cwojeski

  1. Your help is greatly appreciated! I did run DeFogger, but I'm unable to locate it now. A search for it in programs comes up empty too. Any suggestions?
  2. ComboFix 10-11-23.01 - Wojo 11/23/2010 21:09:22.4.2 - x86
     Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1014.207 [GMT -5:00]
     Running from: c:\users\Wojo\Desktop\ComboFix.exe
     Command switches used :: c:\users\Wojo\Desktop\CFScript.txt
     FILE ::
     "c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     ---- Previous Run -------
     .
     c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
     .
     [Files Created, Find3M, Reg Loading Points, services, scheduled tasks, supplementary scan, locked registry keys and running-process listings omitted]
     .
     Completion time: 2010-11-23 21:57:43 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-11-24 02:57
     ComboFix2.txt 2010-11-23 22:47
     ComboFix3.txt 2010-11-23 03:21
     Pre-Run: 64,331,337,728 bytes free
     Post-Run: 63,935,852,544 bytes free
     - - End Of File - - C8E0CA4D56FB38AB1433337172D34141
  3. ComboFix 10-11-22.04 - Wojo 11/23/2010 16:36:13.2.2 - x86
     Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1014.395 [GMT -5:00]
     Running from: c:\users\Wojo\Desktop\ComboFix.exe
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     Infected copy of c:\windows\system32\scecli.dll was found and disinfected
     Restored copy from - c:\windows\ERDNT\cache\scecli.dll
     .
     [Files Created, Find3M, Reg Loading Points, services, scheduled tasks, supplementary scan, locked registry keys and running-process listings omitted]
     .
     Completion time: 2010-11-23 17:47:47 - machine was rebooted
     ComboFix-quarantined-files.txt 2010-11-23 22:47
     ComboFix2.txt 2010-11-23 03:21
     Pre-Run: 64,547,237,888 bytes free
     Post-Run: 64,456,757,248 bytes free
     - - End Of File - - B0EC898BAD7B798589EC74406D0D305C
  4. I removed one program called "Webroot". Upon restart System Tools did not appear. Is there anything else I can/should do to ensure that this infection is removed?
  5. ESETSmartInstaller@High as downloader log:
     all ok
     # version=7
     # OnlineScannerApp.exe=1.0.0.1
     # OnlineScanner.ocx=1.0.0.6211
     # api_version=3.0.2
     # EOSSerial=3c19d355c6a41b4b9cdd62cdf02158f1
     # end=finished
     # remove_checked=true
     # archives_checked=true
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2010-11-23 04:23:44
     # local_time=2010-11-23 11:23:44 (-0500, Eastern Standard Time)
     # country="United States"
     # lang=1033
     # osver=6.1.7600 NT
     # compatibility_mode=512 16777215 100 0 0 0 0 0
     # compatibility_mode=2560 16777215 100 0 0 0 0 0
     # compatibility_mode=5893 16776573 100 94 0 42065478 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=115140
     # found=1
     # cleaned=1
     # scan_time=8738
     C:\Qoobox\Quarantine\C\ProgramData\eFeDm01834\eFeDm01834.exe.vir a variant of Win32/Kryptik.IIX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
  6. At present, my machine is only able to run in safe mode. I'm hoping ComboFix will signal the beginning of the end.

     ComboFix 10-11-22.04 - Wojo 11/22/2010 21:54:37.1.2 - x86 NETWORK
     Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1014.351 [GMT -5:00]
     Running from: c:\users\Wojo\Music\ComboFix.exe
     * Created a new restore point
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\programdata\eFeDm01834
     c:\programdata\eFeDm01834\eFeDm01834
     c:\programdata\eFeDm01834\eFeDm01834.exe
     c:\users\Wojo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tool
     c:\users\Wojo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tool\System Tool 2011.lnk
     c:\windows\system32\ps2.bat
     .
