Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: Trojans cleaned, modified windows.  (Read 5794 times)

0 Members and 1 Guest are viewing this topic.

SalP

    Topic Starter


    Rookie
    • Experience: Familiar
    • OS: Windows 7
    Trojans cleaned, modified windows.
    « on: January 12, 2012, 10:54:13 AM »
    It appears I had been infected with a Trojan virus.  It looks like it modified Windows.  I'll post the original MBAM logs along with a screen shot momentarily.

    Quote
    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.12.01

    Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.7601.17514
    Sal :: SAL-PC [administrator]

    1/12/2012 2:34:40 AM
    mbam-log-2012-01-12 (02-34-40).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 476523
    Time elapsed: 1 hour(s), 37 minute(s), 39 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|LuJmxWoSNc.exe (Trojan.FakeAlert) -> Data: C:\ProgramData\LuJmxWoSNc.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 2
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 7
    C:\ProgramData\LuJmxWoSNc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\ProgramData\HjwzEGjO3hMIss.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Sal\AppData\Local\Temp\Mifd7ysZ7UZUl6.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Sal\AppData\Local\Temp\ICReinstall\cnet2_Lives_exe.exe (PUP.CNET.Adware.Bundle) -> Quarantined and deleted successfully.
    C:\Users\Sal\AppData\Local\Temp\ICReinstall\cnet2_mod-video-converter_exe.exe (PUP.CNET.Adware.Bundle) -> Quarantined and deleted successfully.
    C:\Users\Sal\AppData\Local\Temp\ICReinstall\cnet2_Pazera_Free_MP4_to_AVI_Converter_exe.exe (PUP.CNET.Adware.Bundle) -> Quarantined and deleted successfully.
    C:\Users\Sal\AppData\Local\Temp\ICReinstall\cnet2_SpesoftVideoConverterSetup_exe.exe (PUP.CNET.Adware.Bundle) -> Quarantined and deleted successfully.

    (end)

    Quote
    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.12.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    Sal :: SAL-PC [administrator]

    1/12/2012 4:16:40 AM
    mbam-log-2012-01-12 (04-16-40).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 476996
    Time elapsed: 2 hour(s), 43 minute(s), 59 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\$Recycle.Bin\S-1-5-21-3871039636-1935808284-3132821144-1000\$R3LEX4B.exe (PUP.CNET.Adware.Bundle) -> Quarantined and deleted successfully.

    (end)

    Quote
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/12/2012 at 12:22 PM

    Application Version : 5.0.1142

    Core Rules Database Version : 8126
    Trace Rules Database Version: 5938

    Scan type       : Quick Scan
    Total Scan Time : 00:22:11

    Operating System Information
    Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
    UAC On - Limited User

    Memory items scanned      : 606
    Memory threats detected   : 0
    Registry items scanned    : 60391
    Registry threats detected : 0
    File items scanned        : 30977
    File threats detected     : 0


    Quote
    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.12.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 8.0.7601.17514
    Sal :: SAL-PC [administrator]

