DaveFL
Members
Posts: 18
Reputation: 0 Neutral
  1. Thanks MrC! Sorry for the delayed reply but SP1 didn't want to install. Microsoft's Update Readiness Tool, or whatever Microsoft sent me to, ran a hotfix, then SP1 cooperated nicely. The Clean up went as advertised. Everything seems to be holding together nicely!! I suppose the next 24 hrs or so will tell.... Thanks again for all your help! You are the Best, Mr Charlie! DaveFL
  2. Things still look good... Security Check log:

     Results of screen317's Security Check version 0.99.84
     Windows 7 x64 (UAC is disabled!)
     Out of date service pack!!
     Internet Explorer 11
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Disabled!
     McAfee Anti-Virus and Anti-Spyware
     WMI entry may not exist for antivirus; attempting automatic update.
     `````````Anti-malware/Other Utilities Check:`````````
     Java version out of Date!
     Adobe Reader XI
     ````````Process Check: objlist.exe by Laurent````````
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 4%
     ````````````````````End of Log``````````````````````

     Thanks MrC! DaveFL
  3. Thanks MrC! The new RogueKiller report:

     RogueKiller V9.0.2.0 (x64) [Jun 3 2014] by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows 7 (6.1.7600 ) 64 bits version
     Started in : Normal mode
     User : Marty [Admin rights]
     Mode : Scan -- Date : 06/14/2014 11:28:16

     ¤¤¤ Bad processes : 1 ¤¤¤
     [ZeroAccess] mcshield.exe -- [x] -> ERROR [12]

     ¤¤¤ Registry Entries : 23 ¤¤¤
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GetSusp -> FOUND
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GetSusp -> FOUND
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GetSusp -> FOUND
     [PUM.Policies] (X64) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
     [PUM.Policies] (X64) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorUser : 0 -> FOUND
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorUser : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
     [PUM.Desktop] (X64) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper : 0 -> FOUND
     [PUM.Desktop] (X86) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper : 0 -> FOUND
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

     ¤¤¤ Scheduled tasks : 1 ¤¤¤
     [suspicious.Path] \\{9AD52BE1-60AA-41B8-8FC4-A4290EB10F3A} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Marty\AppData\Roaming\v9\UninstallManager.exe -c -ptid=tugs) -> FOUND

     ¤¤¤ Files : 0 ¤¤¤

     ¤¤¤ HOSTS File : 0 ¤¤¤

     ¤¤¤ Antirootkit : 0 ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: SAMSUNG HD103SJ +++++
     --- User ---
     [MBR] 339053ccd380888a513d4babe099a448
     [bSP] 2dfa851a71cb3d932cd438f3fdc85c0d : Unknown MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
     1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 14142 MB
     2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 29044736 | Size: 939686 MB
     User = LL1 ... OK
     User = LL2 ... OK

     +++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )

     +++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )

     +++++ PhysicalDrive3: Generic- SM/xD Picture USB Device +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )

     +++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )

     ============================================
     RKreport_SCN_06132014_223919.log - RKreport_SCN_06132014_224621.log - RKreport_SCN_06142014_112316.log

     I've been surfing around and opening and closing IE and so far so good! I'll keep 'test driving' it a little here... DaveFL
  4. Thanks, MrC, for your clear and detailed instructions. Guys like me need that :-). Everything ran as advertised. The MBAM scans were clean (but that's probably not a surprise since the computer has been idle except for what we are doing here, and I have no idea what caused the re-emergence of the malware...) I let AdwCleaner remove everything it found. The logs:

     Fixlog:

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-06-2014 02
     Ran by Marty at 2014-06-14 10:01:43 Run:1
     Running from C:\Users\Marty\Desktop
     Boot Mode: Normal
     ==============================================

