ComboFix.txt
ComboFix 12-07-26.03 - Rich 07/25/2012 15:32:34.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.3015.1679 [GMT -4:00]
Running from: c:\users\Rich\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Roaming
c:\windows\msvcr71.dll
c:\windows\system32\Thumbs.db
c:\windows\system32\TPAPSLOG.LOG
c:\windows\system32\TPHDLOG0.LOG
Q:\AUTORUN.INF
S:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))
.
.
2012-07-25 15:43 . 2012-07-25 15:43--------d-----w-C:\FRST
2012-07-24 04:55 . 2012-07-24 12:09--------d-----w-c:\program files\Enigma Software Group
2012-07-24 04:54 . 2012-07-24 12:08--------d-----w-c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-07-24 04:54 . 2012-07-24 04:54--------d-----w-c:\program files\Common Files\Wise Installation Wizard
2012-07-23 21:42 . 2012-07-23 21:42--------d-----w-C:\TDSSKiller_Quarantine
2012-07-23 21:04 . 2012-07-23 21:04388096----a-r-c:\users\Rich\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-07-23 18:31 . 2012-07-23 18:58--------d-----w-c:\programdata\Spybot - Search & Destroy
2012-07-23 18:31 . 2012-07-23 18:33--------d-----w-c:\program files\Spybot - Search & Destroy
2012-07-23 18:25 . 2012-07-23 18:25--------d-----w-c:\users\Rich\AppData\Local\ElevatedDiagnostics
2012-07-22 21:27 . 2012-07-22 21:27--------d-sh--w-c:\windows\system32\%APPDATA%
2012-07-22 20:39 . 2012-07-22 20:59--------d-----w-c:\users\Rich\AppData\Roaming\.minecraft
2012-07-13 13:50 . 2012-06-13 13:402047488----a-w-c:\windows\system32\win32k.sys
2012-07-13 13:45 . 2012-06-05 16:47708608----a-w-c:\program files\Common Files\System\ado\msado15.dll
2012-07-13 13:45 . 2012-06-05 16:471401856----a-w-c:\windows\system32\msxml6.dll
2012-07-13 13:45 . 2012-06-05 16:471248768----a-w-c:\windows\system32\msxml3.dll
2012-07-13 13:44 . 2012-06-04 15:26440704----a-w-c:\windows\system32\drivers\ksecdd.sys
2012-07-13 13:44 . 2012-06-02 00:03204288----a-w-c:\windows\system32\ncrypt.dll
2012-07-13 13:44 . 2012-06-02 00:04278528----a-w-c:\windows\system32\schannel.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-03 17:46 . 2011-03-01 22:1422344----a-w-c:\windows\system32\drivers\mbam.sys
2012-06-02 22:19 . 2012-06-21 11:3953784----a-w-c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 11:3945080----a-w-c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 11:3935864----a-w-c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 11:39577048----a-w-c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 11:391933848----a-w-c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-21 11:392422272----a-w-c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-21 11:3988576----a-w-c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 11:39171904----a-w-c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-21 11:3933792----a-w-c:\windows\system32\wuapp.exe
2012-05-15 06:37 . 2012-06-13 11:54916992----a-w-c:\windows\system32\wininet.dll
2012-05-15 06:32 . 2012-06-13 11:5443520----a-w-c:\windows\system32\licmgr10.dll
2012-05-15 06:32 . 2012-06-13 11:541469440----a-w-c:\windows\system32\inetcpl.cpl
2012-05-15 06:31 . 2012-06-13 11:54109056----a-w-c:\windows\system32\iesysprep.dll
2012-05-15 06:31 . 2012-06-13 11:5471680----a-w-c:\windows\system32\iesetup.dll
2012-05-15 05:01 . 2012-06-13 11:54385024----a-w-c:\windows\system32\html.iec
2012-05-15 03:26 . 2012-06-13 11:54133632----a-w-c:\windows\system32\ieUnatt.exe
2012-05-15 03:23 . 2012-06-13 11:541638912----a-w-c:\windows\system32\mshtml.tlb
2012-05-04 20:09 . 2012-05-04 20:09476960----a-w-c:\windows\system32\npdeployJava1.dll
2012-05-04 20:09 . 2010-10-28 04:25472864----a-w-c:\windows\system32\deployJava1.dll
2012-05-01 14:03 . 2012-06-13 11:54180736----a-w-c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:1994208----a-w-c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:1994208----a-w-c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:1994208----a-w-c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-24 206240]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-24 487424]
"TpShocks"="TpShocks.exe" [2008-06-07 181536]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2009-04-15 61728]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-12-04 185896]
"RoxioDragToDisc"="c:\program files\Lenovo\Drag-to-Disc\DrgToDsc.exe" [2007-03-13 1116920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2009-01-14 644384]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2008-05-29 367128]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 145944]
"Message Center Plus"="c:\program files\LENOVO\Message Center Plus\MCPLaunch.exe" [2009-05-28 49976]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2008-08-31 165208]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2008-08-31 124248]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2009-02-11 1191936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
"IaNvSrv"="c:\program files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe" [2009-02-23 33304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-11-03 182808]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-04 242976]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2008-06-25 3077432]
"CreateLMBCShortCut"="c:\program files\Lenovo\Mobile Broadband Connect\UserShortcutCreator.exe" [2009-04-13 40960]
"CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BTVLogEx.DLL" [2009-01-14 214576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ACWlIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWlIcon.exe" [2009-04-16 177440]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2009-04-16 435488]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-5 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office 2000\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetworkREG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache
HPZ12REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 19:54]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 21:08]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-01 21:08]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3651803881-577552454-1164569185-1003Core.job
- c:\users\Rich\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-30 23:05]
.
2012-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3651803881-577552454-1164569185-1003UA.job
- c:\users\Rich\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-30 23:05]
.
2012-07-16 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2009-02-20 20:57]
.
2012-07-25 c:\windows\Tasks\User_Feed_Synchronization-{3C1880B2-4DB5-4B71-A925-8296E0027D74}.job
- c:\windows\system32\msfeedssync.exe [2012-06-13 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.100.1
TCP: Interfaces\{3A2487DF-4FC8-4633-91AA-B7B0E8442563}: NameServer = 0.0.0.0
DPF: Web-Based Email Tools - hxxp://email05.secureserver.net/Download.CAB
FF - ProfilePath - c:\users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\h6onl1c9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-LAME for Audacity_is1 - c:\program files\Audacity\Lame for Audacity\unins000.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3651803881-577552454-1164569185-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1022E41E-5986-485A-979E-242FEE380E88}* = 0*]
"AppName"="Roblox.exe"
"Policy"=dword:00000003
"AppPath"="c:\\Users\\Rich\\AppData\\Local\\Roblox\\Versions\\version-3bc3e39888854c74\\"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3456)
c:\users\Rich\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\iashost.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2012-07-25 15:45:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-25 19:44
.
Pre-Run: 38,225,571,840 bytes free
Post-Run: 37,692,157,952 bytes free
.
- - End Of File - - E70613497B7E33F81EA2BF66FE3DD615
Changes I noticed:
No more popup advertisements when browsing the web.
Windows Firewall is now on.
Windows Update now works.
Security Center service still won't start.
I currently have no real-time antivirus protection running. Should I reinstall Microsoft Security Essentials now, as your instructions recommend, or wait for your green light?
Can you recommend an antivirus product that will block Sirefef (ZeroAccess) variants? Security Essentials did not prevent this infection.
Thanks,
Rich