    1/12/2012 12:24:09 PM
    mbam-log-2012-01-12 (12-24-09).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 178220
    Time elapsed: 5 minute(s), 52 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    Quote
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 1.6.0_30
    Run by Sal at 12:35:04 on 2012-01-12
    Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6143.4337 [GMT -5:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Windows\system32\mfevtps.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Users\Sal\AppData\Roaming\Spotify\spotify.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files\mcafee.com\agent\mcagent.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\system32\msiexec.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111220044023.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
    uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [Spotify] "C:\Users\Sal\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart
    uRun: [Google Update] "C:\Users\Sal\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{906A0659-4400-4DC7-B110-51D3B7A309F7} : DhcpNameServer = 192.168.1.1 68.237.161.12
    TCP: Interfaces\{9119282E-5577-4E9E-BAEF-A78718186537} : DhcpNameServer = 192.168.1.1 68.237.161.12
    TCP: Interfaces\{A8879E61-4DAF-4925-84BA-80063B6E8548} : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{AE0795C9-B67C-46E9-AA31-3DA152801F46} : DhcpNameServer = 192.168.1.1 68.237.161.12
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\msc\McSnIePl.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO-X64:     HP Print Enhancer - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64:     AcroIEHelperStub - No File
    BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO-X64:     McAfee Phishing Filter - No File
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111220044023.dll
    BHO-X64:     scriptproxy - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64:     SkypeIEPluginBHO - No File
    BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    BHO-X64:     HP Smart BHO Class - No File
    TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
    mRun-x64: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun-x64: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Sal\AppData\Roaming\Mozilla\Firefox\Profiles\bc6vgme3.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
    FF - plugin: c:\progra~2\mcafee\msc\npMcSnFFPl.dll
    FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnu.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\Sal\AppData\Local\Google\Update\1.3.21.93\npGoogleUpdate3.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
    R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
    R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
    R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
    R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-3-16 13336]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-8-31 249936]
    R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-8-31 249936]
    R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-8-31 249936]
    R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-8-31 249936]
    R2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2011-3-16 199272]
    R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2011-3-16 208536]
    R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
    R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
    R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]
    R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2011-3-16 689472]
    R3 AE1000;Linksys AE1000 Driver;C:\Windows\system32\DRIVERS\ae1000w7.sys --> C:\Windows\system32\DRIVERS\ae1000w7.sys [?]
    R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
    R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
    R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
    R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
    R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
    R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]
    S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
    S3 Andbus;LGE Android Platform Composite USB Device;C:\Windows\system32\DRIVERS\lgandbus64.sys --> C:\Windows\system32\DRIVERS\lgandbus64.sys [?]
    S3 AndDiag;LGE Android Platform USB Serial Port;C:\Windows\system32\DRIVERS\lganddiag64.sys --> C:\Windows\system32\DRIVERS\lganddiag64.sys [?]
    S3 AndGps;LGE Android Platform USB GPS NMEA Port;C:\Windows\system32\DRIVERS\lgandgps64.sys --> C:\Windows\system32\DRIVERS\lgandgps64.sys [?]
    S3 ANDModem;LGE Android Platform USB Modem;C:\Windows\system32\DRIVERS\lgandmodem64.sys --> C:\Windows\system32\DRIVERS\lgandmodem64.sys [?]
    S3 McAWFwk;McAfee Activation Service;C:\PROGRA~1\mcafee\msc\mcawfwk.exe [2011-3-16 220528]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
    S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-8-31 249936]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-01-12 16:58:37   --------   d-----w-   C:\Users\Sal\AppData\Roaming\SUPERAntiSpyware.com
    2012-01-12 16:58:17   --------   d-----w-   C:\ProgramData\SUPERAntiSpyware.com
    2012-01-12 16:58:17   --------   d-----w-   C:\Program Files\SUPERAntiSpyware
    2012-01-12 16:54:16   --------   d-----w-   C:\Program Files\CCleaner
    2012-01-12 16:42:12   --------   d-----w-   C:\Users\Sal\AppData\Local\{BE4A8820-8C48-46BB-91F7-4BB27EE235AE}
    2012-01-12 16:41:52   --------   d-----w-   C:\Users\Sal\AppData\Local\{01FCEC20-A538-4018-A3D6-1E6433720E78}
    2012-01-11 19:39:53   --------   d-----w-   C:\Users\Sal\AppData\Local\{23543AD4-B8B1-4655-93B6-86EE679CA3DD}
    2012-01-11 02:19:35   1572864   ----a-w-   C:\Windows\System32\quartz.dll
    2012-01-11 02:19:35   1328128   ----a-w-   C:\Windows\SysWow64\quartz.dll
    2012-01-11 02:19:34   514560   ----a-w-   C:\Windows\SysWow64\qdvd.dll
    2012-01-11 02:19:34   366592   ----a-w-   C:\Windows\System32\qdvd.dll
    2012-01-11 02:19:27   1731920   ----a-w-   C:\Windows\System32\ntdll.dll
    2012-01-11 02:19:27   1292080   ----a-w-   C:\Windows\SysWow64\ntdll.dll
    2012-01-11 02:19:25   77312   ----a-w-   C:\Windows\System32\packager.dll
    2012-01-11 02:19:24   67072   ----a-w-   C:\Windows\SysWow64\packager.dll
    2012-01-11 02:07:16   --------   d-----w-   C:\Users\Sal\AppData\Local\{091B1AAF-6494-4813-8CF6-BF76FDF5EE86}
    2012-01-11 02:06:41   --------   d-----w-   C:\Users\Sal\AppData\Local\{C774196C-962A-438E-9440-E49E70A08352}
    2012-01-07 19:38:31   --------   d-----w-   C:\Program Files (x86)\Educational Simulations
    2012-01-07 00:26:39   479232   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
    2012-01-07 00:26:39   43992   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
    2012-01-07 00:26:38   626688   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
    2012-01-07 00:26:38   548864   ----a-w-   C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
    2012-01-02 16:24:03   --------   d-----w-   C:\Users\Sal\AppData\Local\{6DE55C4D-1E5E-4FDB-8644-787D191C1993}
    2011-12-30 04:37:50   --------   d-----w-   C:\Users\Sal\AppData\Roaming\Pamela Call Recorder
    2011-12-30 04:37:25   --------   d-----w-   C:\Users\Sal\AppData\Roaming\Pamela
    2011-12-30 04:37:24   172544   ----a-w-   C:\Windows\SysWow64\RemoteControl.dll
    2011-12-30 04:37:23   --------   d-----w-   C:\Program Files (x86)\PamelaPCR
    2011-12-29 02:31:48   --------   d-----w-   C:\Program Files (x86)\Free M4a to MP3 Converter
    2011-12-29 02:00:41   --------   d-----w-   C:\Program Files (x86)\pazera-software
    2011-12-29 01:58:25   --------   d-----w-   C:\MTV_OUTPUT
    2011-12-29 01:58:07   --------   d-----w-   C:\Program Files (x86)\Video Convert
    2011-12-29 01:57:50   77824   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
    2011-12-29 01:57:50   32768   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
    2011-12-29 01:57:50   225280   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
    2011-12-29 01:57:50   176128   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
    2011-12-29 01:57:49   614532   ----a-w-   C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    2011-12-29 01:46:45   --------   d-----w-   C:\Users\Sal\AppData\Local\*SPAM URL* Studio
    2011-12-28 12:44:34   --------   d-----w-   C:\Users\Sal\AppData\Local\{6A4B126E-21F2-4622-AE3B-BB783E6FB4F1}
    2011-12-28 12:44:15   --------   d-----w-   C:\Users\Sal\AppData\Local\{6CADD8DD-B05F-4BF4-B9F8-3D7A6F903AC1}
    2011-12-15 19:17:38   --------   d-----w-   C:\Users\Sal\AppData\Local\{2FBC307F-8942-4A11-8CCA-0DEAF80B73FF}
    2011-12-15 19:17:20   --------   d-----w-   C:\Users\Sal\AppData\Local\{70A27D54-EAC0-4349-BD51-FCC06CFB9FB6}
    2011-12-14 17:52:11   43520   ----a-w-   C:\Windows\System32\csrsrv.dll
    2011-12-14 17:52:03   1188864   ----a-w-   C:\Windows\System32\wininet.dll
    2011-12-14 17:52:00   981504   ----a-w-   C:\Windows\SysWow64\wininet.dll
    2011-12-14 06:53:53   --------   d-----w-   C:\Users\Sal\AppData\Local\{FD60E775-E57B-485C-B3FD-F7CEDB5BAFA1}
    2011-12-14 06:53:32   --------   d-----w-   C:\Users\Sal\AppData\Local\{6BF1CE0C-4D8D-48A1-AECB-71F9FB977E9E}
    .
    ==================== Find3M  ====================
    .
    2011-12-10 20:24:08   23152   ----a-w-   C:\Windows\System32\drivers\mbam.sys
    2011-11-24 04:52:09   3145216   ----a-w-   C:\Windows\System32\win32k.sys
    2011-11-10 10:54:13   472808   ----a-w-   C:\Windows\SysWow64\deployJava1.dll
    2011-11-06 03:48:02   414368   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-05 05:32:50   2048   ----a-w-   C:\Windows\System32\tzres.dll
    2011-11-05 04:26:03   2048   ----a-w-   C:\Windows\SysWow64\tzres.dll
    2011-11-05 03:32:47   1638912   ----a-w-   C:\Windows\System32\mshtml.tlb
    2011-11-05 02:48:51   1638912   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
    2011-10-24 19:29:02   94208   ----a-w-   C:\Windows\SysWow64\QuickTimeVR.qtx
    2011-10-24 19:29:02   69632   ----a-w-   C:\Windows\SysWow64\QuickTime.qts
    2011-10-18 19:32:28   161168   ----a-w-   C:\Windows\System32\mfevtps.exe
    2011-10-15 18:16:16   75808   ----a-w-   C:\Windows\System32\drivers\mfenlfk.sys
    2011-10-15 18:16:16   65264   ----a-w-   C:\Windows\System32\drivers\cfwids.sys
    2011-10-15 18:16:16   647080   ----a-w-   C:\Windows\System32\drivers\mfehidk.sys
    2011-10-15 18:16:16   481768   ----a-w-   C:\Windows\System32\drivers\mfefirek.sys
    2011-10-15 18:16:16   284648   ----a-w-   C:\Windows\System32\drivers\mfewfpk.sys
    2011-10-15 18:16:16   229528   ----a-w-   C:\Windows\System32\drivers\mfeavfk.sys
    2011-10-15 18:16:16   160280   ----a-w-   C:\Windows\System32\drivers\mfeapfk.sys
    2011-10-15 18:16:16   10248   ----a-w-   C:\Windows\System32\drivers\mfeclnk.sys
    2011-10-15 18:16:16   100912   ----a-w-   C:\Windows\System32\drivers\mferkdet.sys
    2011-10-15 06:31:56   723456   ----a-w-   C:\Windows\System32\EncDec.dll
    2011-10-15 05:38:59   534528   ----a-w-   C:\Windows\SysWow64\EncDec.dll
    .
    ============= FINISH: 12:41:27.98 ===============


