Fake AV infection - files hidden?

  1.    #1

    I'm trying to help a friend who's locked out of Win7 Pro due to fake AV. All files are missing but I'm assuming they're hidden since I can transfer them in TeamViewer File Transfer.

    I can also open Task Manager to run explorer.exe to get to Program Files to run their .exe and am running Malwarebytes now with 21 infections already found and cleaned up.

    I was out of the room when Malwarebytes results came so he cleaned up the 21 infections without noting which Fake AV scan was detected. We regained no functionality after scan, so I'm running Full Scan again. Should I also run a root kit scan now?

    It's strange that Program Files are there but everything in Users is missing. I'm assuming it's hidden since I can transfer needed files out using Team Viewer, so is there a way to restore them with additional Cleanup?

    I'm just about to run SFC.


  2. Posts : 1,036
    Windows 7 Ultimate x64 | Ubuntu 12.04 x64 LTS
       #2

    Quote: All files are missing but I'm assuming they're hidden since I can transfer them in TeamViewer File Transfer.
    Well, in that case, have you tried booting off your friend's pc with a live cd and recover those from there?

    Quote: so I'm running Full Scan again. Should I also run a root kit scan now?
    I'd wait for the scan to finish. It wouldn't hurt to do a rootkit scan, though caution should be exercised as these may produce false positives.


  3. Posts : 50,642
    Thread Starter
       #3

    I'm across the country and he's at work so cannot boot disk to copy out files. I copied his most urgent files out using TeamViewer File Transfer Wizard which does show them even though Explorer shows entire User folder empty.

    Nothing found yet in full Malwarebytes scan. Also running SFC. Anything that can be done to unhide his files?


  4. Posts : 2,164
    Windows 7 Ultimate 64bit
       #4

    Have him run Combofix.
    ComboFix Download

    He is probably going to have to go to Tools > Folder Options > View and enable "Show hidden files and folders", then manually make them not hidden anymore.


  5. Posts : 1,036
    Windows 7 Ultimate x64 | Ubuntu 12.04 x64 LTS
       #5

    Well, ComboFix is a very advanced tool and must be run under the supervision of a security specialist. (No offence Zepher)

    @Greg- if you do decide to have it run, have him follow the steps here- (Canned Speech) Combofix XP


  6. Posts : 50,642
    Thread Starter
       #6

    Zepher said:
    He is probably going to have to go to Tools > Folder Options > View and enable "Show hidden files and folders", then manually make them not hidden anymore.
    This is how the fake AV virus hides the entire User folder?

    I'm planning to finish the Malwarebytes Full Scan (clean so far after 1 hour), then SFC, then ComboFix.

    Any other suggestions?

    Thanks! :)


  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #7

    Greg, try unhide
    Unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe) (by Grinler)
    "Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run."
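As an added example (not code from this thread, from Unhide.exe or from the forum), the same attribute fix as a PowerShell script narrowed to one user profile: it skips items that Windows itself marks Hidden+System (desktop.ini, NTUSER.DAT, AppData), clears only the Hidden bit on everything else, and saves the list first so anything the user hid on purpose can be hidden again afterwards. The root path, log path and the -DryRun switch are assumptions.

```powershell
<#
  Added example, not from the thread or from Unhide.exe: remove the Hidden (+H)
  attribute that a rogue AV set on a user's own files, but only under one profile
  and only where the System attribute is NOT also set, so Windows' own hidden
  items stay as they are. Paths and the -DryRun switch are assumptions.
#>
param(
    [string]$Root    = "$env:USERPROFILE",                  # assumed: affected user's profile
    [string]$LogPath = "$env:USERPROFILE\unhide-log.txt",   # assumed: where the list is saved
    [switch]$DryRun                                         # report only, change nothing
)

# -Force makes Get-ChildItem return hidden items at all; -Recurse walks the whole profile.
# The rogue hides plain user files (Hidden set, System clear); legitimate Windows items
# such as desktop.ini and NTUSER.DAT carry Hidden+System and are deliberately left alone.
$hiddenOnly = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        -not ($_.Attributes -band [IO.FileAttributes]::System)
    })

# Write the full list BEFORE changing anything: this is the record the user needs to
# re-hide files that were hidden on purpose (the caveat in the Unhide.exe instructions).
$hiddenOnly | ForEach-Object { $_.FullName } | Set-Content -LiteralPath $LogPath

Write-Host ("Found {0} hidden (non-system) items under {1}; list saved to {2}" -f
    $hiddenOnly.Count, $Root, $LogPath)

foreach ($item in $hiddenOnly) {
    if ($DryRun) {
        Write-Host "Would unhide: $($item.FullName)"
        continue
    }
    try {
        # Hidden is known to be set here, so XOR clears exactly that bit and
        # leaves ReadOnly, Archive and the other attributes untouched.
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
    } catch {
        Write-Warning "Could not change $($item.FullName): $($_.Exception.Message)"
    }
}
```

Run it once with -DryRun and read the saved list before running it for real; Explorer will still need "Show hidden files and folders" enabled to display anything the script did not touch.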


  8. Posts : 50,642
    Thread Starter
       #8

    Thanks Jacee. :) I guess this answers your question in the other thread of how he is getting infected. I opened TeamViewer to see the fake AV scanner I have warned him about repeatedly.

    Lost TeamViewer now so need to wait til he gets home from work to continue.

    Plan:
    Malwarebytes Full Scan (in progress)
    SFC /scannow (also in progress)
    Combo Fix
    Unhide
    ?


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #9

    RKill (just in case) before Combofix ... If there's any way to capture the CF log, I would like to see it, please. :)
    Also, rename Combofix.exe to sVchost.exe during the download.

    (RKill kills the rogue/fake processes from running, so that you can download necessary tools for removal.)
    The tool should run on all 32bit versions of current Windows (XP, Vista, Windows VirusTotal shows that only a few AVs flag it as anything)

    Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.
    Link 1
    Link 2
    Link 3
    Link 4

    • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
    • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
    • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
    • If nothing happens or if the tool does not run, please let me know in your next reply.


  10. Posts : 50,642
    Thread Starter
       #10

    ComboFix log


    After running ComboFix all files appear restored.

    All of the Programs appear to be working but shortcuts in All Programs list are empty. Partially solved here: Start Menu All Programs in Windows 7 - Restore Default Shortcuts - Windows 7 Forums

    Security Center, Windows Update and MSE Services all started up after restart.

    Many files were missing from external which was unplugged prior to fixes running. Tried Zepher's idea to Unhide in Control Panel and they show up. Ran UnHide which restored all files and would have restored my missing All Programs shortcuts had Recycle Bin not been emptied.

    Seems back to normal with good performance but only time will tell.

    Code:
    ComboFix 12-03-28.02 - MDuquette 03/28/2012  17:45:25.1.2 - x86
    Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2038.1223 [GMT -4:00]
    Running from: c:\users\MDuquette\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\~7GNFxghQfiOBui
    c:\programdata\~7GNFxghQfiOBuir
    c:\programdata\7GNFxghQfiOBui
    c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}
    c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}\chrome.manifest
    c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}\chrome\content\overlay.xul
    c:\users\MDuquette\AppData\Local\{2916551A-4BF7-4AEB-82C5-FA0E02C973A5}\install.rdf
    c:\users\MDuquette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check
    c:\users\MDuquette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk
    c:\users\MDuquette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk
    .
    .
    (((((((((((((((((((((((((   Files Created from 2012-02-28 to 2012-03-28  )))))))))))))))))))))))))))))))
    .
    .
    2012-03-24 11:42 . 2012-03-14 02:15    6582328    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{26181C00-0057-4728-BDBB-39FAD9CA378D}\mpengine.dll
    2012-03-18 14:37 . 2012-03-18 14:37    --------    d--h--w-    c:\programdata\F4D55EDB006B2A9A03994D22B4EB238B
    2012-03-17 03:35 . 2012-03-17 03:35    --------    d-----w-    c:\program files\Common Files\Java
    2012-03-17 03:34 . 2012-03-17 03:33    472808    ----a-w-    c:\windows\system32\deployJava1.dll
    2012-03-15 10:31 . 2012-02-03 03:54    2343424    ----a-w-    c:\windows\system32\win32k.sys
    2012-03-15 10:31 . 2012-02-10 05:38    1077248    ----a-w-    c:\windows\system32\DWrite.dll
    2012-03-15 10:31 . 2012-01-25 05:27    8192    ----a-w-    c:\windows\system32\rdrmemptylst.exe
    2012-03-15 10:31 . 2012-01-25 05:32    58880    ----a-w-    c:\windows\system32\rdpwsx.dll
    2012-03-15 10:31 . 2012-01-25 05:32    129536    ----a-w-    c:\windows\system32\rdpcorekmts.dll
    2012-03-15 10:31 . 2012-02-17 05:34    826880    ----a-w-    c:\windows\system32\rdpcore.dll
    2012-03-15 10:31 . 2012-02-17 04:13    24576    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
    2012-03-15 10:31 . 2012-02-17 04:14    183808    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
    2012-03-08 23:10 . 2012-03-08 23:10    --------    d-----w-    c:\program files\iPod
    2012-03-08 23:10 . 2012-03-08 23:11    --------    d-----w-    c:\program files\iTunes
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-17 02:40 . 2011-05-14 03:56    414368    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-02-10 11:30 . 2012-02-10 11:31    713784    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9188A78F-B458-49D5-B281-07487EF176EC}\gapaengine.dll
    2012-02-08 06:03 . 2012-01-06 17:44    6552120    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-01-31 12:44 . 2010-04-16 21:10    237072    ------w-    c:\windows\system32\MpSigStub.exe
    2012-01-11 11:17 . 2012-01-11 11:16    727647    ----a-w-    c:\windows\Windstar Demo Uninstaller.exe
    2012-01-06 03:39 . 2012-02-10 11:31    703824    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
    2012-01-02 07:48 . 2012-01-02 07:48    74752    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
    2012-01-02 07:47 . 2012-01-02 07:47    161792    ----a-w-    c:\windows\system32\msls31.dll
    2012-01-02 07:47 . 2012-01-02 07:47    110592    ----a-w-    c:\windows\system32\IEAdvpack.dll
    2012-01-02 07:47 . 2012-01-02 07:47    76800    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
    2012-01-02 07:47 . 2012-01-02 07:47    86528    ----a-w-    c:\windows\system32\iesysprep.dll
    2012-01-02 07:47 . 2012-01-02 07:47    63488    ----a-w-    c:\windows\system32\tdc.ocx
    2012-01-02 07:47 . 2012-01-02 07:47    48640    ----a-w-    c:\windows\system32\mshtmler.dll
    2012-01-02 07:47 . 2012-01-02 07:47    367104    ----a-w-    c:\windows\system32\html.iec
    2012-01-02 07:47 . 2012-01-02 07:47    74752    ----a-w-    c:\windows\system32\iesetup.dll
    2012-01-02 07:47 . 2012-01-02 07:47    420864    ----a-w-    c:\windows\system32\vbscript.dll
    2012-01-02 07:47 . 2012-01-02 07:47    23552    ----a-w-    c:\windows\system32\licmgr10.dll
    2012-01-02 07:47 . 2012-01-02 07:47    152064    ----a-w-    c:\windows\system32\wextract.exe
    2012-01-02 07:47 . 2012-01-02 07:47    150528    ----a-w-    c:\windows\system32\iexpress.exe
    2012-01-02 07:47 . 2012-01-02 07:47    35840    ----a-w-    c:\windows\system32\imgutil.dll
    2012-01-02 07:47 . 2012-01-02 07:47    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
    2012-01-02 07:47 . 2012-01-02 07:47    11776    ----a-w-    c:\windows\system32\mshta.exe
    2012-01-02 07:47 . 2012-01-02 07:47    101888    ----a-w-    c:\windows\system32\admparse.dll
    2012-02-17 17:58 . 2011-10-18 22:35    134104    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown 
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Meebo Notifier"="c:\users\MDuquette\AppData\Local\Meebo\Meebo Notifier\MeeboNotifier.exe" [2010-07-15 818888]
    "MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "AOL Fast Start"="c:\program files\AOL Desktop 9.6a\AOL.EXE" [2011-04-25 42320]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "PromptOnSecureDesktop"= 0 (0x0)
    "SoftwareSASGeneration"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Intuit Data Protect.lnk]
    backup=c:\windows\pss\Intuit Data Protect.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk]
    backup=c:\windows\pss\QuickBooks_Standard_21.lnk.CommonStartup
    backupExtension=.CommonStartup
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2009-09-04 16:08    935288    ----a-r-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-10-03 08:08    35696    ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    2009-10-28 14:38    50536    ----a-w-    c:\program files\AOL 9.5\aol.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-11-02 12:51    59240    ----a-w-    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-02-21 02:28    59240    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
    2010-03-13 19:54    91520    ----a-w-    c:\program files\Microsoft Office\Office14\BCSSync.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2007-03-21 16:33    1548288    ----a-w-    c:\windows\System32\WLTRAY.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient]
    2009-08-19 17:25    1589208    ---ha-w-    c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpy.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Software]
    2009-04-24 06:57    1025320    ----a-w-    c:\program files\Common Files\SupportSoft\bin\bcont.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    2010-03-08 07:27    41800    ----a-w-    c:\program files\Common Files\aol\1271452016\ee\aolsoftware.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    2009-09-23 23:30    173592    ----a-w-    c:\windows\System32\hkcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    2009-09-23 23:30    141848    ----a-w-    c:\windows\System32\igfxtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
    2011-10-10 01:39    1874264    ----a-w-    c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-03-07 00:05    421736    ----a-w-    c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    2009-09-23 23:30    150552    ----a-w-    c:\windows\System32\igfxpers.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 19:28    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
    2010-11-20 21:29    1174016    ----a-w-    c:\program files\Windows Sidebar\sidebar.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    2007-09-13 19:44    405504    ----a-w-    c:\program files\Sigmatel\C-Major Audio\WDM\sttray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-01-18 18:02    254696    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2012-01-18 11:46    296056    ----a-w-    c:\program files\real\realplayer\Update\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 136176]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 136176]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-02 1343400]
    R4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [2009-06-17 616408]
    R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-02-15 229376]
    R4 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-08-30 1255936]
    R4 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2010-12-07 2228008]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [2012-01-19 3027840]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 11:44]
    .
    2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-18 11:44]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://68.153.220.28:8080/activex/AMC.cab
    FF - ProfilePath - c:\users\MDuquette\AppData\Roaming\Mozilla\Firefox\Profiles\sqg9g1mm.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-Gwofuzozawufi - c:\users\MDuquette\AppData\Local\axidiruvupoqoxe.dll
    MSConfigStartUp-Vsofezi - c:\users\MDuquette\AppData\Local\wisdsk.dll
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-03-28  17:58:20
    ComboFix-quarantined-files.txt  2012-03-28 21:58
    .
    Pre-Run: 9,785,036,800 bytes free
    Post-Run: 10,061,418,496 bytes free
    .
    - - End Of File - - 599A00B8C4870EE77F23957CB2F4750E

    We are considering replacing MSE with Webroot Secure Anywhere AV. Opinions?

    Thank you, Security experts!
    Last edited by gregrocker; 28 Mar 2012 at 21:03.

