TechSpot

Win 7 Antivirus 2012 fake AV infection

By Anchorage
Jun 18, 2011
  1. My daughter's Windows 7 laptop boots up to a screen that says Win 7 Antispyware 2012 Firewall Alert and then continues to pop up all sorts of alerts warning of various infections and asking you to click on a button to activate Win 7 Antispyware 2012.

    When I try to start up IE and go to your site or anywhere else it gets hijacked to a screen that says visiting the site may pose a security threat and recommends getting a copy of Win 7 Antispyware 2012. On top of that it continues popping up other bogus warning windows.

    I used another computer (the one I'm using to access the forum now) to review your 7-steps, downloaded MBAM, GMER, and DDS, copied to CD and inserted in infected laptop.

    I was able to get McAfee AV to run a scan after several attempts, and it came back with a message that it found 1 issue and had stopped the process rgl.exe.

    I then installed MBAM, ran it and detected 3 issues, had me restart the computer. Log file below, also log files for GMER and DDS.
     
  2. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    MBAM log:
    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6888

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    6/18/2011 11:29:55 AM
    mbam-log-2011-06-18 (11-29-55).txt

    Scan type: Quick scan
    Objects scanned: 169596
    Time elapsed: 6 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3611660972 (Trojan.FakeAlert) -> Value: 3611660972 -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Jenny\AppData\Local\rgl.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  3. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    GMER log was empty? Tried running it again, see the quick scan occur at startup of GMER, but again log file is empty. I tried clicking the Scan button even though your 7-step directions don't say to do so, and now it has been running for many minutes scanning the hard drive. In the meanwhile I am posting the DDS logs that were created when I ran DDS right after first time I tried GMER.

    .
    DDS (Ver_2011-06-12.02) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385
    Run by Jenny at 11:46:11 on 2011-06-18
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3894.2681 [GMT -7:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
    C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
    C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
    C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
    C:\Windows\system32\mfevtps.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Windows\system32\svchost.exe -k HPService
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
    C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    C:\Program Files\Hewlett-Packard\HPToneControl\HPToneCtl.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Hewlett-Packard\HP ENVY Document Card Utilities\hpdocstart.exe
    C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
    C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
    C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\msiexec.exe
    C:\Program Files\Common Files\McAfee\Core\mchost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110515172256.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
    uRun: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
    uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    mRun: [HP Envy Guides AutoPlay] C:\Program Files (x86)\Hewlett-Packard\HP ENVY Document Card Utilities\hpdocstart.exe
    mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" UNATTENDED
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office10\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    TCP: Interfaces\{C47BF78F-6744-4806-BE24-0D676274CF06} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    TCP: Interfaces\{FF3BA0AB-A0D6-4975-9D9A-010F0D5C466E} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
    BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO-X64: 0x1 - No File
    BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO-X64: HP Print Enhancer - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110515172256.dll
    BHO-X64: scriptproxy - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64: SkypeIEPluginBHO - No File
    BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    BHO-X64: HP Smart BHO Class - No File
    TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
    mRun-x64: [HP Envy Guides AutoPlay] C:\Program Files (x86)\Hewlett-Packard\HP ENVY Document Card Utilities\hpdocstart.exe
    mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" UNATTENDED
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
    mRun-x64: [(Default)]
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Jenny\AppData\Roaming\Mozilla\Firefox\Profiles\rbf0nox1.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - component: C:\Program Files (x86)\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\Default\AppData\Local\HuluDesktop\instances\0.9.11.1\nphdplg.dll
    FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - C:\Program Files (x86)\McAfee\SiteAdvisor
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
    R1 DVMIO;DeviceVM IO Service;C:\Windows\system32\DRIVERS\dvmio.sys --> C:\Windows\system32\DRIVERS\dvmio.sys [?]
    R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
    R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2010-11-21 89600]
    R2 CinemaNow Service;CinemaNow Service;C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2010-1-15 127984]
    R2 DvmMDES;DeviceVM Meta Data Export Service;C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-2-8 338168]
    R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-12-16 102968]
    R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]
    R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
    R2 HPWMISVC;HPWMISVC;C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-1-18 20480]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [2011-5-3 101048]
    R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-12-20 355440]
    R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-12-20 355440]
    R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-12-20 355440]
    R2 McShield;McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2010-12-20 200056]
    R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2010-12-20 245352]
    R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
    R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-6-26 2533400]
    R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
    R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
    R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
    R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
    R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
    R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 hpdoccardsvc;HP Documention Flash Card Detection Service;C:\Program Files (x86)\Hewlett-Packard\HP ENVY Document Card Utilities\doccardsvc.exe [2010-3-24 83240]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
    S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-1-4 340240]
    S3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
    S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]
    S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]
    S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-06-18 18:21:35 -------- d-----w- C:\Users\Jenny\AppData\Roaming\Malwarebytes
    2011-06-18 18:21:31 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-06-18 18:21:30 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-06-18 18:21:27 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-06-18 18:21:27 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-06-05 21:54:29 -------- d-----w- C:\Program Files\iPod
    2011-06-05 21:54:28 -------- d-----w- C:\Program Files\iTunes
    2011-06-05 21:54:28 -------- d-----w- C:\Program Files (x86)\iTunes
    2011-06-05 21:50:39 -------- d-----w- C:\Program Files\Bonjour
    2011-06-05 21:50:39 -------- d-----w- C:\Program Files (x86)\Bonjour
    2011-05-30 02:44:11 -------- d-----w- C:\ProgramData\Skype Extras
    .
    ==================== Find3M ====================
    .
    2011-04-19 01:11:57 8507392 ----a-w- C:\Windows\System32\drivers\NETwNs64.sys
    2011-04-14 21:01:38 9984 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
    2011-04-14 21:01:38 94992 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
    2011-04-14 21:01:38 75160 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys
    2011-04-14 21:01:38 63056 ----a-w- C:\Windows\System32\drivers\cfwids.sys
    2011-04-14 21:01:38 530304 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
    2011-04-14 21:01:38 441840 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
    2011-04-14 21:01:38 283744 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
    2011-04-14 21:01:38 190520 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
    2011-04-14 21:01:38 149032 ----a-w- C:\Windows\System32\mfevtps.exe
    2011-04-14 21:01:38 121376 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
    2011-04-09 06:58:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
    2011-04-09 06:45:48 5509504 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2011-04-09 06:13:06 3957632 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2011-04-09 06:13:06 3901824 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2011-04-09 05:56:38 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
    2011-04-06 23:26:58 96544 ----a-w- C:\Windows\System32\dnssd.dll
    2011-04-06 23:26:58 69408 ----a-w- C:\Windows\System32\jdns_sd.dll
    2011-04-06 23:26:58 237856 ----a-w- C:\Windows\System32\dnssdX.dll
    2011-04-06 23:26:58 119584 ----a-w- C:\Windows\System32\dns-sd.exe
    2011-04-06 23:20:16 91424 ----a-w- C:\Windows\SysWow64\dnssd.dll
    2011-04-06 23:20:16 75040 ----a-w- C:\Windows\SysWow64\jdns_sd.dll
    2011-04-06 23:20:16 197920 ----a-w- C:\Windows\SysWow64\dnssdX.dll
    2011-04-06 23:20:16 107808 ----a-w- C:\Windows\SysWow64\dns-sd.exe
    .
    ============= FINISH: 11:47:04.45 ===============
     