     Content of fixlist:
     *****************
     HKLM\...\Run: [Qoyvf] => "C:\Users\Marty\AppData\Roaming\Foyxheon\haefp.exe"
     HKLM-x32\...\Run: [] => [X]
     GroupPolicy: Group Policy on Chrome detected
     HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.v9.com...&q={searchTerms}
     HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
     HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://search.v9.com...&q={searchTerms}
     SearchScopes: HKLM-x32 - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.mywebs...or={searchTerms}
     SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
     Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
     Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
     Hosts: 54.221.22.25 dmcecclamecbinmplcolhaljlclhbgah
     FF HKCU\...\Firefox\Extensions: [{54529188-D165-76FA-72F3-FD3CCD7D5709}] - C:\Program Files (x86)\Re-Markable-soft\161.xpi
     FF HKCU\...\Firefox\Extensions: [ConsumerInput@Compete] - C:\Program Files (x86)\Consumer Input\Firefox\ciff-3.2.0-12171.xpi
     S3 MFE_RR; \??\C:\Users\Marty\AppData\Local\Temp\mfe_rr.sys [X]
     C:\Users\Marty\jagex_cl_runescape_LIVE.dat
     C:\Users\Marty\random.dat
     C:\Users\Marty\AppData\Roaming\Foyxheon
     C:\Program Files\pcreg
     DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
     Task: {2A6240B5-229F-4878-B21F-888BF9F38E12} - System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-7 => C:\Program Files (x86)\HQvidPv1.12\HQvidPv1.12-nova.exe
     Task: {9FCCD69D-7C99-454E-8D80-7284B6B77B3C} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe
     Task: {A21EB3E3-4E0C-489E-A560-6318A05D3519} - System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-1 => C:\Program Files (x86)\HQvidPv1.12\HQvidPv1.12-codedownloader.exe
     *****************

     HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Qoyvf => value deleted successfully.
     HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
     C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
     C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
     HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
     HKLM\Software\\Microsoft\Internet Explorer\Main\\Secondary Start Pages => value deleted successfully.
     HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
     'HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}' => Key deleted successfully.
     'HKCR\Wow6432Node\CLSID\{b0441a0e-a49a-4e16-afc1-74ecced1921f}'=> Key not found.
     HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
     HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
     'HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}'=> Key not found.
     'HKCR\PROTOCOLS\Handler\skype-ie-addon-data' => Key deleted successfully.
     'HKCR\CLSID\{91774881-D725-4E58-B298-07617B9B86A8}'=> Key not found.
     C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
     Hosts was reset successfully.
     HKCU\Software\Mozilla\Firefox\Extensions\\{54529188-D165-76FA-72F3-FD3CCD7D5709} => value deleted successfully.
     HKCU\Software\Mozilla\Firefox\Extensions\\ConsumerInput@Compete => value deleted successfully.
     MFE_RR => Service deleted successfully.
     C:\Users\Marty\jagex_cl_runescape_LIVE.dat => Moved successfully.
     C:\Users\Marty\random.dat => Moved successfully.
     C:\Users\Marty\AppData\Roaming\Foyxheon => Moved successfully.
     C:\Program Files\pcreg => Moved successfully.
     "C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
     "C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
     "C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
     'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2A6240B5-229F-4878-B21F-888BF9F38E12}' => Key deleted successfully.
     'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A6240B5-229F-4878-B21F-888BF9F38E12}' => Key deleted successfully.
     C:\Windows\System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-7 => Moved successfully.
     'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\a74f6af7-b4c0-41c3-b53e-2486781d7f40-7' => Key deleted successfully.
     'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9FCCD69D-7C99-454E-8D80-7284B6B77B3C}' => Key deleted successfully.
     'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9FCCD69D-7C99-454E-8D80-7284B6B77B3C}' => Key deleted successfully.
     C:\Windows\System32\Tasks\pcreg => Moved successfully.
     'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\pcreg' => Key deleted successfully.
     'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A21EB3E3-4E0C-489E-A560-6318A05D3519}' => Key deleted successfully.
     'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A21EB3E3-4E0C-489E-A560-6318A05D3519}' => Key deleted successfully.
     C:\Windows\System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-1 => Moved successfully.
     'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\a74f6af7-b4c0-41c3-b53e-2486781d7f40-1' => Key deleted successfully.

     The system needed a reboot.