    Quote
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 3/22/2011 3:45:30 PM
    System Uptime: 1/12/2012 11:40:06 AM (1 hours ago)
    .
    Motherboard: Dell Inc. |  | 018D1Y
    Processor: Pentium(R) Dual-Core  CPU      E5800  @ 3.20GHz | CPU 1 | 3203/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 918 GiB total, 509.347 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP66: 12/15/2011 3:00:20 AM - Windows Update
    RP67: 12/28/2011 8:32:26 PM - Installed Coby Media Manager
    RP68: 12/28/2011 8:57:54 PM - Installed Video Convert
    RP69: 1/10/2012 11:10:19 PM - Windows Update
    RP70: 1/12/2012 12:31:35 PM - Installed Java(TM) 6 Update 30
    .
    ==== Installed Programs ======================
    .
     Update for Microsoft Office 2007 (KB2508958)
    Adobe AIR
    Adobe Community Help
    Adobe Download Assistant
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.2
    AIM 7
    Amazon MP3 Downloader 1.0.14
    Apple Application Support
    Apple Software Update
    Audacity 1.3.12
    BufferChm
    Consumer In-Home Service Agreement
    Copy
    D3DX10
    Dell DataSafe Local Backup
    Dell DataSafe Local Backup - Support Software
    Dell DataSafe Online
    Dell Dock
    Dell Getting Started Guide
    Dell Marketplace Webslice IE8
    Destinations
    DeviceDiscovery
    DirectX 9 Runtime
    DJ_AIO_05_F4400_Software_Min
    Download Updater (AOL LLC)
    Dropbox
    F4400
    Free M4a to MP3 Converter 7.0
    Google Chrome
    GoToAssist 8.0.0.514
    GPBaseService2
    HP Photo Creations
    HP Update
    HPPhotoGadget
    HPProductAssistant
    HPSSupply
    Intel(R) Control Center
    Intel(R) Rapid Storage Technology
    Internet Explorer
    Java Auto Updater
    Java(TM) 6 Update 30
    Junk Mail filter update
    LAME v3.98.3 for Audacity
    Last.fm 1.5.4.27091
    LG United Mobile Drivers
    Malwarebytes Anti-Malware version 1.60.0.1800
    MarketResearch
    McAfee SecurityCenter
    Mesh Runtime
    Messenger Companion
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Starter 2010 - English
    Microsoft Office Word MUI (English) 2007
    Microsoft PowerPoint Viewer
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFCLOC_x86
    Mozilla Firefox 9.0.1 (x86 en-US)
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP3 Parser (KB973685)
    Pam Call Recorder 4.8
    Pazera Free MP4 to AVI Converter 1.6
    PhotoShowExpress
    Police Quest: SWAT 1, 2
    QuickTime
    Real Lives 2004
    Realtek High Definition Audio Driver
    Redist
    Roxio Activation Module
    Roxio BackOnTrack
    Roxio Burn
    Roxio Creator Starter
    Roxio Express Labeler 3
    Scan
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Skype Click to Call
    Skype™ 5.5
    SmartWebPrinting
    SolutionCenter
    Sonic CinePlayer Decoder Pack
    Spotify
    Status
    Steam
    System Requirements Lab
    System Requirements Lab CYRI
    Toolbox
    TrayApp
    TrustedID
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Verizon Media Manager
    Video Convert
    WebReg
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Yahoo! Messenger
    YouTube Downloader 3.4
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/12/2012 4:13:31 AM, Error: Service Control Manager [7001]  - The Computer Browser service depends on the Server service which failed to start because of the following error:  The dependency service or group failed to start.
    1/12/2012 2:31:54 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {395633B1-EED9-4DFC-B67F-9788B51C9F06}
    1/12/2012 2:31:43 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    1/12/2012 2:30:09 AM, Error: Service Control Manager [7001]  - The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:  The dependency service or group failed to start.
    1/12/2012 2:30:09 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    1/12/2012 2:30:09 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    1/12/2012 2:30:03 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/12/2012 2:29:55 AM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    1/12/2012 2:29:49 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  discache spldr Wanarpv6
    1/12/2012 2:29:42 AM, Error: Service Control Manager [7001]  - The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error:  The dependency service or group failed to start.
    1/12/2012 11:46:52 AM, Error: Service Control Manager [7022]  - The Windows Update service hung on starting.
    1/10/2012 9:06:02 PM, Error: VDS Basic Provider [1]  - Unexpected failure. Error code: D@01010004
    1/10/2012 9:05:23 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the Client Virtualization Handler service to connect.
    1/10/2012 9:05:23 PM, Error: Service Control Manager [7000]  - The Client Virtualization Handler service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================

    « Last Edit: January 12, 2012, 11:36:37 AM by SalP »

    SalP

      Topic Starter


      Rookie
      • Experience: Familiar
      • OS: Windows 7
      Re: Trojans cleaned, modified windows.
      « Reply #1 on: January 12, 2012, 10:55:38 AM »
      I apologize.  I had mistakenly attached the logs instead of copying and pasting them in quotes.
      « Last Edit: January 12, 2012, 11:37:16 AM by SalP »

      SuperDave

      • Malware Removal Specialist


      • Sage
      • Thanked: 858
      • Certifications: List
      • Experience: Expert
      • OS: Windows 8
      Re: Trojans cleaned, modified windows.
      « Reply #2 on: January 12, 2012, 12:08:53 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *************************************************************************
      Quote
      I apologize.  I had mistakenly attached the logs instead of copying and pasting them in quotes.
      Not a problem.

      Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

      link # 1
      Link # 2
      If you are using Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

      Right-click combofix.exe and select Run as Administrator and follow the prompts.
      When finished, ComboFix will produce a log for you.
      Post the ComboFix login your next reply.

      NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
      Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8 with a dual boot to Windows XP  Home with SP3, Avira  with Windows Firewall & Windows Defender

      SalP

        Topic Starter


        Rookie
        • Experience: Familiar
        • OS: Windows 7
        Re: Trojans cleaned, modified windows.
        « Reply #3 on: January 12, 2012, 01:00:25 PM »
        Here's the log.  Thank you for getting back to me so quickly.  Most programs say that the registry has been marked for deletion.  Is that normal?

        Quote
        ComboFix 12-01-12.04 - Sal 01/12/2012  14:22:55.1.2 - x64
        Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6143.4680 [GMT -5:00]
        Running from: c:\users\Sal\Downloads\ComboFix.exe
        AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
        FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
        SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
        SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
        .
        .
        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        c:\programdata\458ffeq4p6hr700641u
        c:\programdata\HjwzEGjO3hMIss
        c:\users\Sal\AppData\Local\awd.exe
        c:\users\Sal\AppData\Local\dqvy.exe
        c:\users\Sal\AppData\Local\elw.exe
        c:\users\Sal\AppData\Local\ivob.exe
        c:\users\Sal\AppData\Local\lnsy.exe
        c:\users\Sal\AppData\Local\rgbv.exe
        c:\users\Sal\AppData\Roaming\Microsoft\Windows\Templates\458ffeq4p6hr700641u
        c:\windows\SwSys1.bmp
        c:\windows\SwSys2.bmp
        c:\windows\system32\drivers\etc\hosts.ics
        c:\windows\system32\java.exe
        .
        .
        (((((((((((((((((((((((((   Files Created from 2011-12-12 to 2012-01-12  )))))))))))))))))))))))))))))))
        .
        .
        2012-01-12 19:32 . 2012-01-12 19:32   --------   d-----w-   c:\users\Default\AppData\Local\temp
        2012-01-12 17:34 . 2012-01-12 17:34   --------   d-----w-   c:\program files (x86)\Common Files\Java
        2012-01-12 16:58 . 2012-01-12 16:58   --------   d-----w-   c:\users\Sal\AppData\Roaming\SUPERAntiSpyware.com
        2012-01-12 16:58 . 2012-01-12 16:58   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2012-01-12 16:58 . 2012-01-12 16:58   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
        2012-01-12 16:54 . 2012-01-12 16:54   --------   d-----w-   c:\program files\CCleaner
        2012-01-11 02:19 . 2011-10-26 05:25   1572864   ----a-w-   c:\windows\system32\quartz.dll
        2012-01-11 02:19 . 2011-10-26 04:32   1328128   ----a-w-   c:\windows\SysWow64\quartz.dll
        2012-01-11 02:19 . 2011-10-26 05:25   366592   ----a-w-   c:\windows\system32\qdvd.dll
        2012-01-11 02:19 . 2011-10-26 04:32   514560   ----a-w-   c:\windows\SysWow64\qdvd.dll
        2012-01-11 02:19 . 2011-11-17 06:41   1731920   ----a-w-   c:\windows\system32\ntdll.dll
        2012-01-11 02:19 . 2011-11-17 05:38   1292080   ----a-w-   c:\windows\SysWow64\ntdll.dll
        2012-01-11 02:19 . 2011-11-19 14:58   77312   ----a-w-   c:\windows\system32\packager.dll
        2012-01-11 02:19 . 2011-11-19 14:01   67072   ----a-w-   c:\windows\SysWow64\packager.dll
        2012-01-07 19:38 . 2012-01-07 19:38   --------   d-----w-   c:\program files (x86)\Educational Simulations
        2012-01-07 00:26 . 2012-01-07 00:26   479232   ----a-w-   c:\program files (x86)\Mozilla Firefox\msvcm80.dll
        2012-01-07 00:26 . 2012-01-07 00:26   43992   ----a-w-   c:\program files (x86)\Mozilla Firefox\mozutils.dll
        2012-01-07 00:26 . 2012-01-07 00:26   626688   ----a-w-   c:\program files (x86)\Mozilla Firefox\msvcr80.dll
        2012-01-07 00:26 . 2012-01-07 00:26   548864   ----a-w-   c:\program files (x86)\Mozilla Firefox\msvcp80.dll
        2011-12-30 04:37 . 2011-12-30 08:53   --------   d-----w-   c:\users\Sal\AppData\Roaming\Pamela Call Recorder
        2011-12-30 04:37 . 2011-12-30 04:37   --------   d-----w-   c:\users\Sal\AppData\Roaming\Pamela
        2011-12-30 04:37 . 2011-12-30 04:37   172544   ----a-w-   c:\windows\SysWow64\RemoteControl.dll
        2011-12-30 04:37 . 2011-12-30 04:37   --------   d-----w-   c:\program files (x86)\PamelaPCR
        2011-12-29 02:31 . 2011-12-29 02:31   --------   d-----w-   c:\program files (x86)\Free M4a to MP3 Converter
        2011-12-29 02:00 . 2011-12-29 02:00   --------   d-----w-   c:\program files (x86)\pazera-software
        2011-12-29 01:58 . 2011-12-29 01:58   --------   d-----w-   C:\MTV_OUTPUT
        2011-12-29 01:58 . 2011-12-29 01:58   --------   d-----w-   c:\program files (x86)\Video Convert
        2011-12-29 01:57 . 2001-09-05 10:18   77824   ----a-w-   c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
        2011-12-29 01:57 . 2001-09-05 10:18   225280   ----a-w-   c:\program files (x86)\Common Files\InstallShield\IScript\iscript.dll
        2011-12-29 01:57 . 2001-09-05 10:14   176128   ----a-w-   c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
        2011-12-29 01:57 . 2001-09-05 10:13   32768   ----a-w-   c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
        2011-12-29 01:57 . 2002-07-26 13:07   614532   ----a-w-   c:\program files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
        2011-12-29 01:46 . 2011-12-29 01:46   --------   d-----w-   c:\users\Sal\AppData\Local\*SPAM URL* Studio
        2011-12-14 17:52 . 2011-10-26 05:21   43520   ----a-w-   c:\windows\system32\csrsrv.dll
        2011-12-14 17:52 . 2011-11-05 05:41   1188864   ----a-w-   c:\windows\system32\wininet.dll
        2011-12-14 17:52 . 2011-11-05 04:35   981504   ----a-w-   c:\windows\SysWow64\wininet.dll
        .
        .
        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2011-12-10 20:24 . 2011-03-23 17:25   23152   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2011-11-10 10:54 . 2011-03-17 01:08   472808   ----a-w-   c:\windows\SysWow64\deployJava1.dll
        2011-11-06 03:48 . 2011-06-27 04:34   414368   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
        2011-10-24 19:29 . 2011-10-24 19:29   94208   ----a-w-   c:\windows\SysWow64\QuickTimeVR.qtx
        2011-10-24 19:29 . 2011-10-24 19:29   69632   ----a-w-   c:\windows\SysWow64\QuickTime.qts
        2011-10-18 19:32 . 2011-03-17 01:27   161168   ----a-w-   c:\windows\system32\mfevtps.exe
        2011-10-15 18:16 . 2011-03-17 01:27   10248   ----a-w-   c:\windows\system32\drivers\mfeclnk.sys
        2011-10-15 18:16 . 2010-10-14 03:28   75808   ----a-w-   c:\windows\system32\drivers\mfenlfk.sys
        2011-10-15 18:16 . 2010-10-14 03:28   65264   ----a-w-   c:\windows\system32\drivers\cfwids.sys
        2011-10-15 18:16 . 2010-10-14 03:28   647080   ----a-w-   c:\windows\system32\drivers\mfehidk.sys
        2011-10-15 18:16 . 2010-10-14 03:28   481768   ----a-w-   c:\windows\system32\drivers\mfefirek.sys
        2011-10-15 18:16 . 2010-10-14 03:28   284648   ----a-w-   c:\windows\system32\drivers\mfewfpk.sys
        2011-10-15 18:16 . 2010-10-14 03:28   229528   ----a-w-   c:\windows\system32\drivers\mfeavfk.sys
        2011-10-15 18:16 . 2010-10-14 03:28   160280   ----a-w-   c:\windows\system32\drivers\mfeapfk.sys
        2011-10-15 18:16 . 2010-10-14 03:28   100912   ----a-w-   c:\windows\system32\drivers\mferkdet.sys
        .
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4
        .
        [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
        @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
        [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
        2011-02-18 05:12   94208   ----a-w-   c:\users\Sal\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
        .
        [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
        @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
        [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
        2011-02-18 05:12   94208   ----a-w-   c:\users\Sal\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
        .
        [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
        @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
        [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
        2011-02-18 05:12   94208   ----a-w-   c:\users\Sal\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
        .
        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Spotify"="c:\users\Sal\AppData\Roaming\Spotify\spotify.exe" [2011-12-20 4010160]
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
        "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
        "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1675160]
        "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
        "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
        "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
        "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
        "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
        .
        c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
        Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
        "ConsentPromptBehaviorAdmin"= 5 (0x5)
        "ConsentPromptBehaviorUser"= 3 (0x3)
        "EnableUIADesktopToggle"= 0 (0x0)
        .
        [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
        "aux3"=wdmaud.drv
        .
        [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
        Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
        @=""
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
        @=""
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
        @=""
        .
        R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
        R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
        R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
        R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus64.sys