  4. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-12.02)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/30/2010 9:46:18 AM
    System Uptime: 6/18/2011 11:32:27 AM (0 hours ago)
    .
    Motherboard: Hewlett-Packard | | 144C
    Processor: Intel(R) Core(TM) i5 CPU M 450 @ 2.40GHz | CPU | 2400/1066mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 444 GiB total, 362.912 GiB free.
    D: is FIXED (NTFS) - 21 GiB total, 3.06 GiB free.
    E: is FIXED (FAT32) - 0 GiB total, 0.082 GiB free.
    F: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP121: 4/21/2011 9:42:29 AM - Windows Update
    RP122: 4/23/2011 1:10:32 AM - HPSF Restore Point
    RP123: 4/29/2011 10:00:05 AM - Windows Update
    RP124: 5/2/2011 5:22:58 PM - HPSF Applying updates
    RP125: 5/10/2011 1:09:37 PM - Scheduled Checkpoint
    RP126: 5/11/2011 1:16:48 AM - Windows Update
    RP127: 5/11/2011 10:00:08 AM - Windows Modules Installer
    RP128: 5/19/2011 12:08:12 AM - Windows Update
    RP129: 5/27/2011 9:36:03 PM - Scheduled Checkpoint
    RP130: 6/5/2011 2:53:14 PM - Installed iTunes
    RP131: 6/15/2011 7:12:25 PM - Windows Update
    RP132: 6/18/2011 9:49:39 AM - Windows Update
    RP133: 6/18/2011 11:37:45 AM - HPSF Applying updates
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    ActiveCheck component for HP Active Support Library
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.0
    Adobe Shockwave Player
    Aleks 3.14
    Apple Application Support
    Apple Software Update
    Bejeweled 2 Deluxe
    Blackhawk Striker 2
    Blasterball 3
    BufferChm
    Build-a-lot 2
    C4700
    Cake Mania
    Canon Digital Camera Solution Disk 40-46 Software Starter Guide
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon Personal Printing Guide
    Canon PowerShot SD1200 IS_IXUS 95 IS Camera User Guide
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Chuzzle Deluxe
    CinemaNow Media Manager
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    CyberLink DVD Suite
    Destinations
    DeviceDiscovery
    Diner Dash 2 Restaurant Rescue
    Dora's Carnival Adventure
    DVD Menu Pack for HP MediaSmart Video
    Escape Rosecliff Island
    ESU for Microsoft Windows 7
    Faerie Solitaire
    FATE
    GPBaseService2
    HP Advisor
    HP Customer Experience Enhancements
    HP DVB-T TV Tuner 8.0.64.43
    HP ENVY Document Card Utilities
    HP Game Console
    HP Games
    HP MediaSmart CinemaNow 2.0
    HP MediaSmart DVD
    HP MediaSmart Internet TV
    HP MediaSmart Music
    HP MediaSmart Photo
    HP MediaSmart Video
    HP MediaSmart Webcam
    HP MediaSmart/TouchSmart Netflix
    HP Photo Creations
    HP QuickWeb Installer
    HP Setup
    HP Software Framework
    HP Support Assistant
    HP Update
    HP User Guides 0176
    HPAsset component for HP Active Support Library
    HPPhotoGadget
    HPProductAssistant
    Hulu Desktop
    IDT Audio
    Intel(R) Control Center
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Components
    Intel(R) Rapid Storage Technology
    Java Auto Updater
    Java(TM) 6 Update 21
    Jewel Quest 3
    Jewel Quest Solitaire 2
    Junk Mail filter update
    LabelPrint
    Malwarebytes' Anti-Malware version 1.51.0.1200
    MarketResearch
    McAfee SecurityCenter
    Microsoft Choice Guard
    Microsoft Office XP Standard for Students and Teachers
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft WSE 3.0 Runtime
    Movie Theme Pack for HP MediaSmart Video
    Mozilla Firefox (3.6.8)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Mystery P.I. - The New York Fortune
    Norton Online Backup
    Penguins!
    PhotoNow!
    Plants vs. Zombies
    Poker Superstars III
    Polar Bowler
    Polar Golfer
    Power2Go
    PowerDirector
    PS_AIO_06_C4700_SW_Min
    QuickTime
    QuickTransfer
    Realtek Ethernet Controller Driver For Windows 7
    Realtek USB 2.0 Card Reader
    Recovery Manager
    Respondus LockDown Browser
    Roxio CinemaNow 2.0
    Scan
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Skype Toolbars
    Skype™ 5.3
    SmartWebPrinting
    SolutionCenter
    Status
    TextTwist 2
    The Sims 2
    Toolbox
    TrayApp
    Virtual Families
    Virtual Villagers - The Secret City
    WebReg
    Wheel of Fortune 2
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    Zuma's Revenge
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/15/2011 8:56:28 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    6/15/2011 8:49:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    6/15/2011 8:45:34 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    6/15/2011 8:45:34 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    6/15/2011 8:45:33 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    6/15/2011 8:45:33 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    6/15/2011 8:45:32 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    6/15/2011 8:45:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    6/15/2011 8:45:14 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache DVMIO mfehidk mfenlfk mfewfpk NetBIOS NetBT nsiproxy Psched rdbss spldr Tcpip tdx vwififlt Wanarpv6 WfpLwf
    6/15/2011 8:45:14 PM, Error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/15/2011 8:45:14 PM, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/15/2011 8:45:14 PM, Error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the Windows Firewall service which failed to start because of the following error: The dependency service or group failed to start.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/15/2011 8:45:13 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    6/15/2011 2:06:10 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HP Wireless Assistant Service service.
    .
    ==== End Of File ===========================
     