     ==== End of Fixlog ====

     AdwCleaner log:

     # AdwCleaner v3.212 - Report created 14/06/2014 at 10:18:49
     # Updated 05/06/2014 by Xplode
     # Operating System : Windows 7 Home Premium (64 bits)
     # Username : Marty - MARTY-PC
     # Running from : C:\Users\Marty\Desktop\AdwCleaner.exe
     # Option : Clean

     ***** [ Services ] *****

     ***** [ Files / Folders ] *****

     Folder Deleted : C:\ProgramData\VisualBee
     Folder Deleted : C:\Program Files (x86)\Bench
     Folder Deleted : C:\Program Files (x86)\Information
     Folder Deleted : C:\Users\Marty\AppData\Local\emaze
     Folder Deleted : C:\Users\Marty\AppData\Local\PackageAware
     Folder Deleted : C:\Users\Marty\AppData\LocalLow\iac
     Folder Deleted : C:\Users\Marty\AppData\LocalLow\mapsgalaxy_39
     Folder Deleted : C:\Users\Marty\AppData\Roaming\Activeris
     Folder Deleted : C:\Users\Marty\AppData\Roaming\SupTab
     Folder Deleted : C:\Users\Marty\AppData\Roaming\Systweak
     Folder Deleted : C:\Users\Marty\AppData\Roaming\v9
     Folder Deleted : C:\Users\Marty\Documents\PC Speed Maximizer
     File Deleted : C:\END

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Key Deleted : HKLM\SOFTWARE\Classes\AppID\CptUrlPassthru.DLL
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\dca-bho.DLL
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ActiverisAntiMalware_RASAPI32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ActiverisAntiMalware_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\NewPlayer_RASAPI32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\NewPlayer_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SupTab_RASAPI32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SupTab_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\systweakasp_rasapi32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\systweakasp_rasmancs
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{A57F7191-1E7F-4852-BAAF-F80A43E2687A}
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{DD7C44CC-0F60-4FD9-A38F-5CF30D698AC2}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220522302298}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660566306698}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220522302298}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{15527BF5-9729-49DC-889C-9F956983154C}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DD05B915-F77B-474A-9D42-9FEEAF5475C4}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660566306698}
     Key Deleted : HKCU\Software\Compete
     Key Deleted : HKCU\Software\powerpack
     Key Deleted : HKCU\Software\systweak
     Key Deleted : HKCU\Software\visualbee
     Key Deleted : HKCU\Software\AppDataLow\Software\Compete
     Key Deleted : HKLM\Software\Bench
     Key Deleted : HKLM\Software\CompeteInc
     Key Deleted : HKLM\Software\Freeze.com
     Key Deleted : HKLM\Software\SupTab
     Key Deleted : HKLM\Software\systweak
     Key Deleted : HKLM\Software\V9Software
     Key Deleted : HKLM\Software\visualbee
     Key Deleted : HKLM\Software\Wpm
     Key Deleted : HKLM\Software\Information
     Key Deleted : [x64] HKLM\SOFTWARE\installedbrowserextensions

     ***** [ Browsers ] *****

     -\\ Internet Explorer v9.0.8112.16476

     *************************

     AdwCleaner[R0].txt - [4952 octets] - [14/06/2014 10:05:08]
     AdwCleaner[s0].txt - [4793 octets] - [14/06/2014 10:18:49]

     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [4853 octets] ##########

     JRT log:

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Thisisu
     Version: 6.1.4 (04.06.2014:1)
     OS: Windows 7 Home Premium x64
     Ran by Marty on Sat 06/14/2014 at 10:23:36.96
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     ~~~ Services

     ~~~ Registry Values

     ~~~ Registry Keys

     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.pseudotransparentplugin
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.pseudotransparentplugin.1
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.radio
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.radio.1
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.settingsplugin
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.settingsplugin.1
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{173A5778-34BF-48A2-8A5E-6963CE922FED}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{4B7D0B0C-CFF3-49C5-9BC3-FFABC031C822}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{7D4DFAF7-F2CE-4C91-91A4-514C9612914D}
     Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{9B58A6CE-B337-43D5-9C2F-8C6D92FBA094}

     ~~~ Files

     ~~~ Folders

     Successfully deleted: [Folder] "C:\ProgramData\ammyy"
     Successfully deleted: [Folder] "C:\ProgramData\pc1data"
     Successfully deleted: [Folder] "C:\Users\Marty\AppData\Roaming\pc cleaners"
     Successfully deleted: [Folder] "C:\Users\Marty\AppData\Roaming\pcpro"
     Successfully deleted: [Folder] "C:\Users\Marty\appdata\locallow\recipehub_2j"
     Successfully deleted: [Folder] "C:\Users\Marty\appdata\locallow\recipehub_2jei"
     Successfully deleted: [Folder] "C:\Program Files (x86)\recipehub_2jei"
     Successfully deleted: [Empty Folder] C:\Users\Marty\appdata\local\{280CF035-5285-4C3A-9BF5-91FD805A3C42}
     Successfully deleted: [Empty Folder] C:\Users\Marty\appdata\local\{DBCB0101-4141-49FF-BBCF-E302023C55D6}