        R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag64.sys

        R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps64.sys

        R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem64.sys

        R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\steam\steamapps\common\ava\Binaries\GameGuard\dump_wmimmc.sys

        R3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [2010-08-30 220528]
        R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys

        R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
        R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
        R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

        R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys

        R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

        R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
        R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
        S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys

        S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys

        S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys

        S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
        S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
        S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys

        S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
        S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
        S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
        S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
        S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
        S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
        S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
        S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-10-18 208536]
        S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe

        S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE

        S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
        S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
        S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000w7.sys

        S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys

        S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys

        S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys

        S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys

        S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys

        S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys

        S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys

        S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys

        S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
        .
        .
        --- Other Services/Drivers In Memory ---
        .
        *NewlyCreated* - SASDIFSV
        *NewlyCreated* - WS2IFSL
        *Deregistered* - mfeavfk01
        .
        [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
        hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
        .
        Contents of the 'Scheduled Tasks' folder
        .
        2012-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3871039636-1935808284-3132821144-1000Core.job
        - c:\users\Sal\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-18 04:32]
        .
        2012-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3871039636-1935808284-3132821144-1000UA.job
        - c:\users\Sal\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-18 04:32]
        .
        .
        --------- x86-64 -----------
        .
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
        @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
        [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
        2011-02-18 05:12   97792   ----a-w-   c:\users\Sal\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
        @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
        [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
        2011-02-18 05:12   97792   ----a-w-   c:\users\Sal\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
        @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
        [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
        2011-02-18 05:12   97792   ----a-w-   c:\users\Sal\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
        .
        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
        @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
        [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
        2011-02-18 05:12   97792   ----a-w-   c:\users\Sal\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-21 8306208]
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
        "LoadAppInit_DLLs"=0x0
        .
        ------- Supplementary Scan -------
        .
        uLocal Page = c:\windows\system32\blank.htm
        mLocal Page = c:\windows\SysWOW64\blank.htm
        uInternet Settings,ProxyOverride = *.local
        IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
        TCP: DhcpNameServer = 192.168.1.1
        FF - ProfilePath - c:\users\Sal\AppData\Roaming\Mozilla\Firefox\Profiles\bc6vgme3.default\
        FF - prefs.js: browser.search.selectedEngine - Google
        FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=utf-8&q=
        FF - user.js: network.protocol-handler.warn-external.dnupdate - false
        .
        - - - - ORPHANS REMOVED - - - -
        .
        Toolbar-Locked - (no file)
        Toolbar-Locked - (no file)
        .
        .
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
        "ImagePath"="c:\windows\system32\GameMon.des -service"
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
        @Denied: (A 2) (Everyone)
        @="FlashBroker"
        "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
        "Enabled"=dword:00000001
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
        @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
        @Denied: (A 2) (Everyone)
        @="Shockwave Flash Object"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
        @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
        "ThreadingModel"="Apartment"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
        @="0"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
        @="ShockwaveFlash.ShockwaveFlash.10"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
        @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
        @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
        @="1.0"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
        @="ShockwaveFlash.ShockwaveFlash"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
        @Denied: (A 2) (Everyone)
        @="Macromedia Flash Factory Object"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
        @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
        "ThreadingModel"="Apartment"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
        @="FlashFactory.FlashFactory.1"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
        @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
        @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
        @="1.0"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
        @="FlashFactory.FlashFactory"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
        @Denied: (A 2) (Everyone)
        @="IFlashBroker4"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
        @="{00020424-0000-0000-C000-000000000046}"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
        "Version"="1.0"
        .
        [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
        "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
           00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
        @Denied: (A) (Users)
        @Denied: (A) (Everyone)
        @Allowed: (B 1 2 3 4 5) (S-1-5-20)
        "BlindDial"=dword:00000000
        .
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
        @Denied: (Full) (Everyone)
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
        c:\windows\SysWOW64\rundll32.exe
        .
        **************************************************************************
        .
        Completion time: 2012-01-12  14:47:09 - machine was rebooted
        ComboFix-quarantined-files.txt  2012-01-12 19:47
        .
        Pre-Run: 546,774,183,936 bytes free
        Post-Run: 546,164,207,616 bytes free
        .
        - - End Of File - - 455D748F45DC643E7F03D557D20B6C31