  5. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    GMER long scan completed, again empty log file, it did put up a message box saying GMER hasn't found any system modification.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware. Don't worry about GMER right now.

    Please tell your daughter or whoever uses the system not to act on those 'alerts' and messages. It's a scan to get the user to click on the site.
    ===============================================
    Let run these scan sto get additional information:
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==============================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the [​IMG]on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
      [​IMG]
    • Uncheck 'Remove found threats'
    • Check 'Scan archives/
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case. (I don't need a McAfee scan log)
    =========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Reminder to be patient
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
    =====================================
     
  7. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    ComboFix 11-06-17.04 - Jenny 06/18/2011 13:55:29.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.2503 [GMT -7:00]
    Running from: c:\users\Jenny\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-18 21:04 . 2011-06-18 21:04 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
    2011-06-18 21:04 . 2011-06-18 21:04 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
    2011-06-18 21:04 . 2011-06-18 21:04 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
    2011-06-18 21:04 . 2011-06-18 21:04 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
    2011-06-18 21:03 . 2011-06-18 21:03 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-18 20:48 . 2011-06-18 20:51 -------- d-----w- C:\32788R22FWJFW
    2011-06-18 20:14 . 2011-06-18 20:14 -------- d-----w- c:\windows\system32\SPReview
    2011-06-18 20:14 . 2011-06-18 20:14 -------- d-----w- c:\windows\system32\EventProviders
    2011-06-18 18:21 . 2011-06-18 18:21 -------- d-----w- c:\users\Jenny\AppData\Roaming\Malwarebytes
    2011-06-18 18:21 . 2011-05-29 16:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-06-18 18:21 . 2011-06-18 18:21 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-18 18:21 . 2011-06-18 18:21 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-06-18 18:21 . 2011-05-29 16:11 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-18 16:53 . 2011-04-29 03:06 467456 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-06-18 16:53 . 2011-04-29 03:05 410112 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-06-18 16:53 . 2011-04-29 03:05 168448 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-06-18 16:53 . 2011-02-25 06:22 861696 ----a-w- c:\windows\system32\oleaut32.dll
    2011-06-18 16:53 . 2011-02-25 05:34 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
    2011-06-18 16:53 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
    2011-06-18 16:53 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
    2011-06-07 19:35 . 2011-06-07 19:35 103864 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    2011-06-07 19:35 . 2011-06-07 19:35 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2011-06-07 03:56 . 2010-11-05 01:57 48976 ----a-w- c:\windows\system32\netfxperf.dll
    2011-06-07 03:56 . 2010-11-05 01:57 1942856 ----a-w- c:\windows\system32\dfshim.dll
    2011-06-07 03:56 . 2010-11-05 01:58 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
    2011-06-07 03:56 . 2010-11-20 13:27 12288 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
    2011-06-07 03:56 . 2010-11-20 13:27 3715584 ----a-w- c:\windows\system32\mstscax.dll
    2011-06-07 03:56 . 2010-11-20 11:07 59392 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
    2011-06-07 03:56 . 2010-11-20 13:27 14967808 ----a-w- c:\program files\DVD Maker\OmdBase.dll
    2011-06-07 03:56 . 2010-11-20 13:26 1838080 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-06-07 03:56 . 2010-11-20 12:19 3215872 ----a-w- c:\windows\SysWow64\mstscax.dll
    2011-06-07 03:54 . 2010-11-20 13:25 22016 ----a-w- c:\windows\system32\credssp.dll
    2011-06-07 03:53 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
    2011-06-07 03:53 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
    2011-06-07 03:53 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
    2011-06-07 03:53 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
    2011-06-07 03:51 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2011-06-07 03:51 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
    2011-06-07 03:51 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
    2011-06-07 03:51 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
    2011-06-07 03:51 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
    2011-06-07 03:51 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
    2011-06-07 03:51 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
    2011-06-05 21:54 . 2011-06-05 21:54 -------- d-----w- c:\program files\iPod
    2011-06-05 21:54 . 2011-06-05 21:55 -------- d-----w- c:\program files\iTunes
    2011-06-05 21:54 . 2011-06-05 21:54 -------- d-----w- c:\program files (x86)\iTunes
    2011-06-05 21:50 . 2011-06-05 21:50 -------- d-----w- c:\program files\Bonjour
    2011-06-05 21:50 . 2011-06-05 21:50 -------- d-----w- c:\program files (x86)\Bonjour
    2011-05-30 02:44 . 2011-05-30 02:44 -------- d-----w- c:\programdata\Skype Extras