     [Files Created and Find3M listings omitted]
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\users\Wojo\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-12-17 135664] "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-09-29 328056] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072] "PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208] "SNUVCDSM"="c:\windows\snuvcdsm.exe" [2009-08-10 27184] "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "KBD"="c:\hp\KBD\KBD.EXE" [2001-07-06 61440] "PS2"="c:\windows\system32\ps2.exe" [2001-07-03 81920] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592] "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-09-03 9726568] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952] "ISTray"="c:\program files\PC Tools Security\pctsGui.exe" [2010-09-29 1588184] 
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2010-11-22 1286960] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] "GrpConv"="grpconv -o" [X] c:\users\Wojo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336] Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-12-25 66864] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 5 (0x5) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService] @="Service" R2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2010-07-14 3063576] R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] R2 NOF;Norton Online;c:\program files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe [2010-05-23 126904] R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [2010-03-15 366840] R2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [2010-06-17 45072] R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\DRIVERS\ManyCam.sys [2008-01-14 21632] R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192] R3 SYMRDR_{78CA3BF0-9C3B-40e1-B46D-38C877EF059A};Symantec Redirector - Norton Safety 
Minder;c:\windows\System32\Drivers\NSM\0200000.030\SymRdrS.SYS [2010-05-11 154672] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-27 1343400] S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-08-18 237632] S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2010-07-16 338880] S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2010-07-16 656320] S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128] S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [2010-11-22 3066528] --- Other Services/Drivers In Memory --- *Deregistered* - kxldqpog [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder 2010-11-21 c:\windows\Tasks\Driver Fetch.job - c:\program files\Driver Fetch\Driver Fetch.lnk [2010-08-25 22:18] 2010-11-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-225733379-1794320830-2180015835-1000Core.job - c:\users\Wojo\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-17 13:49] 2010-11-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-225733379-1794320830-2180015835-1000UA.job - c:\users\Wojo\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-17 13:49] . . ------- Supplementary Scan ------- . uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll . 
- - - - ORPHANS REMOVED - - - - WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) HKLM-Run-bncsaui.exe - %ProgramFiles%\Bradford Networks\Persistent Agent\bncsaui.exe HKLM-RunOnce-<NO NAME> - (no file) [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NOF] "ImagePath"="\"c:\program files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe\" /s \"NOF\" /m \"c:\program files\Norton Online\Engine\2.0.0.71\diMaster.dll\" /prefetch:1" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2010-11-22 22:21:26 ComboFix-quarantined-files.txt 2010-11-23 03:21 Pre-Run: 61,387,694,080 bytes free Post-Run: 63,638,061,056 bytes free - - End Of File - - 5CE0FB4430DDDB407BB7EF5522E0B04A
  7. File name: eFeDm01834.exe
     Submission date: 2010-11-23 02:26:57 (UTC)
     Current status: finished
     Result: 5/ 43 (11.6%)
     MD5 : b1f461d78d65645ab18451700db57eda
     SHA1 : 4c34149866da5f0b96f38b9ac14e77eb6ad5a213
     SHA256: a0b67c6947f171c73c0d1148449a7bc02d7da02feb3b34361d39ea9cc453104d
  8. This is the original mbam scan, which located and deleted the System Tool 2011 infection. However, the issue continues to resurface.
     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 5166
     Windows 6.1.7600 (Safe Mode)
     Internet Explorer 8.0.7600.16385
     11/21/2010 10:10:04 PM
     mbam-log-2010-11-21 (22-10-04).txt
     Scan type: Quick scan
     Objects scanned: 143287
     Time elapsed: 10 minute(s), 12 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected:
     C:\Users\Wojo\Desktop\System Tool 2011.LNK (Rogue.SystemTool) -> Quarantined and deleted successfully.
  9. System Tool reappears after mbam removes and after restart. Requested software will not run in regular mode. Requested software was run in safe mode.
     Defogger <disabled>
     Mbam log below (no infection found)
     DDS log below
     attach.txt zip attached
     ark.txt zip attached
     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org
     Database version: 5167
     Windows 6.1.7600 (Safe Mode)
     Internet Explorer 8.0.7600.16385
     11/22/2010 8:18:44 PM
     mbam-log-2010-11-22 (20-18-44).txt
     Scan type: Quick scan
     Objects scanned: 146451
     Time elapsed: 16 minute(s), 11 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
     DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
     Run by Wojo at 19:36:50.58 on Mon 11/22/2010
     Internet Explorer: 8.0.7600.16385
     Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1014.367 [GMT -5:00]
  10. Logfile of Trend Micro HijackThis v2.0.4
     Scan saved at 5:33:41 PM, on 11/22/2010
     Platform: Windows 7 (WinNT 6.00.3504)
     MSIE: Internet Explorer v8.00 (8.00.7600.16671)
     Boot mode: Safe mode with network support
Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Bradford Persistent Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Persistent Agent\bndaemon.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Norton Online (NOF) - Symantec Corporation - C:\Program Files\Norton Online\Engine\2.0.0.71\ccSvcHst.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security\pctsSvc.exe O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe -- End of file - 8980 bytes