        SuperDave

        • Malware Removal Specialist


        • Sage
        • Thanked: 858
        • Certifications: List
        • Experience: Expert
        • OS: Windows 8
        Re: Trojans cleaned, modified windows.
        « Reply #4 on: January 12, 2012, 04:39:04 PM »
        Quote
        Most programs say that the registry has been marked for deletion.  Is that normal?
        I've seen that warning before but not in the same context. When do you receive that warning?

        Please download Rooter and Save it to your desktop.
        • Double click it to start the tool.Vista and Windows7 run as administrator.
        • Click Scan.
        • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.
        Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8 with a dual boot to Windows XP  Home with SP3, Avira  with Windows Firewall & Windows Defender

        SalP

          Topic Starter


          Rookie
          • Experience: Familiar
          • OS: Windows 7
          Re: Trojans cleaned, modified windows.
          « Reply #5 on: January 12, 2012, 04:54:36 PM »
          Upon the initial reboot, all programs gave me that response.  Upon a restart, they were functional.  The internet is connected, but no web pages come up.

          Quote
          Rooter.exe (v1.0.2) by Eric_71
          .
          SeDebugPrivilege granted successfully ...
          .
          Windows 7 Home Edition (6.1.7601) Service Pack 1
          [32_bits] - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
          .
          [wscsvc] (Security Center) RUNNING (state:4)
          [MpsSvc] RUNNING (state:4)
          Windows Firewall -> Enabled
          Windows Defender -> Enabled
          User Account Control (UAC) -> Enabled
          .
          Internet Explorer 8.0.7601.17514
          Mozilla Firefox 9.0.1 (en-US)
          .
          C:\  [Fixed-NTFS] .. ( Total:917 Go - Free:508 Go )
          D:\  [CD_Rom]
          E:\  [Removable]
          F:\  [Removable]
          G:\  [Removable]
          H:\  [Removable]
          Q:\  [Fixed-UDF] .. ( Total:0 Go - Free:0 Go )
          .
          Scan : 18:52.31
          Path : C:\Users\Sal\Desktop\Rooter.exe
          User : Sal ( Administrator -> YES )
          .
          ----------------------\\ Processes
          .
          Locked [System Process] (0)
          Locked System (4)
          ______ ???·?????? (284)
          ______ ???·?????? (508)
          ______ ???·?????? (564)
          ______ ???·?????? (576)
          ______ ???·?????? (620)
          ______ ???·?????? (636)
          ______ ???·?????? (644)
          ______ ???·?????? (752)
          ______ ???·?????? (780)
          ______ ???·?????? (844)
          ______ ???·?????? (884)
          ______ ???·?????? (932)
          ______ ???·?????? (180)
          ______ ???·?????? (448)
          ______ ???·?????? (316)
          ______ ???·?????? (1112)
          ______ C:\Program Files\Dell\DellDock\DockLogin.exe (1128)
          ______ ???·?????? (1216)
          ______ ???·?????? (1376)
          ______ ???·?????? (1416)
          ______ ???·?????? (1540)
          ______ C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (1564)
          ______ ???·?????? (1616)
          ______ C:\Windows\SysWOW64\svchost.exe (1664)
          ______ ???·?????? (1692)
          ______ ???·?????? (1736)
          ______ ???·?????? (1756)
          ______ ???·?????? (1860)
          ______ ???·?????? (1936)
          ______ ???·?????? (1240)
          ______ C:\Windows\SysWOW64\rundll32.exe (1160)
          ______ C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE (1840)
          ______ C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (1612)
          ______ ???·?????? (2068)
          ______ ???·?????? (2184)
          ______ ???·?????? (2308)
          ______ ???·?????? (2320)
          ______ ???·?????? (2440)
          ______ C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (2620)
          ______ C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE (3088)
          ______ ???·?????? (3164)
          ______ ???·?????? (3352)
          ______ ???·?????? (3388)
          ______ ???·?????? (3852)
          ______ ???·?????? (3988)
          ______ ???·?????? (4040)
          ______ ???·?????? (3504)
          ______ C:\Users\Sal\AppData\Roaming\Spotify\spotify.exe (3528)
          ______ C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (3576)
          ______ ???·?????? (3584)
          ______ C:\Program Files (x86)\iTunes\iTunesHelper.exe (3552)
          ______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (4272)
          ______ ???·?????? (4356)
          ______ ???·?????? (4144)
          ______ C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (4088)
          Locked audiodg.exe (4816)
          ______ ???·?????? (6168)
          ______ ???·?????? (6968)
          ______ C:\Users\Sal\Desktop\Rooter.exe (6140)
          .
          ----------------------\\ Device\Harddisk0\
          .
          \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
          .
          \Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:41094144)
          \Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:41943040 | Length:14828961792)
          \Device\Harddisk0\Partition3 (Start_Offset:14870904832 | Length:985332187136)
          .
          ----------------------\\ Scheduled Tasks
          .
          C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3871039636-1935808284-3132821144-1000Core.job
          C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3871039636-1935808284-3132821144-1000UA.job
          C:\Windows\Tasks\SA.DAT
          C:\Windows\Tasks\SCHEDLGU.TXT
          .
          ----------------------\\ Registry
          .
          .
          ----------------------\\ Files & Folders
          .
          ----------------------\\ Scan completed at 18:52.52
          .
          C:\Rooter$\Rooter_1.txt - (12/01/2012 | 18:52.52)

          SuperDave

          • Malware Removal Specialist


          • Sage
          • Thanked: 858
          • Certifications: List
          • Experience: Expert
          • OS: Windows 8
          Re: Trojans cleaned, modified windows.
          « Reply #6 on: January 13, 2012, 01:31:54 PM »
          Please download MiniToolBox to Desktop and run it.