    2011-05-30 02:43 . 2011-05-30 02:43 -------- d-----w- c:\program files (x86)\Common Files\Skype
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-18 20:22 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2011-06-18 20:22 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2011-04-19 01:11 . 2011-04-19 01:11 8507392 ----a-w- c:\windows\system32\drivers\NETwNs64.sys
    2011-04-14 21:01 . 2010-12-20 19:33 9984 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-04-14 21:01 . 2010-12-20 19:33 149032 ----a-w- c:\windows\system32\mfevtps.exe
    2011-04-14 21:01 . 2010-12-20 19:33 94992 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-04-14 21:01 . 2010-12-20 19:33 75160 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-04-14 21:01 . 2010-12-20 19:33 63056 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-04-14 21:01 . 2010-12-20 19:33 530304 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-04-14 21:01 . 2010-12-20 19:33 441840 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-04-14 21:01 . 2010-12-20 19:33 283744 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-04-14 21:01 . 2010-12-20 19:33 190520 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-04-14 21:01 . 2010-12-20 19:33 121376 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-04-09 07:02 . 2011-05-10 17:23 5562240 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-04-09 06:58 . 2011-05-19 05:34 142336 ----a-w- c:\windows\system32\poqexec.exe
    2011-04-09 06:02 . 2011-05-10 17:23 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2011-04-09 06:02 . 2011-05-10 17:23 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2011-04-09 05:56 . 2011-05-19 05:34 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
    2011-04-06 23:26 . 2011-04-06 23:26 96544 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 23:26 . 2011-04-06 23:26 69408 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 23:26 . 2011-04-06 23:26 237856 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 23:26 . 2011-04-06 23:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
    2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\SysWow64\dnssd.dll
    2011-04-06 23:20 . 2011-04-06 23:20 75040 ----a-w- c:\windows\SysWow64\jdns_sd.dll
    2011-04-06 23:20 . 2011-04-06 23:20 197920 ----a-w- c:\windows\SysWow64\dnssdX.dll
    2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\SysWow64\dns-sd.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-01-28 1712184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "HP Envy Guides AutoPlay"="c:\program files (x86)\Hewlett-Packard\HP ENVY Document Card Utilities\hpdocstart.exe" [2010-03-24 76584]
    "NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" [2009-12-03 3331944]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1486392]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
    Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-12-16 102968]
    R3 hpdoccardsvc;HP Documention Flash Card Detection Service;c:\program files (x86)\Hewlett-Packard\HP ENVY Document Card Utilities\doccardsvc.exe [2010-03-24 83240]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
    R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-01-04 340240]
    R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
    S1 DVMIO;DeviceVM IO Service;c:\windows\system32\DRIVERS\dvmio.sys [x]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2010-11-21 89600]
    S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-01-16 127984]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    S2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-02-08 338168]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-29 94264]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
    S2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-01-18 20480]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files (x86)\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 101048]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 245352]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-05-01 2533400]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
    S3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-14 c:\windows\Tasks\HPCeeScheduleForJenny.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Quick Launch"="c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-01-18 451072]
    "SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
    "HPToneControl"="c:\program files\Hewlett-Packard\HPToneControl\HPTonectl.exe" [2009-08-19 107832]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-05-17 172032]
    "HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2009-12-16 8192]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-11-21 487424]
    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-01-04 1933584]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    FF - ProfilePath - c:\users\Jenny\AppData\Roaming\Mozilla\Firefox\Profiles\rbf0nox1.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files (x86)\McAfee\SiteAdvisor
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
    AddRemove-{08DB3902-2CE0-474D-BCE3-0177766CE9F1} - c:\program files (x86)\InstallShield Installation Information\{08DB3902-2CE0-474D-BCE3-0177766CE9F1}\setup.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\windows\SysWOW64\rundll32.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-18 14:11:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-18 21:11
    .
    Pre-Run: 400,885,624,832 bytes free
    Post-Run: 401,125,339,136 bytes free
    .
    - - End Of File - - D84D57E3913FA78127504252DEAA3274
     
