Windows 7 Forums
Windows 7: Fake AV infection - files hidden?

28 Mar 2012   #1
Microsoft MVP

 
Fake AV infection - files hidden?

I'm trying to help a friend who's locked out of Windows 7 Pro due to fake AV. All files are missing but I'm assuming they're hidden since I can transfer them in TeamViewer File Transfer.

I can also open Task Manager to run explorer.exe to get to Program Files to run their .exe and am running Malwarebytes now with 21 infections already found and cleaned up.

I was out of the room when Malwarebytes results came so he cleaned up the 21 infections without noting which Fake AV scan was detected. We regained no functionality after scan, so I'm running Full Scan again. Should I also run a root kit scan now?

It's strange that Program Files are there but everything in Users is missing. I'm assuming it's hidden since I can transfer needed files out using Team Viewer, so is there a way to restore them with additional Cleanup?

I'm just about to run SFC.


28 Mar 2012   #2

Windows 7 Ultimate x64 | Ubuntu 12.04 x64 LTS
 
 

Quote:
All files are missing but I'm assuming they're hidden since I can transfer them in TeamViewer File Transfer.
Well, in that case, have you tried booting your friend's PC off a live CD and recovering those from there?

Quote:
so I'm running Full Scan again. Should I also run a root kit scan now?
I'd wait for the scan to finish. It wouldn't hurt to do a rootkit scan, though caution should be exercised, as these may produce false positives.
28 Mar 2012   #3
Microsoft MVP

 

I'm across the country and he's at work, so I cannot use a boot disk to copy out files. I copied his most urgent files out using the TeamViewer File Transfer Wizard, which does show them even though Explorer shows the entire User folder as empty.

Nothing found yet in full Malwarebytes scan. Also running SFC. Anything that can be done to unhide his files?


28 Mar 2012   #4

Windows 7 Ultimate 64bit
 
 

Have him run Combofix.
ComboFix Download

He is probably going to have to go to Tools > Folder Options > View, enable "show hidden files and folders", and manually make them not hidden anymore.
28 Mar 2012   #5

Windows 7 Ultimate x64 | Ubuntu 12.04 x64 LTS
 
 

Well, ComboFix is a very advanced tool and must be run under the supervision of a security specialist. (No offence, Zepher.)

@Greg: if you do decide to have it run, have him follow the steps here: (Canned Speech) Combofix XP
28 Mar 2012   #6
Microsoft MVP

 

Quote: Originally Posted by Zepher
he is probably going to have to go to the tools>folder options>view> and enable "show hidden files and folders" and manually make them not hidden anymore.
This is how the fake AV virus hides the entire User folder?

I'm planning to finish the Malwarebytes Full Scan (clean so far after 1 hour), then SFC, then ComboFix.

Any other suggestions?

Thanks!
28 Mar 2012   #7
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Greg, try unhide
Unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe) (by Grinler)
"Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run."
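As an added example (not from this thread and not Unhide.exe's own code), here is the scoped version of what Jacee's post describes: a PowerShell script that lists the items under a user profile that carry the Hidden attribute but are not part of the profile's normal hidden plumbing, and clears only the Hidden bit when run with -Fix. The profile path, the exclusion lists and the -Fix switch are my assumptions; it expects an elevated PowerShell on the affected machine.

```powershell
# Added example, not code from the thread or from Unhide.exe: list the files and
# folders under a user profile that carry the Hidden attribute but are not part of
# the profile's normal hidden plumbing, and clear the attribute only when -Fix is
# given. Assumptions (mine, not the thread's): elevated PowerShell on the affected
# machine, a Windows 7 profile layout, and the exclusion lists below.
#
# Rogue "AV" families like the one in this thread set +H on the user's own files so
# Explorer shows an empty profile. Removing +H from every file on the disk (what
# the Unhide.exe description above says it does) works, but also unhides things
# that should stay hidden; this version scopes the change to what a user would
# not normally hide.

param(
    [string]$ProfilePath = $env:USERPROFILE,
    [switch]$Fix   # without -Fix the script only reports
)

# Names Windows itself keeps hidden inside a profile; never touch these.
$systemNames = @('desktop.ini', 'ntuser.dat', 'ntuser.ini', 'ntuser.pol',
                 'ntuser.dat.log1', 'ntuser.dat.log2', 'thumbs.db')

# Top-level profile folders that are hidden by design (AppData) or are the legacy
# junctions Windows 7 creates for XP-era paths. Skipped on purpose; widen the list
# only if you know what lives there.
$skipTop = @('AppData', 'Application Data', 'Local Settings', 'Cookies', 'NetHood',
             'PrintHood', 'Recent', 'SendTo', 'Start Menu', 'Templates', 'My Documents')

function Get-SuspiciousHidden {
    param([string]$Root)
    $rootFull = (Get-Item -LiteralPath $Root -Force).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $rel  = $item.FullName.Substring($rootFull.Length + 1)
            $top  = $rel.Split('\')[0]
            $attr = [int]$item.Attributes
            $hidden  = ($attr -band [int][IO.FileAttributes]::Hidden) -ne 0
            $system  = ($attr -band [int][IO.FileAttributes]::System) -ne 0
            $reparse = ($attr -band [int][IO.FileAttributes]::ReparsePoint) -ne 0
            # Report only: hidden, not a system item, not a junction/symlink,
            # not under a by-design hidden folder, not a Windows housekeeping file.
            if ($hidden -and -not $system -and -not $reparse -and
                $skipTop -notcontains $top -and
                $systemNames -notcontains $item.Name.ToLower()) {
                $item
            }
        }
}

function Clear-HiddenAttribute {
    param([IO.FileSystemInfo]$Item)
    # Clear only the Hidden bit; every other attribute (ReadOnly, Archive, ...) stays.
    $Item.Attributes = [IO.FileAttributes]([int]$Item.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden))
}

$found = @(Get-SuspiciousHidden -Root $ProfilePath)
Write-Host ("{0} hidden item(s) outside the normal hidden set under {1}" -f $found.Count, $ProfilePath)
$found | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $found) {
        Clear-HiddenAttribute -Item $f
        Write-Host "cleared +H on $($f.FullName)"
    }
} elseif ($found.Count -gt 0) {
    Write-Host 'Re-run with -Fix to clear the Hidden attribute on the items above.'
}
```

Run it once without -Fix and read the list before changing anything. Everything under AppData is skipped on purpose, because Windows keeps many legitimately hidden items there; the Start Menu shortcuts mentioned later in the thread live under AppData\Roaming, so they would need the skip list narrowed or a manual check.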
28 Mar 2012   #8
Microsoft MVP

 

Thanks Jacee. I guess this answers your question in the other thread of how he is getting infected. I opened TeamViewer to see the fake AV scanner I have warned him about repeatedly.

Lost TeamViewer now, so I need to wait until he gets home from work to continue.

Plan:
Malwarebytes Full Scan (in progress)
SFC /scannow (also in progress)
Combo Fix
Unhide
?
28 Mar 2012   #9
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

RKill (just in case) before ComboFix ... If there's any way to capture the CF log, I would like to see it, please.
Also, rename Combofix.exe to sVchost.exe during the download.

(RKill kills the rogue/fake processes so that you can download the necessary tools for removal.
The tool should run on all 32-bit versions of current Windows (XP, Vista, Windows VirusTotal shows that only a few AVs flag it as anything)

Download and Run RKill
Please download RKill by Grinler from one of the 4 links below and save it to your desktop.
Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
28 Mar 2012   #10
Microsoft MVP

 
ComboFix log

After running ComboFix all files appear restored.

All of the Programs appear to be working but shortcuts in All Programs list are empty. Partially solved here: Start Menu All Programs in Windows 7 - Restore Default Shortcuts - Windows 7 Forums

Security Center, Windows Update and MSE Services all started up after restart.

Many files were missing from the external drive, which was unplugged before the fixes ran. Tried Zepher's idea to unhide in Control Panel and they show up. Ran Unhide, which restored all files and would have restored my missing All Programs shortcuts had the Recycle Bin not been emptied.

Seems back to normal with good performance but only time will tell.

Code:
ComboFix 12-03-28.02 - MDuquette 03/28/2012  17:45:25.1.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2038.1223 [GMT -4:00]
Running from: c:\users\MDuquette\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\~7GNFxghQfiOBui
c:\programdata\~7GNFxghQfiOBuir
c:\programdata\7GNFxghQfiOBui
c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}
c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}\chrome.manifest
c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}\chrome\content\overlay.xul
c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}\install.rdf
c:\users\MDuquette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
c:\users\MDuquette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
c:\users\MDuquette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
.
.
(((((((((((((((((((((((((   Files Created from 2012-02-28 to 2012-03-28  )))))))))))))))))))))))))))))))
.
.
2012-03-24 11:42 . 2012-03-14 02:15    6582328    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{26181C00-0057-4728-BDBB-39FAD9CA378D}\mpengine.dll
2012-03-18 14:37 . 2012-03-18 14:37    --------    d--h--w-    c:\programdata\F4D55EDB006B2A9A03994D22B4EB238B
2012-03-17 03:35 . 2012-03-17 03:35    --------    d-----w-    c:\program files\Common Files\Java
2012-03-17 03:34 . 2012-03-17 03:33    472808    ----a-w-    c:\windows\system32\deployJava1.dll
2012-03-15 10:31 . 2012-02-03 03:54    2343424    ----a-w-    c:\windows\system32\win32k.sys
2012-03-15 10:31 . 2012-02-10 05:38    1077248    ----a-w-    c:\windows\system32\DWrite.dll
2012-03-15 10:31 . 2012-01-25 05:27    8192    ----a-w-    c:\windows\system32\rdrmemptylst.exe
2012-03-15 10:31 . 2012-01-25 05:32    58880    ----a-w-    c:\windows\system32\rdpwsx.dll
2012-03-15 10:31 . 2012-01-25 05:32    129536    ----a-w-    c:\windows\system32\rdpcorekmts.dll
2012-03-15 10:31 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\system32\rdpcore.dll
2012-03-15 10:31 . 2012-02-17 04:13    24576    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2012-03-15 10:31 . 2012-02-17 04:14    183808    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2012-03-08 23:10 . 2012-03-08 23:10    --------    d-----w-    c:\program files\iPod
2012-03-08 23:10 . 2012-03-08 23:11    --------    d-----w-    c:\program files\iTunes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-17 02:40 . 2011-05-14 03:56    414368    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-10 11:30 . 2012-02-10 11:31    713784    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9188A78F-B458-49D5-B281-07487EF176EC}\gapaengine.dll
2012-02-08 06:03 . 2012-01-06 17:44    6552120    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-31 12:44 . 2010-04-16 21:10    237072    ------w-    c:\windows\system32\MpSigStub.exe
2012-01-11 11:17 . 2012-01-11 11:16    727647    ----a-w-    c:\windows\Windstar Demo Uninstaller.exe
2012-01-06 03:39 . 2012-02-10 11:31    703824    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-01-02 07:48 . 2012-01-02 07:48    74752    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2012-01-02 07:47 . 2012-01-02 07:47    161792    ----a-w-    c:\windows\system32\msls31.dll
2012-01-02 07:47 . 2012-01-02 07:47    110592    ----a-w-    c:\windows\system32\IEAdvpack.dll
2012-01-02 07:47 . 2012-01-02 07:47    76800    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2012-01-02 07:47 . 2012-01-02 07:47    86528    ----a-w-    c:\windows\system32\iesysprep.dll
2012-01-02 07:47 . 2012-01-02 07:47    63488    ----a-w-    c:\windows\system32\tdc.ocx
2012-01-02 07:47 . 2012-01-02 07:47    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2012-01-02 07:47 . 2012-01-02 07:47    367104    ----a-w-    c:\windows\system32\html.iec
2012-01-02 07:47 . 2012-01-02 07:47    74752    ----a-w-    c:\windows\system32\iesetup.dll
2012-01-02 07:47 . 2012-01-02 07:47    420864    ----a-w-    c:\windows\system32\vbscript.dll
2012-01-02 07:47 . 2012-01-02 07:47    23552    ----a-w-    c:\windows\system32\licmgr10.dll
2012-01-02 07:47 . 2012-01-02 07:47    152064    ----a-w-    c:\windows\system32\wextract.exe
2012-01-02 07:47 . 2012-01-02 07:47    150528    ----a-w-    c:\windows\system32\iexpress.exe
2012-01-02 07:47 . 2012-01-02 07:47    35840    ----a-w-    c:\windows\system32\imgutil.dll
2012-01-02 07:47 . 2012-01-02 07:47    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2012-01-02 07:47 . 2012-01-02 07:47    11776    ----a-w-    c:\windows\system32\mshta.exe
2012-01-02 07:47 . 2012-01-02 07:47    101888    ----a-w-    c:\windows\system32\admparse.dll
2012-02-17 17:58 . 2011-10-18 22:35    134104    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Meebo Notifier"="c:\users\MDuquette\AppData\Local\Meebo\Meebo Notifier\MeeboNotifier.exe" [2010-07-15 818888]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"AOL Fast Start"="c:\program files\AOL Desktop 9.6a\AOL.EXE" [2011-04-25 42320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Intuit Data Protect.lnk]
backup=c:\windows\pss\Intuit Data Protect.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk]
backup=c:\windows\pss\QuickBooks_Standard_21.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 16:08    935288    ----a-r-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 08:08    35696    ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2009-10-28 14:38    50536    ----a-w-    c:\program files\AOL 9.5\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-11-02 12:51    59240    ----a-w-    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-02-21 02:28    59240    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 19:54    91520    ----a-w-    c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2007-03-21 16:33    1548288    ----a-w-    c:\windows\System32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient]
2009-08-19 17:25    1589208    ---ha-w-    c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Software]
2009-04-24 06:57    1025320    ----a-w-    c:\program files\Common Files\SupportSoft\bin\bcont.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2010-03-08 07:27    41800    ----a-w-    c:\program files\Common Files\aol\1271452016\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30    173592    ----a-w-    c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30    141848    ----a-w-    c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2011-10-10 01:39    1874264    ----a-w-    c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-07 00:05    421736    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30    150552    ----a-w-    c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2010-11-20 21:29    1174016    ----a-w-    c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-09-13 19:44    405504    ----a-w-    c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 18:02    254696    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-01-18 11:46    296056    ----a-w-    c:\program files\real\realplayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 136176]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-02 1343400]
R4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-02-15 229376]
R4 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-08-30 1255936]
R4 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2010-12-07 2228008]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-01-19 3027840]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 11:44]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 11:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://68.153.220.28:8080/activex/AMC.cab
FF - ProfilePath - c:\users\MDuquette\AppData\Roaming\Mozilla\Firefox\Profiles\sqg9g1mm.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Gwofuzozawufi - c:\users\MDuquette\AppData\Local\axidiruvupoqoxe.dll
MSConfigStartUp-Vsofezi - c:\users\MDuquette\AppData\Local\wisdsk.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-28  17:58:20
ComboFix-quarantined-files.txt  2012-03-28 21:58
.
Pre-Run: 9,785,036,800 bytes free
Post-Run: 10,061,418,496 bytes free
.
- - End Of File - - 599A00B8C4870EE77F23957CB2F4750E

We are considering replacing MSE with Webroot Secure Anywhere AV. Opinions?

Thank you, Security experts!
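As an added example, not part of the thread and not ComboFix code: a read-only PowerShell audit that asks the same questions the ComboFix log above answers for the loading points it lists (the HKCU/HKLM Run keys, the MSConfig startupreg entries, the Security Center AntiVirusOverride and FirewallOverride flags, and the UAC PromptOnSecureDesktop policy, all of which appear in the log). The "flag for review" rules are my heuristics drawn from the log's entries, not an authoritative list; the script assumes an elevated PowerShell on Windows 7 or later and changes nothing.

```powershell
# Added example, not code from the thread and not ComboFix: a read-only audit of
# the loading points the ComboFix log above enumerates (Run keys, MSConfig
# startupreg, Security Center overrides, UAC policy), so the questions that log
# answers can be asked of any box without running ComboFix. Assumptions (mine):
# elevated PowerShell on Windows 7 or later; the "flag for review" rules below
# are heuristics drawn from the entries in the log, not an authoritative bad-list.

function Test-UserWritableTarget {
    param([string]$Command)
    # The orphans ComboFix removed pointed at random-named DLLs under AppData\Local.
    # Legitimate software does this too (Meebo Notifier in the log), so this is a
    # "look at it" rule, not a verdict.
    return ($Command -match '(?i)\\appdata\\(local|locallow|roaming)\\|\\programdata\\|\\users\\public\\|\\temp\\|%temp%')
}

function Get-LoadingPointFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Active Run keys (each value is name = command line).
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # PSPath and friends
            if (Test-UserWritableTarget ([string]$p.Value)) {
                $findings.Add("Run entry in user-writable dir: $key\$($p.Name) = $($p.Value)")
            }
        }
    }

    # 2. Items disabled through msconfig keep their command line in a 'command'
    #    value under startupreg; they are off now but can be re-enabled by anyone.
    $msconfig = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'
    if (Test-Path $msconfig) {
        foreach ($sub in Get-ChildItem -Path $msconfig) {
            $cmd = [string](Get-ItemProperty -Path $sub.PSPath).command
            if ($cmd -and (Test-UserWritableTarget $cmd)) {
                $findings.Add("disabled autostart in user-writable dir: $($sub.PSChildName) = $cmd")
            }
        }
    }

    # 3. Security Center overrides. A value of 1 tells Windows to stop warning that
    #    no antivirus / firewall is active; the log above shows both set to 1.
    $sc = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
        if ($sc -and $sc.$name -eq 1) { $findings.Add("Security Center warning suppressed: $name = 1") }
    }

    # 4. UAC policy. PromptOnSecureDesktop = 0 (as in the log) draws elevation
    #    prompts on the normal desktop, where other programs can drive them; the
    #    default is 1. EnableLUA = 0 turns UAC off entirely.
    $pol = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($pol.PromptOnSecureDesktop -eq 0) { $findings.Add('UAC: PromptOnSecureDesktop = 0 (default is 1)') }
    if ($pol.ConsentPromptBehaviorAdmin -eq 0) { $findings.Add('UAC: ConsentPromptBehaviorAdmin = 0 (elevates without prompting)') }
    if ($pol.EnableLUA -eq 0) { $findings.Add('UAC: EnableLUA = 0 (UAC disabled)') }

    return $findings
}

$result = Get-LoadingPointFindings
if ($result.Count -eq 0) { Write-Host 'no findings' } else { $result | ForEach-Object { Write-Host $_ } }
```

Every hit is something to look at, not a verdict: the log shows a legitimate Meebo Notifier entry under AppData\Local alongside the orphaned Gwofuzozawufi and Vsofezi DLLs, and the thread does not say whether the Security Center overrides or the PromptOnSecureDesktop change were made by a person or by the rogue. Running the audit on a known-clean machine first gives a baseline to diff against.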