:20
ComboFix2.txt 2011-07-09 03:01
ComboFix3.txt 2011-06-22 21:04
.
Pre-Run: 104,456,699,904 bytes free
Post-Run: 104,124,854,272 bytes free
.
- - End Of File - - B18EC54BF645408247A285B306A40F96

coga2222, Jul 10, 2011

#13
Bobbye Helper on the Fringe

I thought I asked this, but maybe I just thought it! Are any of the accounts having a problem using Windows Media Player 11 or iTunes?

Have you noticed any change, hopefully improvement in the browser redirects?

Bobbye, Jul 11, 2011

#14
coga2222 Newcomer, in training

No problems with Windows Media player, and I have not used Itunes on this computer yet. The redirects seem to be much better though. Can't believe how much stuff is being picked up by these scans though.

coga2222, Jul 11, 2011

#15
Bobbye Helper on the Fringe

We are noticing some locked Registry keys such as this:

[HKEY_USERS\S-1-5-21-2644167271-439061571-2009282644-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserCh oice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

It is not clear if the Administrator has been denied use or whether all accounts 'other that' the Administrator are denied.I currently have 2 threads with the same type of entries. The Denied2) would usually indicate Automatic.

There are the same type of entries for different WMP file associations. And tare 2 of same for @Denied: (2) (Administrator)"Progid"="FirefoxHTML" and a few for different file associations for iTunes: @Denied: (2) (Administrator)

I would like you to check this out please. Are you the Administrator? Are you logging on under the Administrative account. If Yes/Yes, please see if you can access the files in WMD, HTRML in Firefox or the iTunes files. Then, if there is any other user account on the system, see if they can access the same.

You can look in the Locked Registry Keys section to see the file extensions.

Let me know please.

Bobbye, Jul 11, 2011

#16
coga2222 Newcomer, in training

I am logged in as the admin. I apologize, but I really don't know how to access these files. I tried to use my computer to find them, but was unable to do so. I also do not know where to find the registry keys on my comp. We got these computers fairly recently, and I believe they use the newest windows OS (vista?) and I have no clue where to find the "run" link that used to be on the start menu (if that is needed for any of these operations)

coga2222, Jul 12, 2011

#17
Bobbye Helper on the Fringe

I think the simplest thing to ask for both of us is: Are you, as the Administrator and/or the rest of the users seeing "Access is Denied" on any transactions with Windows Media Player, iTunes or Firefox?

Bobbye, Jul 14, 2011

#18
coga2222 Newcomer, in training

I cannot log on under anything other than administrator because I am not aware of any other passcodes (this is a work laptop that I am permitted to bring home). Under administrator, there are no access denied issues.

coga2222, Jul 19, 2011

#19
Bobbye Helper on the Fringe
Dave, this computer has been badly infected. There have been large numbers of deletions by Malwarebytes, Combofix and the script I had you run in Combofix. The malware showed to be mostly the Backdoor.Bot

What is a Backdoor.bot?

This is a piece of malware that has worm, downloader, backdoor, keylogger and spy ability. It may arrive on a system after being exploited by a copy of the worm, residing on an infected machine in the network. After execution, the malware will inject a piece of code in kernel mode (by gaining access to \Device\PhysicalMemory). It will make a copy of itself inside c:\windows\fonts\unwise_.exe (hidden), execute it and continue execution there. The original file it will then be deleted. The worm will register itself as a service under the name: Windows Hosts Controller, and setting the information to "Enables Windows Host Controller Service. This service cannot be stopped." discouraging users from deleting it.
- The worm has the ability to spread via:
o USB drives; when it detects a new drive, it will make a fresh copy of itself, on the USB drive in the following directory:
Recycler\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx\file-name.exe. It will also create an autorun.inf file that will point to the new copy.

And yes- it makes Registry changes to the firewall, the Security Center. It can do or cause:

Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)

Data theft (e.g. retrieving passwords or credit card information)

Installation of software, including third-party malware

Downloading or uploading of files on the user's computer

Modification or deletion of files

Keystroke logging

Watching the user's screen

Wasting the computer's storage space

Crashing the computer

You mention that you got this system recently, but you don't mention if it was new and clean when you go it. I see the following accounts:
User: Administrator.DELLIMAGELT> Main account with most activity.
User: _sjtp_tech> some activity
User: open> some activity

The following accounts are set up but show no activity:
User: Public
User: mmeyer
User: Default User
User: Default
User: 324
User: 516
User: administrator
===============================================
Because of the extent of the infection, because of the type of infection and because this it your work computer, I am going to refer you to the IT for the office. You are either getting infected through their servers or because the machine wasn't clean in the first place.

Your alternative is to reformat/reinstall. This is the best choice, no matter who does it, because of the characteristics of the Backdoor.bot and because there are also other Trojans and Worms on the system.

And if flash drives (USB drives) are being used between computers, they will all need to be disinfected.

By the way, the operating system is Microsoft Windows 7 Professional
Bobbye, Jul 20, 2011

#20

(You must log in or sign up to reply here.)

Page 1 of 2

Thread Status:: Not open for further replies.

TechSpot | Technology News and Analysis
Copyright © 1998-2012, TechSpot, Inc.
Forum software by XenForo™
TechSpot is a registered trademark
All Rights Reserved