  8. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    Thanks for the help, Bobbye. ComboFix log posted above. I'm still running the ESET online scanner and will post those results next.
    My daughter was smart enough to recognize the fake AV warnings and not click on any of the options offered. A couple of the windows contained obvious misspellings or funny grammar. How to avoid this infection in the future? She doesn't recall ever following any links to sites that she didn't recognize as trusted regular sites she visits.
     
  9. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    OK, ESET Scan completed, said it found a Java downloader trojan. Log below:

    C:\Users\Jenny\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\35d60d30-52bb73a8 Java/TrojanDownloader.OpenStream.NCA trojan

    It has not removed it since we unchecked the "remove found threats" box.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You did the right thing! Here's how to remove the Java malware:
    1. . Click Start > Control Panel.
    2. . Double-click the Java icon [​IMG] in the Control Panel.
    3. . Click Settings under Temporary Internet Files.
      [​IMG]
      [* Click Delete files.
      http://www.java.com/en/img/download/plugin_cache3.jpg[/b]
      [*]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [*]. Click OK on Temporary Files Settings window. [/list]
      ============================================
      [b]Question:[/b]> Have you or your daughter intentionally put a keylogger on the system?
      2011-06-07 19:35 103864 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\[B]nppdf32.dll[/B]
      2011-06-07 19:35 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins[B]\nppdf32.dll[/B]
      [QUOTE]Perfect Keylogger surveillance software[/QUOTE]
     
  11. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    Deleted the Java temporary files.
    Neither of us intentionally put a keylogger on the system! Any way to tell how long that's been there? How do get rid of it? Sounds like she better change any password she's ever typed in??
     
  12. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    I looked up the nppdf32.dll and it's called out as a plug-in for Adobe Acrobat Reader to allow printing and viewing files? Did ComboFix detect it as being infected or replaced with a keylogger? In any case, I've had her change all her online passwords using another computer.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are correct: nppdf32.dll is a module associated with Adobe Acrobat from Adobe Systems Inc. and so am I. It's not always safe to go by just a name.

    For example copies of this plug-in for Adobe Acrobat Reader need to be located in both the Programs Files Acrobat folder as well as your browser's plug-in folder. Your entries are:
    I did not find the plug-ins listed separately, in addition to the program file entry. Please use Windows Explorer> Windows key + E to access the Adobe Program folder. See if this plug in for either/or or both Internet Explorer and Firefox.

    Then click on Tools> Addons> Plugins in Firefox to see if it is listed there.
    ============================================
    SS SS Plugin> including
    is named the Perfect Keylogger surveillance software.

    Source:
    http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=nppdf32.dll
     
  14. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    OK, I've searched in the Adobe program folders (and for good measure on the whole C: drive).

    Here is what I found in Adobe program folders:
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll

    Both files had timestamps of 6/7/2011 12:35pm, and size 103864 bytes.

