TechSpot

System check virus, please help remove

By TexAndrea
Jan 10, 2012
  1. My wxp desktop has the System Check virus; can you please help me disinfect it?
  2. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    MBAM Log

    Running in safe mode with networking; below is the log from Malwarebytes.

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.10.01

    Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.7601.17514
    Admin :: MAIN [administrator]

    1/9/2012 9:07:48 PM
    mbam-log-2012-01-09 (21-07-48).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 245745
    Time elapsed: 10 minute(s), 10 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|oklbxWqyXCYA.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\oklbxWqyXCYA.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 11
    C:\ProgramData\oklbxWqyXCYA.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\ProgramData\iEQu3AI1egu1eN.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc3070.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc3083.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc2939.0-AiR\Setup.exe (Trojan.Chifrax) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-57989841-308236825-839522115-1003\Dc1\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-57989841-308236825-839522115-1003\Dc2\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
    C:\Users\Admin\AppData\Local\Temp\ICReinstall\PDFConverterSetup[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
    C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Admin\AppData\Local\Temp\kilslmd.exex (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Admin\AppData\Local\Temp\ppddfcfux.exxe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    (end)
  3. TexAndrea


    GMER Log

    Run in safe mode with networking.

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-10 06:28:24
    Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3160815AS rev.3.ADA
    Running: g6bm1et1.exe; Driver: C:\Users\Admin\AppData\Local\Temp\pxldypog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13D1 82640369 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82679D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    ? System32\drivers\jntqrwk.sys The system cannot find the path specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[896] kernel32.dll!WriteFile 75C553EE 5 Bytes JMP 000A000A
    .text C:\Windows\system32\svchost.exe[896] USER32.dll!GetCursorPos 7575A4B3 5 Bytes JMP 0064000A
    .text C:\Windows\system32\svchost.exe[896] USER32.dll!GetForegroundWindow 7576335D 5 Bytes JMP 0066000A
    .text C:\Windows\system32\svchost.exe[896] USER32.dll!WindowFromPoint 75786BE9 5 Bytes JMP 0065000A
    .text C:\Windows\system32\svchost.exe[896] ole32.dll!CoCreateInstance 75AD9D0B 5 Bytes JMP 0042000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!CreateWindowExW 7575EC7C 5 Bytes JMP 6F603894 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxParamW 75773B9B 5 Bytes JMP 6F537F51 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxIndirectParamW 75783B7F 5 Bytes JMP 6F73DF28 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxParamA 7579CF42 5 Bytes JMP 6F73DEC5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxIndirectParamA 7579D274 5 Bytes JMP 6F73DF8B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxIndirectA 757AE869 5 Bytes JMP 6F73DE5A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxIndirectW 757AE963 5 Bytes JMP 6F73DDEF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxExA 757AE9C9 5 Bytes JMP 6F73DD8D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxExW 757AE9ED 5 Bytes JMP 6F73DD2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!CallNextHookEx 7575ABE1 5 Bytes JMP 6F573CA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!UnhookWindowsHookEx 7575ADF9 5 Bytes JMP 6F62D90F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!SetWindowsHookExW 7575E30C 5 Bytes JMP 6F5C7DD1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!CreateWindowExW 7575EC7C 5 Bytes JMP 6F603894 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!DialogBoxParamW 75773B9B 5 Bytes JMP 6F537F51 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!DialogBoxIndirectParamW 75783B7F 5 Bytes JMP 6F73DF28 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!DialogBoxParamA 7579CF42 5 Bytes JMP 6F73DEC5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!DialogBoxIndirectParamA 7579D274 5 Bytes JMP 6F73DF8B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!MessageBoxIndirectA 757AE869 5 Bytes JMP 6F73DE5A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!MessageBoxIndirectW 757AE963 5 Bytes JMP 6F73DDEF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!MessageBoxExA 757AE9C9 5 Bytes JMP 6F73DD8D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!MessageBoxExW 757AE9ED 5 Bytes JMP 6F73DD2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] ole32.dll!OleLoadFromStream 75A96143 5 Bytes JMP 6F73E27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2004] ole32.dll!CoCreateInstance 75AD9D0B 5 Bytes JMP 6F603422 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!CallNextHookEx 7575ABE1 5 Bytes JMP 6F573CA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!UnhookWindowsHookEx 7575ADF9 5 Bytes JMP 6F62D90F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!SetWindowsHookExW 7575E30C 5 Bytes JMP 6F5C7DD1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!CreateWindowExW 7575EC7C 5 Bytes JMP 6F603894 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!DialogBoxParamW 75773B9B 5 Bytes JMP 6F537F51 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!DialogBoxIndirectParamW 75783B7F 5 Bytes JMP 6F73DF28 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!DialogBoxParamA 7579CF42 5 Bytes JMP 6F73DEC5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!DialogBoxIndirectParamA 7579D274 5 Bytes JMP 6F73DF8B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!MessageBoxIndirectA 757AE869 5 Bytes JMP 6F73DE5A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!MessageBoxIndirectW 757AE963 5 Bytes JMP 6F73DDEF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!MessageBoxExA 757AE9C9 5 Bytes JMP 6F73DD8D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] USER32.dll!MessageBoxExW 757AE9ED 5 Bytes JMP 6F73DD2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] ole32.dll!OleLoadFromStream 75A96143 5 Bytes JMP 6F73E27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2536] ole32.dll!CoCreateInstance 75AD9D0B 5 Bytes JMP 6F603422 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1264] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0103A510] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [739D2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [739B5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [739B56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [739D24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [739C8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [739C4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [739C506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [739C5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [739C6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [739C826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [739C87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [739C901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [739CE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1484] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [739C4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----
  4. TexAndrea


    DDS Log

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7601.17514
    Run by Admin at 10:50:31 on 2012-01-10
    Microsoft Windows 7 Ultimate N 6.1.7601.1.1252.1.1033.18.3061.1452 [GMT -6:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Windows\System32\M-AudioTaskBarIcon.exe
    C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
    C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Update\Install\{409A5E27-934D-46A9-BBF0-7C2FA5221151}\GoogleToolbarInstaller_updater_signed.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\ProgramData\WeCareReminder\ReminderHelper.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\mmc.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8&rlz=1T4GGLL_enUS366US366
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uURLSearchHooks: H - No File
    mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFree.dll
    BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFree.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mif5ba~1\office14\GROOVEEX.DLL
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120108135843.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
    BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mif5ba~1\office14\URLREDIR.DLL
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    BHO: MP3 Rocket Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\programdata\wecarereminder\IEHelperv2.5.0.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - g:\program files\microsoft visual studio 10.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
    BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: MP3 Rocket Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
    TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFree.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [<NO NAME>]
    uRun: [SsAAD.exe] g:\progra~1\sony\SsAAD.exe
    uRun: [PhotoJoy] c:\program files\photojoy\bin\PhotoJoy.exe /c
    uRun: [iCloudServices] c:\program files\common files\apple\internet services\iCloudServices.exe
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
    mRun: [DigidesignMMERefresh] g:\program files\digidesign\digidesign\drivers\MMERefresh.exe
    mRun: [Adobe Photo Downloader] "g:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [OpwareSE4] "g:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
    mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Freecorder FLV Service] "g:\program files\freecorder\FLVSrvc.exe" /run
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [TkBellExe] "g:\program files\update\realsched.exe" -osboot
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [eFnStcmpnllsRFa.exe] c:\programdata\eFnStcmpnllsRFa.exe
    StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\admin\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~2.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} - g:\program files\mp4-converter\YouTubeRipper.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~1\office11\REFIEBAR.DLL
    Trusted Zone: dell.com\ausctrxw004.aus.amer
    Trusted Zone: dell.com\ausctrxw03.aus.amer
    Trusted Zone: dell.com\pool_rim_itaas4_pc1.us
    Trusted Zone: skillport.com
    Trusted Zone: skillwsa.com
    Trusted Zone: usps.com\sss-web
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {462D5053-2D60-4022-B583-7E34AA0F90B7} - hxxps://itaas5.dell.com/servlets/activex/popupmenu.cab
    DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196} - hxxps://itaas5.dell.com/servlets/activex/teechart8.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{2FCB8A38-EC56-452D-82AC-C15B4874EB6E} : DhcpNameServer = 209.18.47.61 209.18.47.62
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\google\google~3\GO36F4~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mif5ba~1\office14\GROOVEEX.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== File Associations ===============
    .
    .scr=AutoCADScriptFile
    .
    =============== Created Last 30 ================
    .
    2012-01-10 03:06:34 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes
    2012-01-10 03:06:26 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-10 03:06:26 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-10 03:06:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-01 00:41:37 737072 ----a-w- c:\programdata\microsoft\ehome\packages\sportsv2\sportstemplatecore-2\Microsoft.MediaCenter.Sports.UI.dll
    2011-12-23 21:01:23 -------- d-----w- c:\program files\iPod
    2011-12-23 21:01:21 -------- d-----w- c:\program files\iTunes
    2011-12-15 05:18:41 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-15 05:18:41 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    ==================== Find3M ====================
    .
    2011-12-09 16:44:26 60304 ----a-w- c:\users\admin\g2mdlhlpx.exe
    2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
    2011-11-05 04:35:00 981504 ----a-w- c:\windows\system32\wininet.dll
    2011-11-05 04:26:03 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-11-05 02:48:51 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-10-29 14:11:33 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-26 04:28:12 38912 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-24 20:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-15 19:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-15 19:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-15 19:16:16 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-10-15 19:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-15 19:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-15 19:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-10-15 19:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-15 19:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-15 19:16:16 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-10-15 19:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-10-15 05:38:59 534528 ----a-w- c:\windows\system32\EncDec.dll
    2011-10-13 03:56:20 737280 ----a-w- c:\windows\iun6002.exe
    .
    ============= FINISH: 10:59:04.33 ===============
  5. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    DDS Attach Log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Ultimate N
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/12/2010 11:32:40 PM
    System Uptime: 1/10/2012 10:41:03 AM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0CU409
    Processor: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 2331/333mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 13.776 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
    PNP Device ID: ROOT\NET\0000
    Service: vpnva
    .
    ==== System Restore Points ===================
    .
    RP261: 1/9/2012 5:59:25 PM - Jan 9 After deleting "System Check" virus
    .
    ==== Installed Programs ======================
    .
    "Nero SoundTrax Help
    µTorrent
    2007 Microsoft Office Suite Service Pack 2 (SP2)
    50 FREE MP3s +1 Free Audiobook!
    Acrobat.com
    Adobe AIR
    Adobe Community Help
    Adobe Dreamweaver CS5
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Help Center 2.0
    Adobe Media Player
    Adobe Photoshop CS5
    Adobe Photoshop Elements 4.0
    Adobe Reader X (10.1.1)
    Adobe Shockwave Player 11.6
    Advertising Center
    AltoMP3 Gold 5.20
    AnalogX Vocal Remover
    AnkhSVN 2.1.8420.8
    Any DWG to Image Converter 2010
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Applian Director
    ArcSoft Print Creations
    ArcSoft Print Creations - Album Page
    ArcSoft Print Creations - Funhouse
    ArcSoft Print Creations - Greeting Card
    ArcSoft Print Creations - Photo Book
    ArcSoft Print Creations - Photo Calendar
    ArcSoft Print Creations - Scrapbook
    ArcSoft Print Creations - Slimline Card
    Ask Toolbar
    ASPCA TriMini Reminder by We-Care.com v5.0.2.1
    AutoCAD 2010 - English
    AutoCAD 2010 Language Pack - English
    Autodesk DWF Viewer
    AvalonDock 1.2 (Build 2691) (1.2.2691)
    AVS Document Converter 2.1.2
    AVS Screen Capture version 2.0.1
    AVS Update Manager 1.0
    AVS Video Editor 6
    AVS Video Recorder 2.4
    AVS Video ReMaker 4.0.8.140
    AVS4YOU Software Navigator 1.4
    Bing Bar
    Bonjour
    Canon MP Navigator 2.2
    Canon MP830
    Canon Utilities Easy-PhotoPrint
    CCScore
    Cisco AnyConnect VPN Client
    Citrix XenApp Web Plugin
    Click to Call with Skype
    Conduit Engine
    Coupon Printer for Windows
    Crystal Reports Basic for Visual Studio 2008
    Crystal Reports for Visual Studio
    D3DX10
    DB CIF Cam
    Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Digidesign Free Bomb Factory Plug-Ins 7.4
    Digidesign Pro Tools M-Powered 7.4cs10
    Digidesign Shared Plug-Ins 7.4
    Disney Micro
    Disney Pix Micro Downloader
    DolbyFiles
    Dotfuscator Software Services - Community Edition
    DriveWare 2.6.2
    Dropbox
    ESSBrwr
    ESSCDBK
    ESScore
    ESSgui
    ESSini
    ESSPCD
    ESSPDock
    ESSTOOLS
    essvatgt
    exPressit S.E. 2.2
    FLAC To MP3 V4.0.4
    FoxTab PDF Converter
    Free PDF to Word Doc Converter v1.1
    Freecorder 5
    Freecorder Toolbar
    G2
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    Google Chrome
    Google Desktop
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToMeeting 5.1.0.873
    Hit'n'Mix Play
    Hollywood Pets v1.3
    Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB971091)
    Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB973674)
    Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2542054)
    Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB982218)
    iCloud
    ImagXpress
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    Interlok driver setup x32
    Internet TV for Windows Media Center
    iTunes
    iZotope RX
    Java Auto Updater
    Java(TM) 6 Update 24
    Java(TM) SE Runtime Environment 6 Update 1
    Junk Mail filter update
    Karaoke Anything!
    Kodak EasyShare software
    M-Audio MobilePre Driver 6.0.1 (x86)
    Malwarebytes Anti-Malware version 1.60.0.1800
    McAfee Total Protection
    Menu Templates - Starter Kit
    Mesh Runtime
    Messenger Companion
    Microsoft .NET Compact Framework 2.0 SP2
    Microsoft .NET Compact Framework 3.5
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft ASP.NET MVC 2
    Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
    Microsoft Document Explorer 2008
    Microsoft Expression Blend 3 SDK
    Microsoft Expression Blend 4
    Microsoft Expression Blend SDK for .NET 4
    Microsoft Expression Blend SDK for Silverlight 4
    Microsoft Expression Design 4
    Microsoft Expression Encoder 4 Pro
    Microsoft Expression Encoder 4 Screen Capture Codec
    Microsoft Expression Studio 4
    Microsoft Expression Web 4
    Microsoft F# Runtime for Silverlight 4
    Microsoft Help Viewer 1.0
    Microsoft IntelliPoint 8.1
    Microsoft IntelliType Pro 8.0
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Communicator 2007
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office File Validation Add-In
    Microsoft Office FrontPage 2003
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office Live Add-in 1.4
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
    Microsoft Office Ultimate 2007
    Microsoft Office Visual Web Developer 2007
    Microsoft Office Visual Web Developer MUI (English) 2007
    Microsoft Office Word MUI (English) 2010
    Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit
    Microsoft Silverlight
    Microsoft Silverlight 3 SDK
    Microsoft Silverlight 4 SDK
    Microsoft Silverlight Tools for Visual Studio 2010
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server 2008 R2 Data-Tier Application Framework
    Microsoft SQL Server 2008 R2 Data-Tier Application Project
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 R2 Transact-SQL Language Service
    Microsoft SQL Server 2008 Setup Support Files
    Microsoft SQL Server Compact 3.5 Design Tools ENU
    Microsoft SQL Server Compact 3.5 for Devices ENU
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server Database Publishing Wizard 1.2
    Microsoft SQL Server Database Publishing Wizard 1.4
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server System CLR Types
    Microsoft SQL Server VSS Writer
    Microsoft Sync Framework Runtime v1.0 SP1 (x86)
    Microsoft Sync Framework SDK v1.0 SP1
    Microsoft Sync Framework Services v1.0 SP1 (x86)
    Microsoft Sync Services for ADO.NET v2.0 SP1 (x86)
    Microsoft Team Foundation Server 2010 Object Model - ENU
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
    Microsoft Visual F# 2.0 Runtime
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Microsoft Visual Studio 2008 Professional Edition - ENU
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    Microsoft Visual Studio 2010 Office Developer Tools (x86)
    Microsoft Visual Studio 2010 Performance Collection Tools - ENU
    Microsoft Visual Studio 2010 SharePoint Developer Tools
    Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
    Microsoft Visual Studio 2010 Ultimate - ENU
    Microsoft Visual Studio Macro Tools
    Microsoft Visual Studio Web Authoring Component
    Microsoft Web Platform Installer 2.0
    Microsoft Windows Media Video 9 VCM
    Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
    Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
    Microsoft Windows SDK for Visual Studio 2008 Tools
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    MobileMe Control Panel
    Movie Templates - Starter Kit
    Mozilla Firefox 8.0.1 (x86 en-US)
    MP3 Rocket
    MP4-Converter 4.1.0
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NCH Toolbox
    Neodynamic Barcode Professional 3.0 for WPF
    Nero 9
    Nero BurningROM
    Nero BurnRights
    Nero ControlCenter
    Nero CoverDesigner
    Nero CoverDesigner Help
    Nero Disc Copy Gadget
    Nero Disc Copy Gadget Help
    Nero DiscSpeed
    Nero DriveSpeed
    Nero Express
    Nero InfoTool
    Nero Installer
    Nero Live
    Nero Live Help
    Nero PhotoSnap
    Nero PhotoSnap Help
    Nero Recode
    Nero Recode Help
    Nero Rescue Agent
    Nero RescueAgent Help
    Nero ShowTime
    Nero StartSmart
    Nero StartSmart Help
    Nero Vision
    Nero WaveEditor
    Nero WaveEditor Help
    NeroBurningROM
    NeroExpress
    neroxml
    netbrdg
    Nikon Message Center
    Nikon Transfer
    Nikon View 6
    Notepad++
    NTI Shadow
    OfotoXMI
    OGA Notifier 2.0.0048.0
    OpenMG Limited Patch 4.6-06-09-04-01
    OpenMG Secure Module 4.6.00
    OverDrive Media Console
    Paint.NET v3.5.10
    PDF Manual NW-S600/S700F Series
    PDF Settings CS5
    PENonPC
    Picture Control Utility
    PowerISO
    Presto! PageManager 7.15.14
    Prism Video File Converter
    Pure Sudoku 1.52
    QuickBooks Premier: Retail Edition 2006
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    REAPER
    Replay Video Capture
    Safari
    ScanSoft OmniPage SE 4.0
    Search Toolbar
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2553353) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Visual Studio 2010 Ultimate - ENU (KB2251489)
    SFR
    SHASTA
    Simple Sudoku 4.1
    skin0001
    SKINXSDK
    SonicStage 4.1
    SoundTrax
    staticcr
    Switch Sound File Converter
    swMSM
    System Requirements Lab for Intel
    TC Bundle v2.0
    TC Native Reverb
    TortoiseSVN 1.6.8.19260 (32 bit)
    TreeSize Free V2.5
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553092)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
    Update for Microsoft Outlook Social Connector (KB2583935)
    VBA (2627.01)
    VC Runtimes MSI
    VideoPad Video Editor
    ViewNX
    Visual Studio 2005 Tools for Office Second Edition Runtime
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    Visual Studio Tools for the Office system 3.0 Runtime
    VisualSVN Server 2.1.2
    Vo300 USB Internet Speakerphone
    Vogone Demo
    VPRINTOL
    Waves Native Gold Bundle v3.01
    WCF RIA Services V1.0 for Visual Studio 2010
    Web Deployment Tool
    WebEx
    Winamp
    Winamp Detector Plug-in
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Windows Media Center Add-in for Flash
    Windows Mobile 5.0 SDK R2 for Pocket PC
    Windows Mobile 5.0 SDK R2 for Smartphone
    WinMerge 2.12.4
    WinRAR archiver
    WIRELESS
    WPF Toolkit February 2010 (Version 3.5.50211.1)
    Yamaha LS9 Editor
    Yamaha M7CL V3 Editor
    Yamaha Studio Manager
    Yontoo Layers Runtime 1.10.01
    Zinio Alert Messenger
    Zinio Reader 4
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/9/2012 9:31:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
    1/9/2012 9:31:40 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    1/9/2012 9:30:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    1/9/2012 9:30:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    1/9/2012 9:27:58 PM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    1/9/2012 9:27:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    1/9/2012 9:27:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    1/9/2012 9:27:50 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/9/2012 9:27:38 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache SCDEmu spldr Wanarpv6
    1/9/2012 9:27:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    1/9/2012 9:27:21 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000008e (0xc0000005, 0x82845fe8, 0x8c023864, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 010912-28002-01.
    1/9/2012 8:14:16 AM, Error: Service Control Manager [7000] - The Multimedia Class Scheduler service failed to start due to the following error: A thread could not be created for the service.
    1/9/2012 8:03:22 AM, Error: Service Control Manager [7023] - The Multimedia Class Scheduler service terminated with the following error: Not enough storage is available to process this command.
    1/9/2012 6:42:21 AM, Error: Schannel [36888] - The following fatal alert was generated: 40. The internal error state is 107.
    1/9/2012 6:42:21 AM, Error: Schannel [36874] - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
    1/9/2012 6:19:16 PM, Error: Disk [11] - The driver detected a controller error on \...\DR3.
    1/9/2012 6:05:32 PM, Error: Service Control Manager [7024] - The VisualSVN Server service terminated with service-specific error Incorrect function..
    1/9/2012 6:05:17 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (0xc0000005, 0x832afca0, 0x8db23b4c, 0x8db23730). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 010912-34335-01.
    1/9/2012 5:29:26 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    1/9/2012 5:25:30 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MMCSS service.
    1/9/2012 5:25:30 PM, Error: Service Control Manager [7000] - The Multimedia Class Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/8/2012 7:58:56 PM, Error: AeLookupSvc [1] - The Application Experience Lookup service failed to initialize.
    1/8/2012 1:25:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    1/10/2012 10:41:38 AM, Error: Service Control Manager [7024] - The SQL Server (SQLEXPRESS) service terminated with service-specific error WARNING: You have until SQL Server (SQLEXPRESS) to logoff. If you have not logged off at this time, your session will be disconnected, and any open files or devices you have open may lose data..
    1/10/2012 10:41:38 AM, Error: Service Control Manager [7000] - The VisualSVN Server service failed to start due to the following error: The system cannot find the file specified.
    1/10/2012 10:41:35 AM, Error: Service Control Manager [7000] - The Digidesign MME Refresh Service service failed to start due to the following error: The system cannot find the file specified.
    1/10/2012 10:40:15 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    1/10/2012 1:03:25 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaSvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
    .
    ==== End Of File ===========================
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help with the malware.

    How do you know you have the rogue System Check? What is happening (symptoms) on the system? There are several very active rogue programs which give some similar symptoms, but they do not all have the same fixes.

    You do have malware to be removed, including a rootkit on the MBS in addition to other infective processes. It appears that you have a history of using cracks and keygens; that is always a straight path to malware!
    ==========================================
    There is another log from DDS. It is named Attach.txt. It is not clear if you found this: Steps for the Preliminary Virus and Malware Removal. It instructs you to paste the log in and not zip it. Please include that in your next reply.
    =======================================
    Please run the following in Normal Mode. If you need to switch to Safe Mode with Networking, I will advise you. If you cannot access the internet, you will need to advise me.
    -----------------------------------
    Please download MBRCheck and save to your desktop
    • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt.)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Paste this log to your next message.
    ===========================================
    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Expect these- they are normal:
    1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
    2. Before you run the Combofix scan, please disable any security software you have running.
    3. Combofix may need to reboot your computer more than once to do its job; this is normal.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install; just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all antivirus and anti-malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =====================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
  7. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    Hi Bobbye, Thanks very much for helping me with this. I believe I have the System Check virus because the symptoms match what I've seen on other posts. Plus, that's the name of the new icon on my desktop. Symptoms include:

    All files on all drives were hidden
    Desktop cleared of all icons except System Check icon
    System Check icon on the desktop
    Loads of popups telling me of various problems
    Shortcuts to all start menu items are gone

    I tried to fix this myself by updating McAfee and doing a full scan. That worked for a day or so, then I was doing some indexing and it popped back up in full force. I did a shut down and got a screen telling me to wait for system updates to complete. This is the same message I've seen for valid Microsoft updates. I forced the reboot and came up in safe/networking mode and started through the five steps recommended for preliminary work.

    The "attach.txt" log is in the post just before your post. I put the subject line as
    "DDS Attach Log". It's pasted, not attached.
    I'll go run MBRCheck and be back in a minute. Thanks Again!
  8. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    MBRCheck Log

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7
    Windows Information: Service Pack 1 (build 7601), 32-bit
    Base Board Manufacturer: Dell Inc.
    BIOS Manufacturer: Dell Inc.
    System Manufacturer: Dell Inc.
    System Product Name: Vostro 200
    Logical Drives Mask: 0x0000003c

    Kernel Drivers (total 160):
    0x83205000 \SystemRoot\system32\ntkrnlpa.exe
    0x83617000 \SystemRoot\system32\halmacpi.dll
    0x86DA3000 \SystemRoot\system32\kdcom.dll
    0x8382A000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x838AF000 \SystemRoot\system32\PSHED.dll
    0x838C0000 \SystemRoot\system32\BOOTVID.dll
    0x838C8000 \SystemRoot\system32\CLFS.SYS
    0x8390A000 \SystemRoot\system32\CI.dll
    0x83A04000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x83A75000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x83A83000 \SystemRoot\system32\drivers\ACPI.sys
    0x83ACB000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x83AD4000 \SystemRoot\system32\drivers\msisadrv.sys
    0x83ADC000 \SystemRoot\system32\drivers\pci.sys
    0x83B06000 \SystemRoot\system32\drivers\vdrvroot.sys
    0x83B11000 \SystemRoot\System32\drivers\partmgr.sys
    0x83B22000 \SystemRoot\system32\drivers\volmgr.sys
    0x83B32000 \SystemRoot\System32\drivers\volmgrx.sys
    0x83B7D000 \SystemRoot\system32\drivers\pciide.sys
    0x83B84000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x83B92000 \SystemRoot\System32\drivers\mountmgr.sys
    0x83BA8000 \SystemRoot\system32\drivers\vmbus.sys
    0x83BD2000 \SystemRoot\system32\drivers\winhv.sys
    0x83BE4000 \SystemRoot\system32\drivers\atapi.sys
    0x839B5000 \SystemRoot\system32\drivers\ataport.SYS
    0x83BED000 \SystemRoot\system32\drivers\amdxata.sys
    0x8B800000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8B834000 \SystemRoot\system32\drivers\fileinfo.sys
    0x8B845000 \SystemRoot\system32\drivers\mfehidk.sys
    0x8B8B4000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x8B8B9000 \SystemRoot\System32\Drivers\TPkd.sys
    0x8BA01000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8BB30000 \SystemRoot\System32\Drivers\msrpc.sys
    0x8BB5B000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8BB6E000 \SystemRoot\System32\Drivers\cng.sys
    0x8BBCB000 \SystemRoot\System32\drivers\pcw.sys
    0x8BBD9000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x8B8D7000 \SystemRoot\system32\drivers\ndis.sys
    0x8B98E000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8B9CC000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x8BC3B000 \SystemRoot\System32\drivers\tcpip.sys
    0x8BD85000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8BDB6000 \SystemRoot\system32\drivers\mfewfpk.sys
    0x8BDDD000 \SystemRoot\system32\drivers\vmstorfl.sys
    0x8BE14000 \SystemRoot\system32\drivers\volsnap.sys
    0x8BE53000 \SystemRoot\System32\Drivers\spldr.sys
    0x8BE5B000 \SystemRoot\System32\drivers\rdyboost.sys
    0x8BE88000 \SystemRoot\System32\Drivers\mup.sys
    0x8BE98000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x8BEA0000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x8BED2000 \SystemRoot\system32\DRIVERS\disk.sys
    0x8BEE3000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x8BF3A000 \SystemRoot\system32\drivers\cdrom.sys
    0x8BF59000 \SystemRoot\System32\Drivers\Null.SYS
    0x8BF60000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8BF67000 \SystemRoot\System32\drivers\vga.sys
    0x8BF73000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8BF94000 \SystemRoot\System32\drivers\watchdog.sys
    0x8BFA1000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8BFA9000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8BFB1000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x8BFB9000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8BFC4000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8BFD2000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8BFE9000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8BC00000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x9180A000 \SystemRoot\system32\drivers\afd.sys
    0x91864000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x9186B000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x9188A000 \SystemRoot\system32\DRIVERS\mfenlfk.sys
    0x91899000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x918A7000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x918BA000 \SystemRoot\system32\drivers\termdd.sys
    0x918CB000 \SystemRoot\System32\Drivers\SCDEmu.SYS
    0x918D6000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x91917000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x91921000 \SystemRoot\system32\drivers\mssmbios.sys
    0x9192B000 \SystemRoot\System32\drivers\discache.sys
    0x91937000 \SystemRoot\system32\drivers\csc.sys
    0x9199B000 \SystemRoot\System32\Drivers\dfsc.sys
    0x919B3000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x919C1000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x919E2000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x9242E000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x92937000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x92C12000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x92C4B000 \SystemRoot\system32\DRIVERS\e1e6032.sys
    0x92C83000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x92C8E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x92CD9000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x92CE8000 \SystemRoot\system32\drivers\HDAudBus.sys
    0x92D07000 \SystemRoot\system32\drivers\1394ohci.sys
    0x92D34000 \SystemRoot\system32\DRIVERS\fdc.sys
    0x92D3F000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x92D45000 \SystemRoot\system32\drivers\CompositeBus.sys
    0x92D52000 \SystemRoot\system32\drivers\MP4ConverterAudio.sys
    0x92D5C000 \SystemRoot\system32\drivers\portcls.sys
    0x92D8B000 \SystemRoot\system32\drivers\drmk.sys
    0x92DA4000 \SystemRoot\system32\drivers\ks.sys
    0x92DD8000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x92400000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x92DEA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x839D8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8BDE6000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8BBE2000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x83800000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x92DF5000 \SystemRoot\system32\DRIVERS\rdpbus.sys
    0x92C00000 \SystemRoot\system32\drivers\kbdclass.sys
    0x92418000 \SystemRoot\system32\drivers\mouclass.sys
    0x92C0D000 \SystemRoot\system32\drivers\swenum.sys
    0x929EE000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x9220A000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x9224E000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x9225F000 \SystemRoot\system32\drivers\HdAudio.sys
    0x922AF000 \SystemRoot\system32\drivers\mfeavfk.sys
    0x922DA000 \SystemRoot\system32\drivers\mfefirek.sys
    0x9232B000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0x92336000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x92338000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x9AD60000 \SystemRoot\System32\win32k.sys
    0x9234F000 \SystemRoot\System32\drivers\Dxapi.sys
    0x92359000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0x92367000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x9237E000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x9238B000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x92396000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0x9239F000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x923B0000 \SystemRoot\system32\drivers\hidusb.sys
    0x923BB000 \SystemRoot\system32\drivers\HIDCLASS.SYS
    0x923CE000 \SystemRoot\system32\drivers\HIDPARSE.SYS
    0x923D5000 \SystemRoot\system32\drivers\kbdhid.sys
    0x923E1000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x9AFC0000 \SystemRoot\System32\TSDDD.dll
    0x923EC000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x923F7000 \SystemRoot\system32\DRIVERS\point32.sys
    0x9AC00000 \SystemRoot\System32\cdd.dll
    0x9AC20000 \SystemRoot\System32\ATMFD.DLL
    0x8BF08000 \SystemRoot\system32\drivers\luafv.sys
    0x94609000 \SystemRoot\system32\drivers\WudfPf.sys
    0x94623000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x94633000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x94646000 \SystemRoot\system32\drivers\HTTP.sys
    0x946CB000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x946E4000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x946F6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x94719000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x94754000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x9FA29000 \SystemRoot\system32\drivers\peauth.sys
    0x9FAC0000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x9FACA000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x9FAEB000 \SystemRoot\System32\drivers\tcpipreg.sys
    0x9FB23000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x9FB73000 \SystemRoot\System32\DRIVERS\srv.sys
    0x9FBC5000 \SystemRoot\system32\drivers\mfebopk.sys
    0x9FBD2000 \SystemRoot\system32\drivers\cfwids.sys
    0x9FBDF000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0x9FBE8000 \??\C:\Users\Admin\AppData\Local\Temp\mbr.sys
    0x77730000 \Windows\System32\ntdll.dll
    0x48000000 \Windows\System32\smss.exe
    0x77970000 \Windows\System32\apisetschema.dll

    Processes (total 75):
    0 System Idle Process
    4 System
    320 C:\Windows\System32\smss.exe
    480 csrss.exe
    532 C:\Windows\System32\wininit.exe
    540 csrss.exe
    592 C:\Windows\System32\services.exe
    624 C:\Windows\System32\winlogon.exe
    632 C:\Windows\System32\lsass.exe
    640 C:\Windows\System32\lsm.exe
    772 C:\Windows\System32\svchost.exe
    852 C:\Windows\System32\svchost.exe
    956 C:\Windows\System32\svchost.exe
    1012 C:\Windows\System32\svchost.exe
    1056 C:\Windows\System32\svchost.exe
    1244 C:\Windows\System32\svchost.exe
    1360 C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
    1396 C:\Windows\System32\svchost.exe
    1528 C:\Windows\System32\spoolsv.exe
    1560 C:\Windows\System32\svchost.exe
    1656 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    1680 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1708 C:\Program Files\Bonjour\mDNSResponder.exe
    1768 C:\Windows\System32\svchost.exe
    1820 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    1864 C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
    1880 C:\Windows\System32\rundll32.exe
    1960 C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
    2040 C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    416 C:\Program Files\Microsoft\BingBar\SeaPort.EXE
    528 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    716 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    1212 C:\Windows\System32\svchost.exe
    1776 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    112 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
    308 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    2088 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
    2356 C:\Windows\System32\taskhost.exe
    2424 C:\Windows\System32\dwm.exe
    2568 C:\Windows\explorer.exe
    3212 C:\Program Files\McAfee.com\Agent\mcagent.exe
    3244 C:\Windows\System32\M-AudioTaskBarIcon.exe
    3264 C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
    3280 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    3296 C:\Windows\System32\hkcmd.exe
    3304 C:\Windows\System32\igfxpers.exe
    3328 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    3336 C:\Program Files\Microsoft IntelliType Pro\itype.exe
    3344 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    3404 C:\Program Files\iTunes\iTunesHelper.exe
    3412 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    3420 C:\Program Files\Common Files\Apple\Internet Services\iCloudServices.exe
    3500 C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
    3736 C:\Windows\System32\svchost.exe
    3996 C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
    4028 C:\Windows\System32\igfxsrvc.exe
    3316 C:\Windows\System32\SearchIndexer.exe
    3292 C:\Program Files\iPod\bin\iPodService.exe
    4456 C:\Program Files\Windows Media Player\wmpnetwk.exe
    4612 C:\Program Files\Internet Explorer\iexplore.exe
    4740 C:\Program Files\Internet Explorer\iexplore.exe
    4824 C:\Program Files\Google\Update\Install\{409A5E27-934D-46A9-BBF0-7C2FA5221151}\GoogleToolbarInstaller_updater_signed.exe
    5272 C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    5736 C:\Windows\System32\SearchProtocolHost.exe
    5992 C:\Windows\System32\svchost.exe
    6132 C:\ProgramData\WeCareReminder\ReminderHelper.exe
    3576 C:\Windows\System32\cmd.exe
    3752 C:\Windows\System32\conhost.exe
    4412 C:\Windows\System32\mmc.exe
    3484 C:\Windows\System32\wuauclt.exe
    2172 C:\Windows\System32\prevhost.exe
    6672 C:\Windows\System32\SearchFilterHost.exe
    3492 C:\Users\Admin\Desktop\AndreaPCCleanUp\MBRCheck.exe
    2160 C:\Windows\System32\conhost.exe
    176 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

    PhysicalDrive0 Model Number: ST3160815AS, Rev: 3.ADA

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


    Done!
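    The MBRCheck output above reports two things worth checking by hand on any suspected rootkit case: where the C: volume sits on the physical disk (the "at offset 0x00000000`02738a00" line) and a SHA1 of the master boot record. As an added example, not part of this thread and not MBRCheck's own code, the Python below performs the same checks on a raw 512-byte sector: it validates the 0x55AA signature, decodes the four primary partition entries, converts the starting LBA to the byte offset MBRCheck prints, and hashes the boot-code region so it can be compared against a baseline you recorded yourself from a known-clean disk. The sample sector is constructed for the offline demo; which exact bytes MBRCheck feeds its SHA1 is not stated on this page, so the hashes here are not comparable to the value in the log. Only `read_physical_mbr` touches a real disk, and it needs an elevated prompt on Windows.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code (disk signature lives at 440..443)
PT_OFFSET = BOOT_CODE_LEN    # four 16-byte partition entries follow the boot code
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk. Needs an elevated prompt on Windows; not used offline."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_partition_table(sector):
    """Decode the four primary MBR entries; raises ValueError on a malformed sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one %d-byte sector" % SECTOR_SIZE)
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA-start(4) sectors(4)
        status, ptype, lba_start, num_sectors = struct.unpack_from(
            "<B3xB3xII", sector, PT_OFFSET + 16 * i)
        if ptype == 0:          # empty slot
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                           # 0x07 = NTFS/exFAT/HPFS
            "lba_start": lba_start,
            "num_sectors": num_sectors,
            "byte_offset": lba_start * SECTOR_SIZE,  # what MBRCheck prints as 'at offset'
        })
    return entries


def mbr_hashes(sector):
    """SHA1 of the boot-code region and of the whole sector, upper-case hex like the log."""
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
    }


def boot_code_matches_baseline(sector, baseline_sha1):
    """True if the boot code hashes to a baseline recorded from a known-clean disk."""
    return mbr_hashes(sector)["boot_code_sha1"] == baseline_sha1.upper()


def build_sample_mbr():
    """Constructed 512-byte MBR for the offline demo; this is NOT the real disk's sector."""
    boot_code = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 64).ljust(BOOT_CODE_LEN, b"\x00")
    # one bootable NTFS partition starting at LBA 80325 -> byte offset 0x02738A00
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                        80325, 312_500_000)
    return boot_code + entry + b"\x00" * 48 + MBR_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    for p in parse_partition_table(sample):
        print("partition %d type 0x%02X bootable=%s at offset 0x%016X" % (
            p["index"], p["type"], p["bootable"], p["byte_offset"]))
    print(mbr_hashes(sample))
```

    On a live machine, replace `build_sample_mbr()` with `read_physical_mbr()` from an elevated prompt and keep the resulting boot-code hash somewhere off the box; a later mismatch against that baseline, with the partition table unchanged, is the pattern a bootkit that rewrites only the boot code leaves behind.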
  9. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    CKFiles Log

    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\users\admin\favorites\hey lol cracks.url
    scanner sequence 3.NA.11.GEAPBI
    ----- EOF -----
  10. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    ComboFix Log

    ComboFix 12-01-10.02 - Admin 01/10/2012 14:10:48.2.2 - x86
    Microsoft Windows 7 Ultimate N 6.1.7601.1.1252.1.1033.18.3061.1130 [GMT -6:00]
    Running from: c:\users\Admin\Desktop\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\userinit.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-10 to 2012-01-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-10 20:32 . 2012-01-10 20:32 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-10 03:06 . 2012-01-10 03:06 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
    2012-01-10 03:06 . 2012-01-10 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-10 03:06 . 2012-01-10 03:06 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-10 03:06 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-01 00:41 . 2012-01-01 00:41 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2011-12-23 21:01 . 2012-01-08 15:08 -------- d-----w- c:\program files\iPod
    2011-12-23 21:01 . 2012-01-08 15:08 -------- d-----w- c:\program files\iTunes
    2011-12-15 05:18 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-15 05:18 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-01 00:41 . 2010-02-18 03:52 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2012-01-01 00:40 . 2010-06-03 11:10 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2012-01-01 00:40 . 2010-02-18 03:52 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-12-14 11:56 . 2010-02-28 11:03 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2011-11-03 23:57 . 2011-11-03 23:57 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-10-29 14:11 . 2011-08-20 16:49 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-15 19:16 . 2011-10-30 20:02 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-15 19:16 . 2010-02-13 06:01 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-15 19:16 . 2010-02-13 06:00 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-15 19:16 . 2010-02-13 06:00 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-10-15 19:16 . 2010-02-13 06:00 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-15 19:16 . 2010-02-13 06:00 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-15 19:16 . 2010-02-13 06:00 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-10-15 19:16 . 2010-02-13 06:00 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-15 19:16 . 2010-02-13 06:00 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-10-15 19:16 . 2010-02-13 06:00 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    2011-01-17 21:54 175912 ---ha-w- c:\program files\Freecorder\prxtbFree.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2011-01-17 21:54 175912 ---ha-w- c:\program files\ConduitEngine\prxConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-02-08 22:40 1362320 ---ha-w- c:\program files\Ask.com\GenericAskToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2011-07-22 23:53 787744 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-08 1362320]
    "{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFree.dll" [2011-01-17 175912]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFree.dll" [2011-01-17 175912]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-08 1362320]
    .
    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    .
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-13 39408]
    "iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2011-11-12 59240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
    "M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-09-02 643592]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
    "WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-28 30192]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    .
    c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\G:\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 135664]
    R2 VisualSVNServer;VisualSVN Server;g:\program files\VisualSVN Server\bin\VisualSVNServer.exe [x]
    R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 45464]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-28 30192]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 135664]
    R3 iLokDrvr;Usb Driver;c:\windows\system32\DRIVERS\iLokDrvr.sys [2009-12-23 54328]
    R3 MAUSBMOBILEPRE;Service for M-Audio MobilePre;c:\windows\system32\DRIVERS\MAudioMobilePre.sys [2009-09-02 158344]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-15 87656]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2010-09-11 245760]
    R3 SQTECH9052;Disney Micro;c:\windows\system32\Drivers\Capt9052.sys [2008-02-21 41216]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 VSPerfDrv100;Performance Tools Driver 10.0;g:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-03 1343400]
    R3 XLREN;XLREN;c:\users\Admin\AppData\Local\Temp\XLREN.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
    S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-10-15 165680]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-10-15 64880]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 160608]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-10-18 150856]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-02-03 427192]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-15 57600]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-10-15 338176]
    S3 MP4ConverterAudio;MP4ConverterAudio;c:\windows\system32\drivers\MP4ConverterAudio.sys [2010-09-11 23608]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 05:56]
    .
    2012-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 05:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8&rlz=1T4GGLL_enUS366US366
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
    Trusted Zone: dell.com\ausctrxw004.aus.amer
    Trusted Zone: dell.com\ausctrxw03.aus.amer
    Trusted Zone: dell.com\pool_rim_itaas4_pc1.us
    Trusted Zone: skillport.com
    Trusted Zone: skillwsa.com
    Trusted Zone: usps.com\sss-web
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
    DPF: {BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196} - hxxps://itaas5.dell.com/servlets/activex/teechart8.cab
    .
    .
    ------- File Associations -------
    .
    .scr=AutoCADScriptFile
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(4188)
    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\program files\Microsoft\BingBar\SeaPort.EXE
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    c:\windows\System32\spool\drivers\w32x86\3\WrtProc.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-10 14:57:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-10 20:57
    ComboFix2.txt 2012-01-10 19:44
    .
    Pre-Run: 27,031,838,720 bytes free
    Post-Run: 26,822,995,968 bytes free
    .
    - - End Of File - - AE7BB9ABC62731211D91780FCD065C6B
  11. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    ESET - No log

    I ran ESET scan and it ran for about 5 hours. Last time I checked it there were 15 files flagged, I think it said they were infected, but I can't be sure. At the end there was a Finish button, but no log file.
     
  12. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    ESET Again - with log result

    Bobbye, I ran ESET again and got it right this time. Here is the log result from the scan.

    C:\ProgramData\Real\RealUpgrade\upgradeconfiginfo_1370221.xml Win32/Adware.SpywareProtect2009 application
    C:\System Volume Information\SystemRestore\FRStaging\Program Files\Search Toolbar\SearchToolbar.dll Win32/Toolbar.Zugo application
    C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc3070.exe a variant of Win32/Keygen.AR application
    C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc3083.exe a variant of Win32/Keygen.AR application
    C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc2939.0-AiR\Setup.exe Win32/VB.ODU trojan
    C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-57989841-308236825-839522115-1003\Dc1\Keygen.exe a variant of Win32/Keygen.AR application
    C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-57989841-308236825-839522115-1003\Dc2\Keygen.exe a variant of Win32/Keygen.AR application
    C:\System Volume Information\SystemRestore\FRStaging\Users\Admin\AppData\Local\Temp\softonic-us-silent.exe Win32/Toolbar.Zugo application
    C:\System Volume Information\SystemRestore\FRStaging\Users\Admin\AppData\Local\Temp\ICReinstall\cnet_pdf2wordsetup_exe.exe a variant of Win32/InstallCore.D application
    C:\System Volume Information\SystemRestore\FRStaging\Users\Admin\AppData\Local\Temp\ICReinstall\PDFConverterSetup[1].exe a variant of Win32/InstallCore.E application
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP600\A0148057.exe a variant of Win32/Keygen.AR application
    C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZDMHNGPJ\invoice.html JS/TrojanDownloader.Agent.NVQ trojan
    C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-51de48d8 a variant of Java/Agent.DZ trojan
    C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\3eef1ec7-5ff01e62 multiple threats
    C:\Users\All Users\Real\RealUpgrade\upgradeconfiginfo_1370221.xml Win32/Adware.SpywareProtect2009 application
  13. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    Hi Bobbye,

    Is that all? Does the ESET log indicate that it's cleaned up? I still don't have my start menu back to normal, I believe my shortcuts are still hosed. Otherwise the system seems to be mostly back to normal - but slow. I'm hesitant to really crank much up until I know the system seems to be clean.

    Thanks - I really appreciate the help,
    Andrea
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, it's not all. Sorry- I missed the Attach.txt log.

    Both Malwarebytes and Eset show a history of using cracks and keygens to pirate software. The CK Log shows an entry for what appears to be a Favorites site for cracks. Piracy gets you malware. The entries below are the only 'new' entries. The others, in System Volume, are in restore points. They are not active on the system and will be removed at the end of cleaning. The entries in the Recycler will have to be removed separately.
    -----------------------------------------
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\ProgramData\Real\RealUpgrade\upgradeconfiginfo_1370221.xml
      C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZDMHNGPJ\invoice.html 
      C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-51de48d8
      C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\3eef1ec7-5ff01e62 
      C:\Users\All Users\Real\RealUpgrade\upgradeconfiginfo_1370221.xml 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ================================
    There is a different rogue program that presents itself as a security update for Windows installed via Automatic Updates. You may have more than 1 rogue.
    ==============================
    Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    ------------------------------------
    Be sure to check all download screens for any pre-checked toolbars or BHO> if found, remove the check before the download.
    You have multiple entries for these TB and BHO on the system. Additionally, some of these are bundled in the software. When you install a download, choose Custom and only select the program itself, not the junk in the bundle.
    ================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\users\Admin\AppData\Local\Temp\XLREN.exe
    DDS::
    uURLSearchHooks: H - No File
    mURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFree.dll
    BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFree.dll
    BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    BHO: MP3 Rocket Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\programdata\wecarereminder\IEHelperv2.5.0.dll
    BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
    TB: MP3 Rocket Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
    TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFree.dll
    TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
    mRun: [Freecorder FLV Service] "g:\program files\freecorder\FLVSrvc.exe" /run
    mRun: [eFnStcmpnllsRFa.exe] c:\programdata\eFnStcmpnllsRFa.exe
    Trusted Zone: dell.com\ausctrxw004.aus.amer
    Trusted Zone: dell.com\ausctrxw03.aus.amer
    Trusted Zone: dell.com\pool_rim_itaas4_pc1.us
    Trusted Zone: skillport.com
    Trusted Zone: skillwsa.com
    Trusted Zone: usps.com\sss-web
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    "{1392b8d2-5c05-419f-a8f6-b9f15a596612}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{1392B8D2-5C05-419F-A8F6-B9F15A596612}"=-
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    Clearjavacache::
    Driver::
    XLREN
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Go on to next reply.
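The triage applied to the ESET log above (restore-point copies set aside, the remaining hits fed to OTMoveIt) can be scripted. The following is an added example, not code from the thread, from ESET or from OTMoveIt; it assumes every log line has the `<path> <detection name> <kind>` shape shown in reply 12 and uses those posted lines as its constructed sample input.

```python
"""Triage an ESET scan log the way the helper did by hand above.

Added example; not code from the thread, from ESET or from OTMoveIt.
Each log line has the shape "<path> <detection name> <kind>", e.g.
"C:\\foo\\bar.exe a variant of Win32/Keygen.AR application".
Hits under \\System Volume Information\\ are restore-point copies and are
left for the end of the cleanup; the rest become the ':Files' section
of an OTMoveIt script.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample input: the ESET log lines posted earlier in the thread.
ESET_LOG = r"""
C:\ProgramData\Real\RealUpgrade\upgradeconfiginfo_1370221.xml Win32/Adware.SpywareProtect2009 application
C:\System Volume Information\SystemRestore\FRStaging\Program Files\Search Toolbar\SearchToolbar.dll Win32/Toolbar.Zugo application
C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc3070.exe a variant of Win32/Keygen.AR application
C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc3083.exe a variant of Win32/Keygen.AR application
C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc2939.0-AiR\Setup.exe Win32/VB.ODU trojan
C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-57989841-308236825-839522115-1003\Dc1\Keygen.exe a variant of Win32/Keygen.AR application
C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-57989841-308236825-839522115-1003\Dc2\Keygen.exe a variant of Win32/Keygen.AR application
C:\System Volume Information\SystemRestore\FRStaging\Users\Admin\AppData\Local\Temp\softonic-us-silent.exe Win32/Toolbar.Zugo application
C:\System Volume Information\SystemRestore\FRStaging\Users\Admin\AppData\Local\Temp\ICReinstall\cnet_pdf2wordsetup_exe.exe a variant of Win32/InstallCore.D application
C:\System Volume Information\SystemRestore\FRStaging\Users\Admin\AppData\Local\Temp\ICReinstall\PDFConverterSetup[1].exe a variant of Win32/InstallCore.E application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP600\A0148057.exe a variant of Win32/Keygen.AR application
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZDMHNGPJ\invoice.html JS/TrojanDownloader.Agent.NVQ trojan
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-51de48d8 a variant of Java/Agent.DZ trojan
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\3eef1ec7-5ff01e62 multiple threats
C:\Users\All Users\Real\RealUpgrade\upgradeconfiginfo_1370221.xml Win32/Adware.SpywareProtect2009 application
"""

# The path may contain spaces, so it is matched lazily; the detection name is
# the first token containing a '/' (Windows paths use backslashes only), or
# the literal phrase 'multiple threats', which carries no kind.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?:(?P<name>(?:a variant of )?\S+/\S+)\s+(?P<kind>\S+)"
    r"|(?P<multi>multiple threats))$"
)

# OTMoveIt commands used in the thread's script, in the order given there.
OTM_COMMANDS = ("[purity]", "[emptytemp]", "[start explorer]", "[Reboot]")


class Hit(NamedTuple):
    path: str
    name: str
    kind: str
    category: str  # 'active', 'restore_point' or 'recycler'


def classify(path: str) -> str:
    """Restore-point staging copies are inert; Recycler hits outside a
    restore point are flagged so they can be handled separately."""
    lowered = path.lower()
    if "\\system volume information\\" in lowered:
        return "restore_point"
    if "\\recycler\\" in lowered:
        return "recycler"
    return "active"


def parse_eset_log(text: str) -> List[Hit]:
    """Parse one ESET log line per hit; an unrecognised line is an error
    rather than a silent skip, so nothing is dropped from the triage."""
    hits: List[Hit] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised ESET log line: {line!r}")
        if match.group("multi"):
            name, kind = "multiple threats", "unknown"
        else:
            name, kind = match.group("name"), match.group("kind")
        path = match.group("path")
        hits.append(Hit(path, name, kind, classify(path)))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per category, e.g. {'active': 5, 'restore_point': 10}."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit.category] = counts.get(hit.category, 0) + 1
    return counts


def build_otm_script(hits: List[Hit]) -> str:
    """Emit the OTMoveIt ':Files' / ':Commands' script for active hits only."""
    active = [hit.path for hit in hits if hit.category == "active"]
    return "\n".join([":Files", *active, ":Commands", *OTM_COMMANDS])


if __name__ == "__main__":
    parsed = parse_eset_log(ESET_LOG)
    print(summarize(parsed))
    print(build_otm_script(parsed))
```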
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have "Omniquad Desktop Surveillance Personal Edition 6.0.3 on the system. It is a keylogger. Did you install it?>> 2011-10-13> c:\windows\iun6002.exe

    Please uninstall in Programs:
    µTorrent
    Ask Toolbar
    Bing Bar
    Conduit Engine
    Freecorder 5
    Freecorder Toolbar
    Search Toolbar
    System Check
    Yontoo Layers Runtime 1.10.01
    When finished, use Windows Explorer to access Computer> Local Drive> Programs> do a right click> Delete on the folder for each program you uninstalled.
    =============================================
    If you are infected with System Check it is important that you do not delete any files from your Temp folder or use any temp file cleaners.
    ============================================
    Press Windows+R key> type cmd> OK
    1. If your task manager is disabled,copy and run this command
    Code:
    Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
    Press Enter

    2. If you're desktop is blank and unable to right click on it ,run this command
    Code:
    Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop
    Press Enter
    =============================================
    Please print out the following instructions. It is important that the order of the scan below be followed exactly. Please read through all of the instructions before you begin.
    -----------------------------
    1. Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
    ================================
    2. Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
    =======================================
    3. To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    4. This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Please leave log.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again.
    ====================================
    5. Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
      [​IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    6. Correct Display Changes if needed:
    If the desktop background is black or if the theme has been removed:
    For Windows Vista or Windows 7: Click on Start> Control Panel> Appearance & Personalization> Select Change Theme or Change Desktop Background
    =====================================
    7. Some items may not show on the Start menu. To add them back:
    • Right click on Start> Properties
    • Taskbar and Start Menu Properties screen appears
    • choose Start Menu tab> Click on Customize
    • Check the items you want back on the Start Menu
    • When finished> click on OK> Apply and close.
    ====================================
    You can now reboot back into Normal Mode.

    Please leave new logs in next reply along with description of any remaining problems.
    RKill
    TDSSKiller
    New Mbam
    New Combofix
  16. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    OTM Log

    All processes killed
    ========== FILES ==========
    C:\ProgramData\Real\RealUpgrade\upgradeconfiginfo_1370221.xml moved successfully.
    C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ZDMHNGPJ\invoice.html moved successfully.
    C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-51de48d8 moved successfully.
    C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\3eef1ec7-5ff01e62 moved successfully.
    File/Folder C:\Users\All Users\Real\RealUpgrade\upgradeconfiginfo_1370221.xml not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Admin
    ->Temp folder emptied: 295923 bytes
    ->Temporary Internet Files folder emptied: 1234992441 bytes
    ->Java cache emptied: 21566253 bytes
    ->FireFox cache emptied: 65769454 bytes
    ->Google Chrome cache emptied: 8292595 bytes
    ->Apple Safari cache emptied: 16384 bytes
    ->Flash cache emptied: 353543 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56502 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 143363408 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 1,406.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 01122012_211130

    Files moved on Reboot...
    C:\Windows\temp\fla10DD.tmp moved successfully.
    C:\Windows\temp\fla1A1F.tmp moved successfully.
    C:\Windows\temp\fla1BE5.tmp moved successfully.
    C:\Windows\temp\fla1E58.tmp moved successfully.
    C:\Windows\temp\fla34CF.tmp moved successfully.
    C:\Windows\temp\fla46F6.tmp moved successfully.
    C:\Windows\temp\fla5591.tmp moved successfully.
    C:\Windows\temp\fla5C1C.tmp moved successfully.
    C:\Windows\temp\fla76F.tmp moved successfully.
    C:\Windows\temp\fla7E2E.tmp moved successfully.
    C:\Windows\temp\fla8DFD.tmp moved successfully.
    C:\Windows\temp\fla9435.tmp moved successfully.
    C:\Windows\temp\fla96C.tmp moved successfully.
    C:\Windows\temp\flaA83B.tmp moved successfully.
    C:\Windows\temp\flaB6CD.tmp moved successfully.
    C:\Windows\temp\flaB998.tmp moved successfully.
    C:\Windows\temp\flaCB02.tmp moved successfully.
    C:\Windows\temp\flaE784.tmp moved successfully.
    C:\Windows\temp\flaEC7.tmp moved successfully.
    File C:\Windows\temp\mcafee_BvOs11wWhj6EWhM not found!

    Registry entries deleted on Reboot...
  17. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    Combofix Log

    ComboFix 12-01-12.04 - Admin 01/12/2012 22:03:22.3.2 - x86
    Microsoft Windows 7 Ultimate N 6.1.7601.1.1252.1.1033.18.3061.1897 [GMT -6:00]
    Running from: c:\users\Admin\Desktop\ComboFix.exe
    Command switches used :: c:\users\Admin\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\Admin\AppData\Local\Temp\XLREN.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
    c:\windows\system32\RENB49F.tmp
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_XLREN
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-13 04:21 . 2012-01-13 04:21 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-13 03:47 . 2012-01-13 03:47 -------- d-----w- c:\program files\Common Files\Java
    2012-01-13 03:45 . 2012-01-13 03:45 -------- d-----w- c:\program files\Java
    2012-01-13 03:36 . 2012-01-13 03:36 0 ----a-w- c:\windows\system32\REN5986.tmp
    2012-01-13 03:36 . 2012-01-13 03:36 0 ----a-w- c:\windows\system32\REN5985.tmp
    2012-01-13 03:36 . 2012-01-13 03:36 0 ----a-w- c:\windows\system32\REN5984.tmp
    2012-01-13 03:11 . 2012-01-13 03:11 -------- d-----w- C:\_OTM
    2012-01-10 21:05 . 2012-01-10 21:05 -------- d-----w- c:\program files\ESET
    2012-01-10 03:06 . 2012-01-10 03:06 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
    2012-01-10 03:06 . 2012-01-10 03:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-10 03:06 . 2012-01-10 03:06 -------- d-----w- c:\programdata\Malwarebytes
    2012-01-10 03:06 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2012-01-01 00:41 . 2012-01-01 00:41 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2011-12-23 21:01 . 2012-01-08 15:08 -------- d-----w- c:\program files\iPod
    2011-12-23 21:01 . 2012-01-08 15:08 -------- d-----w- c:\program files\iTunes
    2011-12-15 05:18 . 2011-10-26 04:47 3967856 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-12-15 05:18 . 2011-10-26 04:47 3912560 ----a-w- c:\windows\system32\ntoskrnl.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-01 00:41 . 2010-02-18 03:52 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2012-01-01 00:40 . 2010-06-03 11:10 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2012-01-01 00:40 . 2010-02-18 03:52 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-12-14 11:56 . 2010-02-28 11:03 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2011-11-03 23:57 . 2011-11-03 23:57 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
    2011-10-29 14:11 . 2011-08-20 16:49 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-15 19:16 . 2011-10-30 20:02 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-15 19:16 . 2010-02-13 06:01 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-15 19:16 . 2010-02-13 06:00 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-15 19:16 . 2010-02-13 06:00 64880 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-10-15 19:16 . 2010-02-13 06:00 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-15 19:16 . 2010-02-13 06:00 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-15 19:16 . 2010-02-13 06:00 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-10-15 19:16 . 2010-02-13 06:00 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-15 19:16 . 2010-02-13 06:00 165680 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-10-15 19:16 . 2010-02-13 06:00 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 13:55 87304 ---ha-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2011-10-31 21:02 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-13 39408]
    "iCloudServices"="c:\program files\Common Files\Apple\Internet Services\iCloudServices.exe" [2011-11-12 59240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
    "M-Audio Taskbar Icon"="c:\windows\system32\M-AudioTaskBarIcon.exe" [2009-09-02 643592]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
    "WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-28 30192]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    .
    c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2011-12-5 24242056]
    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\G:\0autocheck autochk *
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 135664]
    R2 VisualSVNServer;VisualSVN Server;g:\program files\VisualSVN Server\bin\VisualSVNServer.exe [2010-04-24 23840]
    R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 45464]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-28 30192]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 135664]
    R3 iLokDrvr;Usb Driver;c:\windows\system32\DRIVERS\iLokDrvr.sys [2009-12-23 54328]
    R3 MAUSBMOBILEPRE;Service for M-Audio MobilePre;c:\windows\system32\DRIVERS\MAudioMobilePre.sys [2009-09-02 158344]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-15 87656]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
    R3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2010-09-11 245760]
    R3 SQTECH9052;Disney Micro;c:\windows\system32\Drivers\Capt9052.sys [2008-02-21 41216]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
    R3 VSPerfDrv100;Performance Tools Driver 10.0;g:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [2009-12-09 48128]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-03 1343400]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
    S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-10-15 165680]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-10-15 64880]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 160608]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2011-10-18 150856]
    S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-02-03 427192]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-10-15 57600]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-10-15 338176]
    S3 MP4ConverterAudio;MP4ConverterAudio;c:\windows\system32\drivers\MP4ConverterAudio.sys [2010-09-11 23608]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 05:56]
    .
    2012-01-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 05:56]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/webhp?sourceid=navclient&ie=UTF-8&rlz=1T4GGLL_enUS366US366
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    DPF: {82E5DF24-51E8-47CD-864A-F4BD5005AA73} - hxxps://www.icloud.com/system/iCloud.cab
    DPF: {BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196} - hxxps://itaas5.dell.com/servlets/activex/teechart8.cab
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(4028)
    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
    g:\program files\TortoiseSVN\bin\TortoiseStub.dll
    g:\program files\TortoiseSVN\bin\TortoiseSVN.dll
    g:\program files\TortoiseSVN\bin\intl3_tsvn.dll
    c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WUDFHost.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    g:\program files\Digidesign\Digidesign\Drivers\MMERefresh.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\program files\Microsoft\BingBar\SeaPort.EXE
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\progra~1\Java\jre6\bin\jp2launcher.exe
    c:\program files\Java\jre6\bin\java.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\taskhost.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\windows\system32\conhost.exe
    g:\program files\TortoiseSVN\bin\TSVNCache.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\System32\spool\drivers\w32x86\3\WrtProc.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-12 22:41:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-13 04:41
    ComboFix2.txt 2012-01-10 20:57
    ComboFix3.txt 2012-01-10 19:44
    .
    Pre-Run: 24,165,687,296 bytes free
    Post-Run: 24,019,533,824 bytes free
    .
    - - End Of File - - 25AF7DA2D15BE4099AF15DD5AF4A6E95
  18. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    Uninstall Stuff

    No one here claims installing Omniquad, so no, I didn't install it.

    Uninstall and delete programs - here's what I was able to do:

    µTorrent - could not find in programs, deleted uTorrent folder

    Ask Toolbar
    uninstalled in programs, deleted folder

    Bing Bar
    uninstalled in programs, could not find

    Conduit Engine
    Disabled this in IE add ons, unable to uninstall in programs, deleted folder

    system. Not sure why this line is here; is it part of another row?

    Freecorder 5 - uninstalled in programs
    Freecorder Toolbar - unable to uninstall in programs, deleted Freecorder folder

    Search Toolbar - not sure what this is. I don't see this in programs or in IE. Google search?

    System Check - I don't see this in programs - isn't this the root of all evil?

    Yontoo Layers Runtime 1.10.01
    Disabled in IE add on - I don't see this in programs to uninstall, deleted folder


    The two registry keys controlling task manager and desktop were not present. I don't have any issues with either.

    I'm currently running unhide and I'll post again when I continue your instructions.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sounds good. Go ahead and run Unhide. I'll set up a script for you to run in Combofix. It will be tomorrow before I can do it. Your patience is appreciated.
  20. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    Rkill Log

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/13/2012 at 12:31:25.
    Operating System: Windows 7 Ultimate N


    Processes terminated by Rkill or while it was running:



    Rkill completed on 01/13/2012 at 12:31:29.
  21. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    New MBAM log

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.13.04

    Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.7601.17514
    Admin :: MAIN [administrator]

    1/13/2012 12:46:55 PM
    mbam-log-2012-01-13 (12-46-55).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 710315
    Time elapsed: 2 hour(s), 14 minute(s), 41 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 12
    C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc3070.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
    C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc3083.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
    C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc2939.0-AiR\Setup.exe (Trojan.Chifrax) -> Quarantined and deleted successfully.
    C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-57989841-308236825-839522115-1003\Dc1\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
    C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-57989841-308236825-839522115-1003\Dc2\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
    C:\System Volume Information\SystemRestore\FRStaging\Users\Admin\AppData\Local\Temp\ICReinstall\PDFConverterSetup[1].exe (Adware.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP600\A0148057.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
    C:\TDSSKiller_Quarantine\13.01.2012_12.34.21\mbr0000\tdlfs0000\tsk0002.dta (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\TDSSKiller_Quarantine\13.01.2012_12.34.21\mbr0001\tdlfs0000\tsk0002.dta (Trojan.Agent) -> Quarantined and deleted successfully.
    G:\Program Files\FoxTabPDFConverter\Uninstall\Uninstall.exe (Adware.Agent) -> Quarantined and deleted successfully.
    G:\Data\Work\download\Sony ACID Pro 6.0d Build 363\Keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
    G:\Data\Work\download\Sony DVD Architect Pro 5.0b Build 180\Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.

    (end)
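    An added example (not from this thread or from Malwarebytes) for triaging a log like the one above: it parses the `Files Detected` lines and buckets each hit by where it sits, since a copy inside a System Restore snapshot or another tool's quarantine is already inert, while one under Program Files or a download folder is still live and needs follow-up. The sample lines are taken from this post; the parser, the location buckets and the completeness check are my own.

```python
import re
from collections import Counter

# Constructed sample in the format Malwarebytes Anti-Malware 1.60 writes under
# "Files Detected:", using five of the lines from the log posted in this thread.
SAMPLE_LOG = r"""Files Detected: 5
C:\System Volume Information\SystemRestore\FRStaging\RECYCLER\S-1-5-21-2906683688-78787508-1238319441-1006\Dc3070.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP600\A0148057.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\13.01.2012_12.34.21\mbr0000\tdlfs0000\tsk0002.dta (Trojan.Agent) -> Quarantined and deleted successfully.
G:\Program Files\FoxTabPDFConverter\Uninstall\Uninstall.exe (Adware.Agent) -> Quarantined and deleted successfully.
G:\Data\Work\download\Sony ACID Pro 6.0d Build 363\Keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

(end)
"""

# One detection line: "<path> (<threat name>) -> <action>."  The path group is
# greedy, so the last "(...) ->" pair is taken as the threat even when the path
# itself contains parentheses.
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
COUNT_RE = re.compile(r"^Files Detected: (?P<n>\d+)$")


def classify_location(path):
    """Bucket a detected path by where it sits; this decides how live the finding is."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore-point"   # stale copy held in a System Restore snapshot
    if "_quarantine\\" in p:
        return "quarantine"      # already isolated by another tool (TDSSKiller here)
    if "\\recycler\\" in p or "\\$recycle.bin\\" in p:
        return "recycle-bin"
    return "live"                # on the active file system; needs follow-up


def parse_mbam_detections(log_text):
    """Return (declared_count, [detection dicts]) for an MBAM 'Files Detected' section."""
    declared = None
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        m = COUNT_RE.match(line)
        if m:
            declared = int(m.group("n"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            d["location"] = classify_location(d["path"])
            found.append(d)
    return declared, found


def triage(log_text):
    """Summarise: counts per location, live findings, and whether the log is complete."""
    declared, found = parse_mbam_detections(log_text)
    by_location = Counter(d["location"] for d in found)
    live = [d for d in found if d["location"] == "live"]
    # A declared count that differs from the parsed lines means a truncated paste.
    complete = declared is not None and declared == len(found)
    return {"by_location": dict(by_location), "live": live, "complete": complete}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("complete log:", result["complete"])
    print("by location:", result["by_location"])
    for d in result["live"]:
        print("follow up:", d["threat"], "at", d["path"])
```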
  22. TexAndrea

    TexAndrea TS Rookie Topic Starter Posts: 18

    Script?

    Bobbye,

    You mentioned a Combofix script that you were going to write on Friday. Just bringing this back to the top of your queue.

    The system has been fine with no issues since the last steps that were done.

    Thanks.
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You are continuing to pirate programs - these new ones in addition to previous ones now in System Restore.

    Sony ACID Pro 6.0d Build 363 is a $300 program
    Sony DVD Architect Pro 5.0b starts at $40

    Please remove all pirated programs and downloads to continue support.