          Checkmark the following boxes:

            • Flush DNS
            • Report IE Proxy Settings
            • Reset IE Proxy Settings
            • List content of Hosts
            • List IP Configuration
            • Lst Last 10 Event Viewer Errors
            • List Users, Partitions and Memory Size
            • [/b]
            Click Go and copy/paste the log (Result.txt) into your next post. .
            Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8 with a dual boot to Windows XP  Home with SP3, Avira  with Windows Firewall & Windows Defender

            SalP

              Topic Starter


              Rookie
              • Experience: Familiar
              • OS: Windows 7
              Re: Trojans cleaned, modified windows.
              « Reply #7 on: January 13, 2012, 01:44:58 PM »
              Quote
              MiniToolBox by Farbar
              Ran by Sal (administrator) on 13-01-2012 at 15:42:46
              Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
              Boot Mode: Normal
              ***************************************************************************

              ========================= Flush DNS: ===================================

              Windows IP Configuration

              Successfully flushed the DNS Resolver Cache.

              ========================= IE Proxy Settings: ==============================

              Proxy is not enabled.
              No Proxy Server is set.

              "Reset IE Proxy Settings": IE Proxy Settings were reset.
              ========================= Hosts content: =================================

              127.0.0.1       localhost

              ========================= IP Configuration: ================================

              MAC Bridge Miniport = Network Bridge (Disconnected)
              Linksys AE1000 = Wireless Network Connection 3 (Connected)
              Realtek PCIe GBE Family Controller = Local Area Connection (Media disconnected)


              # ----------------------------------
              # IPv4 Configuration
              # ----------------------------------
              pushd interface ipv4

              reset
              set global


              popd
              # End of IPv4 configuration



              Windows IP Configuration

                 Host Name . . . . . . . . . . . . : Sal-PC
                 Primary Dns Suffix  . . . . . . . :
                 Node Type . . . . . . . . . . . . : Mixed
                 IP Routing Enabled. . . . . . . . : No
                 WINS Proxy Enabled. . . . . . . . : No

              Tunnel adapter Teredo Tunneling Pseudo-Interface:

                 Media State . . . . . . . . . . . : Media disconnected
                 Connection-specific DNS Suffix  . :
                 Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
                 Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                 DHCP Enabled. . . . . . . . . . . : No
                 Autoconfiguration Enabled . . . . : Yes
              Server:  UnKnown
              Address:  127.0.0.1

              Ping request could not find host google.com. Please check the name and try again.
              Server:  UnKnown
              Address:  127.0.0.1

              Ping request could not find host yahoo.com. Please check the name and try again.
              Server:  UnKnown
              Address:  127.0.0.1

              Ping request could not find host bleepingcomputer.com. Please check the name and try again.

              Pinging 127.0.0.1 with 32 bytes of data:
              Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
              Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

              Ping statistics for 127.0.0.1:
                  Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
              Approximate round trip times in milli-seconds:
                  Minimum = 0ms, Maximum = 0ms, Average = 0ms
              ===========================================================================
              Interface List
                1...........................Software Loopback Interface 1
               17...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
              ===========================================================================

              IPv4 Route Table
              ===========================================================================
              Active Routes:
              Network Destination        Netmask          Gateway       Interface  Metric
                      127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
                      127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
                127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
                      224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
                255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
              ===========================================================================
              Persistent Routes:
                None

              IPv6 Route Table
              ===========================================================================
              Active Routes:
               If Metric Network Destination      Gateway
                1    306 ::1/128                  On-link
                1    306 ff00::/8                 On-link
              ===========================================================================
              Persistent Routes:
                None

              ========================= Event log errors: ===============================

              Application errors:
              ==================
              Error: (01/13/2012 02:31:25 PM) (Source: CVHSVC) (User: )
              Description: Information only.
              (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

              Error: (01/12/2012 11:54:05 PM) (Source: Bonjour Service) (User: )
              Description: Task Scheduling Error: m->NextScheduledSPRetry 7925

              Error: (01/12/2012 11:54:05 PM) (Source: Bonjour Service) (User: )
              Description: Task Scheduling Error: m->NextScheduledEvent 7925

              Error: (01/12/2012 11:54:05 PM) (Source: Bonjour Service) (User: )
              Description: Task Scheduling Error: Continuously busy for more than a second

              Error: (01/12/2012 03:40:10 PM) (Source: CVHSVC) (User: )
              Description: Information only.
              (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

              Error: (01/12/2012 03:01:43 PM) (Source: CVHSVC) (User: )
              Description: Information only.
              (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

              Error: (01/12/2012 02:43:44 PM) (Source: CVHSVC) (User: )
              Description: Information only.
              (Patch task for {90140011-0066-0409-0000-0000000FF1CE}): DownloadLatest Failed: There are currently no active network connections. Background Intelligent Transfer Service (BITS) will try again when an adapter is connected.

              Error: (01/10/2012 09:14:09 PM) (Source: Application Hang) (User: )
              Description: The program wmplayer.exe version 12.0.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

              Process ID: 214c

              Start Time: 01ccd0058ff12428

              Termination Time: 110

              Application Path: C:\Program Files (x86)\Windows Media Player\wmplayer.exe

              Report Id: e841b80f-3bf9-11e1-81b5-b8ac6fe30819

              Error: (01/06/2012 02:48:44 AM) (Source: Bonjour Service) (User: )
              Description: Task Scheduling Error: m->NextScheduledSPRetry 6848

              Error: (01/06/2012 02:48:44 AM) (Source: Bonjour Service) (User: )
              Description: Task Scheduling Error: m->NextScheduledEvent 6848


              System errors:
              =============
              Error: (01/13/2012 02:29:00 PM) (Source: Service Control Manager) (User: )
              Description: The Windows Update service hung on starting.

              Error: (01/13/2012 02:20:45 PM) (Source: BridgeMP) (User: )
              Description: Bridge: The bridge failed to create its virtual miniport.

              Error: (01/12/2012 03:29:33 PM) (Source: BridgeMP) (User: )
              Description: Bridge: The bridge failed to create its virtual miniport.