    I checked Firefox Tools/Addons/Plugins and found it lists one for Adobe Acrobat 9.4.5.236, and lists it as Adobe PDF Plug-In for Firefox and Netscape "9.4.5". I could not find a way to drill down to the plug-in filename itself.

    I also checked IE8 Tools/Addons and found a couple references to Adobe plug-ins but drilling to the details the filenames were AcroIEHelperShim.dll and AcroPDF.dll. Should I be able to find an entry for nppdf32.dll?

    thanks for your help so far, anything else I can do to confirm whether or not there is a keylogger on the computer?
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're okay! Sorry for the scare. Sometimes, when you look for zebras, you find zebras> I have several special malware search options. So if I search under malware, (the zebra) I find a malware entry. Had I just done a simple Google search instead, I would have found the check for these plugins. But better to check than 'assume.'
    =================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
    Code:
    File::
    
    DDS::
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    mRun: [<NO NAME>] 
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO-X64: 0x1 - No File
    BHO-X64: HP Print Enhancer - No File
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO-X64: scriptproxy - No File
    BHO-X64: SkypeIEPluginBHO - No File
    BHO-X64: HP Smart BHO Class - No File
    EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
    mRun-x64: [(Default)] 
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please update Java here: Java Updates Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Please update the Adobe Reader here: Adobe Reader site Uninstall any earlier updates as they are vulnerabilities.
    ===========================================
    Can you tell me what problems remain from the rogue AV malware?
     
  16. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    We're not seeing any symptoms of the fake AV (no popups, no messages).
    I've updated to latest Java and Adobe Reader and uninstalled all earlier versions.
    Below is the ComboFix log file from running the CFScript you gave me:

    ComboFix 11-06-21.06 - Jenny 06/21/2011 22:01:33.3.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.2643 [GMT -7:00]
    Running from: c:\users\Jenny\Desktop\ComboFix.exe
    Command switches used :: c:\users\Jenny\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-22 05:07 . 2011-06-22 05:07 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-21 03:26 . 2011-06-21 03:26 -------- d-----w- c:\programdata\{E91883C8-8CDC-46A4-A45F-CB40EB82ED60}
    2011-06-20 04:28 . 2011-06-20 04:28 -------- d-----w- c:\users\Jenny\AppData\Roaming\PeerNetworking
    2011-06-18 21:24 . 2011-06-18 21:24 -------- d-----w- c:\program files (x86)\ESET
    2011-06-18 20:14 . 2011-06-18 20:14 -------- d-----w- c:\windows\system32\SPReview
    2011-06-18 20:14 . 2011-06-18 20:14 -------- d-----w- c:\windows\system32\EventProviders
    2011-06-18 18:21 . 2011-06-18 18:21 -------- d-----w- c:\users\Jenny\AppData\Roaming\Malwarebytes
    2011-06-18 18:21 . 2011-05-29 16:11 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-06-18 18:21 . 2011-06-18 18:21 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-18 18:21 . 2011-06-18 18:21 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-06-18 18:21 . 2011-05-29 16:11 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-18 16:54 . 2011-04-25 05:33 1923968 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2011-06-18 16:54 . 2011-04-25 02:34 499200 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-06-18 16:54 . 2010-11-20 13:33 288640 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
    2011-06-18 16:54 . 2011-04-27 02:40 158208 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-18 16:54 . 2011-04-27 02:39 289280 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-18 16:54 . 2011-04-27 02:39 128000 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-06-18 16:54 . 2011-05-28 03:06 3135488 ----a-w- c:\windows\system32\win32k.sys
    2011-06-18 16:53 . 2011-04-29 03:06 467456 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-06-18 16:53 . 2011-04-29 03:05 410112 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-06-18 16:53 . 2011-04-29 03:05 168448 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-06-18 16:53 . 2011-02-25 06:22 861696 ----a-w- c:\windows\system32\oleaut32.dll
    2011-06-18 16:53 . 2011-02-25 05:34 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
    2011-06-18 16:53 . 2011-05-03 05:29 976896 ----a-w- c:\windows\system32\inetcomm.dll
    2011-06-18 16:53 . 2011-05-03 04:30 741376 ----a-w- c:\windows\SysWow64\inetcomm.dll
    2011-06-07 19:35 . 2011-06-07 19:35 103864 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    2011-06-07 19:35 . 2011-06-07 19:35 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2011-06-07 03:56 . 2010-11-05 01:57 48976 ----a-w- c:\windows\system32\netfxperf.dll
    2011-06-07 03:56 . 2010-11-05 01:57 1942856 ----a-w- c:\windows\system32\dfshim.dll
    2011-06-07 03:56 . 2010-11-05 01:58 1130824 ----a-w- c:\windows\SysWow64\dfshim.dll
    2011-06-07 03:56 . 2010-11-20 13:27 12288 ----a-w- c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
    2011-06-07 03:56 . 2010-11-20 13:27 3715584 ----a-w- c:\windows\system32\mstscax.dll
    2011-06-07 03:56 . 2010-11-20 11:07 59392 ----a-w- c:\windows\system32\drivers\TsUsbFlt.sys
    2011-06-07 03:56 . 2010-11-20 13:27 14967808 ----a-w- c:\program files\DVD Maker\OmdBase.dll
    2011-06-07 03:56 . 2010-11-20 13:26 1838080 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-06-07 03:56 . 2010-11-20 12:19 3215872 ----a-w- c:\windows\SysWow64\mstscax.dll
    2011-06-07 03:54 . 2010-11-20 13:25 22016 ----a-w- c:\windows\system32\credssp.dll
    2011-06-07 03:53 . 2010-11-20 12:18 323072 ----a-w- c:\windows\SysWow64\drvstore.dll
    2011-06-07 03:53 . 2010-11-20 12:18 257024 ----a-w- c:\windows\SysWow64\dpx.dll
    2011-06-07 03:53 . 2010-11-20 12:21 363008 ----a-w- c:\windows\SysWow64\wbemcomn.dll
    2011-06-07 03:53 . 2010-11-20 12:19 606208 ----a-w- c:\windows\SysWow64\wbem\fastprox.dll
    2011-06-07 03:51 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2011-06-07 03:51 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
    2011-06-07 03:51 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
    2011-06-07 03:51 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
    2011-06-07 03:51 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
    2011-06-07 03:51 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
    2011-06-07 03:51 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
    2011-06-05 21:54 . 2011-06-05 21:54 -------- d-----w- c:\program files\iPod
    2011-06-05 21:54 . 2011-06-05 21:55 -------- d-----w- c:\program files\iTunes
    2011-06-05 21:54 . 2011-06-05 21:54 -------- d-----w- c:\program files (x86)\iTunes
    2011-06-05 21:50 . 2011-06-05 21:50 -------- d-----w- c:\program files\Bonjour
    2011-06-05 21:50 . 2011-06-05 21:50 -------- d-----w- c:\program files (x86)\Bonjour
    2011-05-30 02:44 . 2011-05-30 02:44 -------- d-----w- c:\programdata\Skype Extras
    2011-05-30 02:43 . 2011-05-30 02:43 -------- d-----w- c:\program files (x86)\Common Files\Skype
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-18 20:22 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2011-06-18 20:22 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2011-04-19 01:11 . 2011-04-19 01:11 8507392 ----a-w- c:\windows\system32\drivers\NETwNs64.sys
    2011-04-14 21:01 . 2010-12-20 19:33 9984 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-04-14 21:01 . 2010-12-20 19:33 149032 ----a-w- c:\windows\system32\mfevtps.exe
    2011-04-14 21:01 . 2010-12-20 19:33 94992 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-04-14 21:01 . 2010-12-20 19:33 75160 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2011-04-14 21:01 . 2010-12-20 19:33 63056 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-04-14 21:01 . 2010-12-20 19:33 530304 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-04-14 21:01 . 2010-12-20 19:33 441840 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-04-14 21:01 . 2010-12-20 19:33 283744 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2011-04-14 21:01 . 2010-12-20 19:33 190520 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-04-14 21:01 . 2010-12-20 19:33 121376 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-04-09 07:02 . 2011-05-10 17:23 5562240 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-04-09 06:58 . 2011-05-19 05:34 142336 ----a-w- c:\windows\system32\poqexec.exe
    2011-04-09 06:02 . 2011-05-10 17:23 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2011-04-09 06:02 . 2011-05-10 17:23 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2011-04-09 05:56 . 2011-05-19 05:34 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
    2011-04-06 23:26 . 2011-04-06 23:26 96544 ----a-w- c:\windows\system32\dnssd.dll
    2011-04-06 23:26 . 2011-04-06 23:26 69408 ----a-w- c:\windows\system32\jdns_sd.dll
    2011-04-06 23:26 . 2011-04-06 23:26 237856 ----a-w- c:\windows\system32\dnssdX.dll
    2011-04-06 23:26 . 2011-04-06 23:26 119584 ----a-w- c:\windows\system32\dns-sd.exe
    2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\SysWow64\dnssd.dll
    2011-04-06 23:20 . 2011-04-06 23:20 75040 ----a-w- c:\windows\SysWow64\jdns_sd.dll
    2011-04-06 23:20 . 2011-04-06 23:20 197920 ----a-w- c:\windows\SysWow64\dnssdX.dll