              Error: (01/12/2012 03:09:18 PM) (Source: Service Control Manager) (User: )
              Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
              %%1068

              Error: (01/12/2012 03:09:18 PM) (Source: Service Control Manager) (User: )
              Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
              %%1068

              Error: (01/12/2012 03:09:18 PM) (Source: Service Control Manager) (User: )
              Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
              %%1068

              Error: (01/12/2012 03:09:18 PM) (Source: Service Control Manager) (User: )
              Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
              %%1068

              Error: (01/12/2012 03:09:18 PM) (Source: Service Control Manager) (User: )
              Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
              %%1068

              Error: (01/12/2012 03:09:18 PM) (Source: Service Control Manager) (User: )
              Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
              %%1068

              Error: (01/12/2012 03:09:18 PM) (Source: Service Control Manager) (User: )
              Description: The Computer Browser service depends on the Server service which failed to start because of the following error:
              %%1068


              Microsoft Office Sessions:
              =========================

              ========================= Memory info: ===================================

              Percentage of memory in use: 31%
              Total physical RAM: 6142.99 MB
              Available physical RAM: 4179.22 MB
              Total Pagefile: 12284.18 MB
              Available Pagefile: 9937.4 MB
              Total Virtual: 4095.88 MB
              Available Virtual: 3977.09 MB

              ========================= Partitions: =====================================

              1 Drive c: (OS) (Fixed) (Total:917.66 GB) (Free:508.53 GB) NTFS
              2 Drive d: (Jan 12 2012) (CDROM) (Total:0.69 GB) (Free:0.63 GB) UDF

              ========================= Users: ========================================

              User accounts for \\SAL-PC

              Administrator            Guest                    Sal                     


              **** End of log ****

              SuperDave

              • Malware Removal Specialist


              • Sage
              • Thanked: 858
              • Certifications: List
              • Experience: Expert
              • OS: Windows 8
              Re: Trojans cleaned, modified windows.
              « Reply #8 on: January 13, 2012, 07:39:40 PM »
              Please download Farbar Service Scanner and run it on the computer with the issue.
              • Press "Scan".
              • It will create a log (FSS.txt) in the same directory the tool is run.
              • Please copy and paste the log to your reply.
              Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8 with a dual boot to Windows XP  Home with SP3, Avira  with Windows Firewall & Windows Defender

              SalP

                Topic Starter


                Rookie
                • Experience: Familiar
                • OS: Windows 7
                Re: Trojans cleaned, modified windows.
                « Reply #9 on: January 13, 2012, 07:44:31 PM »
                Quote
                Farbar Service Scanner
                Ran by Sal (administrator) on 13-01-2012 at 21:42:59
                Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
                Boot Mode: Normal
                ****************************************************************

                Internet Services:
                ============

                Connection Status:
                ==============
                Localhost is accessible.
                There is no connection to network.
                Google IP is accessible.
                Yahoo IP is accessible.


                File Check:
                ========
                C:\Windows\System32\nsisvc.dll => MD5 is legit
                C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
                C:\Windows\System32\dhcpcore.dll => MD5 is legit
                C:\Windows\System32\drivers\afd.sys => MD5 is legit
                C:\Windows\System32\drivers\tdx.sys => MD5 is legit
                C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
                C:\Windows\System32\dnsrslvr.dll => MD5 is legit
                C:\Windows\System32\svchost.exe => MD5 is legit
                C:\Windows\System32\rpcss.dll => MD5 is legit


                **** End of log ****

                SuperDave

                • Malware Removal Specialist


                • Sage
                • Thanked: 858
                • Certifications: List
                • Experience: Expert
                • OS: Windows 8
                Re: Trojans cleaned, modified windows.
                « Reply #10 on: January 14, 2012, 11:05:01 AM »
                How is your computer connected to the modem; hard wired or wireless? Did you try resetting the modem? Disconnect the power supply for at least 30 secs.
                Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8 with a dual boot to Windows XP  Home with SP3, Avira  with Windows Firewall & Windows Defender

                SalP

                  Topic Starter


                  Rookie
                  • Experience: Familiar
                  • OS: Windows 7
                  Re: Trojans cleaned, modified windows.
                  « Reply #11 on: January 14, 2012, 11:39:04 AM »
                  It's wireless.  I tried resetting the computer.  The computer detects the network and says connected, but when I attempt to connect to a webpage, it says "Server not found."

                  If I click "Troubleshoot problems," it suggests that there may be a problem with "the driver for the Network Bridge adapter."

                  SalP

                    Topic Starter


                    Rookie
                    • Experience: Familiar
                    • OS: Windows 7
                    Re: Trojans cleaned, modified windows.
                    « Reply #12 on: January 14, 2012, 11:48:37 AM »
                    It appears I fixed the problem.

                    Some time ago, I had set up a network bridge.  Since my computer does use the wireless adapter, I had set up a network bridge so I could connect my Xbox 360 via ethernet to the ethernet port, effectively allowing the 360 to connect to the internet.  Apparently, that bridge was causing problems now.  Once I disabled the bridge, everything appears to be working now.

                    Though, I did do one final scan with McAfee and it did find a Generic Exploit Trojan.  Perhaps I'm not out of the woods yet.  Running another MBAM scan as we speak.

                    SalP

                      Topic Starter


                      Rookie
                      • Experience: Familiar
                      • OS: Windows 7
                      Re: Trojans cleaned, modified windows.
                      « Reply #13 on: January 14, 2012, 01:36:08 PM »
                      The MBAM scan came up clean.  Everything seems to be running okay.  I could just use some help in cleanup.

                      SuperDave

                      • Malware Removal Specialist


                      • Sage
                      • Thanked: 858
                      • Certifications: List
                      • Experience: Expert
                      • OS: Windows 8
                      Re: Trojans cleaned, modified windows.
                      « Reply #14 on: January 14, 2012, 01:39:58 PM »
                      One more scan and we can then do some cleanup.

                      I'd like to scan your machine with ESET OnlineScan

                      •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                      ESET OnlineScan
                      •Click the button.
                      •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                      • Click on to download the ESET Smart Installer. Save it to your desktop.
                      • Double click on the icon on your desktop.
                      •Check
                      •Click the button.
                      •Accept any security warnings from your browser.
                      •Check
                      •Push the Start button.
                      •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                      •When the scan completes, push
                      •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                      •Push the button.
                      •Push
                      A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
                      Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8 with a dual boot to Windows XP  Home with SP3, Avira  with Windows Firewall & Windows Defender