    2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\SysWow64\dns-sd.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-06-22_04.40.02 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-05-17 00:55 . 2011-06-22 04:50 51542 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2009-07-14 05:10 . 2011-06-21 04:54 38512 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-06-22 04:50 38512 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-07-31 02:45 . 2011-06-22 04:50 12670 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4265423840-2729286521-1213370152-1000_UserData.bin
    + 2010-07-30 15:32 . 2011-06-22 04:48 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-07-30 15:32 . 2011-06-22 04:39 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-07-30 15:32 . 2011-06-22 04:48 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-07-30 15:32 . 2011-06-22 04:39 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-06-22 04:48 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2011-06-22 04:39 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:46 . 2011-06-22 04:47 91720 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2011-06-22 05:08 . 2011-06-22 05:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-06-22 04:39 . 2011-06-22 04:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-06-22 05:08 . 2011-06-22 05:08 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-06-22 04:39 . 2011-06-22 04:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-06-26 09:17 . 2011-06-22 05:07 744336 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2009-07-14 05:01 . 2011-06-22 04:38 257684 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-06-22 05:07 257684 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2010-07-31 02:42 . 2011-06-22 05:07 487496 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4265423840-2729286521-1213370152-1000-8192.dat
    - 2010-07-31 02:42 . 2011-06-22 04:38 487496 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4265423840-2729286521-1213370152-1000-8192.dat
    - 2011-06-21 04:47 . 2011-06-22 04:38 3449556 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4265423840-2729286521-1213370152-1000-4096.dat
    + 2011-06-21 04:47 . 2011-06-22 05:07 3449556 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4265423840-2729286521-1213370152-1000-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPAdvisorDock"="c:\program files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe" [2010-01-28 1712184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "HP Envy Guides AutoPlay"="c:\program files (x86)\Hewlett-Packard\HP ENVY Document Card Utilities\hpdocstart.exe" [2010-03-24 76584]
    "NortonOnlineBackupReminder"="c:\program files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" [2009-12-03 3331944]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1486392]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
    Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 hpdoccardsvc;HP Documention Flash Card Detection Service;c:\program files (x86)\Hewlett-Packard\HP ENVY Document Card Utilities\doccardsvc.exe [2010-03-24 83240]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]
    R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-01-04 340240]
    R3 NETw5s64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [x]
    R3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [x]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [x]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
    S1 DVMIO;DeviceVM IO Service;c:\windows\system32\DRIVERS\dvmio.sys [x]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2010-11-21 89600]
    S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-01-16 127984]
    S2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-02-08 338168]
    S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-12-16 102968]
    S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-29 94264]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
    S2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-01-18 20480]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files (x86)\McAfee\SiteAdvisor\McSACore.exe [2011-02-16 101048]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-04-14 245352]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-05-01 2533400]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]
    S3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-21 c:\windows\Tasks\HPCeeScheduleForJenny.job
    - c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-01-05 10:53]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "HP Quick Launch"="c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-01-18 451072]
    "SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
    "HPToneControl"="c:\program files\Hewlett-Packard\HPToneControl\HPTonectl.exe" [2009-08-19 107832]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-05-17 172032]
    "HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2009-12-16 8192]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-11-21 487424]
    "IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2011-01-04 1933584]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 415256]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    FF - ProfilePath - c:\users\Jenny\AppData\Roaming\Mozilla\Firefox\Profiles\rbf0nox1.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files (x86)\McAfee\SiteAdvisor
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\windows\SysWOW64\rundll32.exe
    c:\program files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
    .
    **************************************************************************
    .
    Completion time: 2011-06-21 22:16:08 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-06-22 05:16
    ComboFix2.txt 2011-06-22 04:44
    ComboFix3.txt 2011-06-18 21:11
    .
    Pre-Run: 394,173,108,224 bytes free
    Post-Run: 393,842,524,160 bytes free
    .
    - - End Of File - - 60FB4AAC2D6889CD24FACA391713F538
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, then- looks good! No missing files, programs, icons or other? That's been the thorn in the side of user who get these rogue security programs.

    Since all is well and the system is clean, we can remove the tools we used:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Click on Start> right click on Computer> Properties
    • Select System Protection
    • Click on the Create button (near bottom)
    • Type a name for the Restore Point
    • Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
    • Click Start> Computer> right click the C Drive and choose Properties> enter.
    • Click Disk Cleanup from there.
      [​IMG]
    • Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
    • Click the More Options tab
      [​IMG]
    • Click the Clean up under System Restore and Shadow Copies.
    • Click OK.
    • You will get a confirmation screen> Just click Delete.
    • Click OK on the Disk Cleanup Screen.
    • Click Delete Files on the Confirmation screen.
    [​IMG]
    It will run the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin

    Let me know if you have any questions!
     
  18. Anchorage

    Anchorage TS Rookie Topic Starter Posts: 18

    I completed all the cleanup actions. We haven't noticed any missing files, programs, or icons. Everything seems to be back to normal, THANKS so much for the help!
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. I'm leaving some tips to help keep it clean!

    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editior in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus :(only one):Both of the following programs are free and known to be good:
      [o]Avira-AntiVir-Personal-Free-Antivirus
      [o] [o]Avast-Free Antivirus
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      [o] Temporary File Cleaner
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...