     ~~~ Event Viewer Logs were cleared

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Sat 06/14/2014 at 10:29:29.21
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Hope I posted everything correctly! Thanks again. DaveFL
  5. Thanks MrC! I ran Malwarebytes with the requested settings and it didn't find anything this time. Here is the RogueKiller log:

     RogueKiller V9.0.2.0 (x64) [Jun 3 2014] by Adlice Software
     mail : http://www.adlice.com/contact/
     Feedback : http://forum.adlice.com
     Website : http://www.adlice.com/softwares/roguekiller/
     Blog : http://www.adlice.com

     Operating System : Windows 7 (6.1.7600 ) 64 bits version
     Started in : Normal mode
     User : Marty [Admin rights]
     Mode : Scan -- Date : 06/13/2014 22:46:21

     ¤¤¤ Bad processes : 0 ¤¤¤

     ¤¤¤ Registry Entries : 23 ¤¤¤
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Qoyvf : "C:\Users\Marty\AppData\Roaming\Foyxheon\haefp.exe" -> FOUND
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GetSusp -> FOUND
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MFE_RR -> FOUND
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GetSusp -> FOUND
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MFE_RR -> FOUND
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GetSusp -> FOUND
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MFE_RR -> FOUND
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorUser : 0 -> FOUND
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorUser : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
     [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
     [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
     [PUM.Desktop] (X64) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper : 0 -> FOUND
     [PUM.Desktop] (X86) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper : 0 -> FOUND
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

     ¤¤¤ Scheduled tasks : 1 ¤¤¤
     [suspicious.Path] \\{9AD52BE1-60AA-41B8-8FC4-A4290EB10F3A} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Marty\AppData\Roaming\v9\UninstallManager.exe -c -ptid=tugs) -> FOUND

     ¤¤¤ Files : 13 ¤¤¤
     [ZeroAccess][Junction] en-US -- C:\Program Files\Windows Defender\en-US [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MpAsDesc.dll -- C:\Program Files\Windows Defender\MpAsDesc.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MpClient.dll -- C:\Program Files\Windows Defender\MpClient.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MpCmdRun.exe -- C:\Program Files\Windows Defender\MpCmdRun.exe [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MpCommu.dll -- C:\Program Files\Windows Defender\MpCommu.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MpEvMsg.dll -- C:\Program Files\Windows Defender\MpEvMsg.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MpOAV.dll -- C:\Program Files\Windows Defender\MpOAV.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MpRTP.dll -- C:\Program Files\Windows Defender\MpRTP.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MpSvc.dll -- C:\Program Files\Windows Defender\MpSvc.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MSASCui.exe -- C:\Program Files\Windows Defender\MSASCui.exe [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MsMpCom.dll -- C:\Program Files\Windows Defender\MsMpCom.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MsMpLics.dll -- C:\Program Files\Windows Defender\MsMpLics.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
     [ZeroAccess][Junction] MsMpRes.dll -- C:\Program Files\Windows Defender\MsMpRes.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND

     ¤¤¤ HOSTS File : 1 ¤¤¤
     [C:\Windows\System32\drivers\etc\hosts] 54.221.22.25 dmcecclamecbinmplcolhaljlclhbgah

     ¤¤¤ Antirootkit : 0 ¤¤¤

     ¤¤¤ Web browsers : 0 ¤¤¤

     ¤¤¤ MBR Check : ¤¤¤
     +++++ PhysicalDrive0: SAMSUNG HD103SJ +++++
     --- User ---
     [MBR] 339053ccd380888a513d4babe099a448
     [bSP] 2dfa851a71cb3d932cd438f3fdc85c0d : Unknown MBR Code
     Partition table:
     0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
     1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 14142 MB
     2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 29044736 | Size: 939686 MB
     User = LL1 ... OK
     User = LL2 ... OK

     +++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )

     +++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )

     +++++ PhysicalDrive3: Generic- SM/xD Picture USB Device +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )

     +++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
     Error reading User MBR! ([15] The device is not ready. )
     Error reading LL1 MBR! NOT VALID!
     Error reading LL2 MBR! ([32] The request is not supported. )

     ============================================
     RKreport_SCN_06132014_223919.log

     Thanks again! DaveFL
  6. Thanks in advance for any help! I've got a re-occuring pup.optional.searchsafer hit from malwarebytes on my daughter's computer. MBAM will remove 2 instances of pup.optional.searchsafer then the next scan will be clean, then it will find them again, then its clean, etc. Also her homepage gets reset to about:blank every other day or so. The lastest (clean) mbam log: Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 6/13/2014 Scan Time: 11:46:48 AM Logfile: Administrator: Yes Version: 2.00.2.1012 Malware Database: v2014.06.13.06 Rootkit Database: v2014.06.02.01 License: Free Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled OS: Windows 7 CPU: x64 File System: NTFS User: Marty Scan Type: Threat Scan Result: Completed Objects Scanned: 271538 Time Elapsed: 9 min, 9 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 1 PUP.Optional.SearchSafer, C:\Program Files\pcreg\service.exe, 4412, Delete-on-Reboot, [62505d16d9a262d4abc6432419eb7f81] Modules: 0 (No malicious items detected) Registry Keys: 0 (No malicious items detected) Registry Values: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Folders: 0 (No malicious items detected) Files: 1 PUP.Optional.SearchSafer, C:\Program Files\pcreg\service.exe, Quarantined, [62505d16d9a262d4abc6432419eb7f81], Physical Sectors: 0 (No malicious items detected) (end) The FRST.TXT log: Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-06-2014 02 Ran by Marty (administrator) on MARTY-PC on 13-06-2014 12:11:55 Running from C:\Users\Marty\Desktop Platform: Windows 7 Home Premium (X64) OS Language: English(US) Internet Explorer Version 9 Boot Mode: Normal The only official download link for FRST: Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ Download link for 64-Bit Version: 
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
() C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McUICnt.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Qoyvf] => "C:\Users\Marty\AppData\Roaming\Foyxheon\haefp.exe"
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [Launcher] - C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [163040 2010-08-11] (Softthinks)
HKLM-x32\...\RunOnce: [DSUpdateLauncher] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe" [161088 2010-07-21] ()
HKLM-x32\...\RunOnce: [sTToasterLauncher] - C:\Program Files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120032 2010-08-11] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\896\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\.DEFAULT\...\Policies\Explorer: [HideSCAHealth] 1
HKU\.DEFAULT\...\Policies\Explorer: [NoFolderOptions] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-1617529379-2784233811-108745753-1001\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_13_0_0_214_ActiveX.exe [847536 2014-06-06] (Adobe Systems Incorporated)
HKU\S-1-5-21-1617529379-2784233811-108745753-1001\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1617529379-2784233811-108745753-1001\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-1617529379-2784233811-108745753-1001\...\Policies\Explorer: [NoControlPanel] 0
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.v9.com/web/?type=ds&ts=1399129011&from=tugs&uid=SAMSUNGXHD103SJ_S26BJ90ZB31071B31071&i=psd&t=341f22504&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://search.v9.com/web/?type=ds&ts=1399129011&from=tugs&uid=SAMSUNGXHD103SJ_S26BJ90ZB31071B31071&i=psd&t=341f22504&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKLM-x32 - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^UX^xdm156^YY^us&si=CD4572&ptb=C3E0E9CD-6D86-470E-A98B-EB9C7C741BF3&ind=2013042610&n=77fc97b2&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
Hosts: 54.221.22.25 dmcecclamecbinmplcolhaljlclhbgah
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @mcafee.com/MSC,version=10 - c:\PROGRA~1\mcafee\msc\npmcsnffpl64.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 - c:\PROGRA~2\mcafee\msc\npmcsnffpl.dll ()
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2011-03-31]
FF HKCU\...\Firefox\Extensions: [{54529188-D165-76FA-72F3-FD3CCD7D5709}] - C:\Program Files (x86)\Re-Markable-soft\161.xpi
FF HKCU\...\Firefox\Extensions: [ConsumerInput@Compete] - C:\Program Files (x86)\Consumer Input\Firefox\ciff-3.2.0-12171.xpi

==================== Services (Whitelisted) =================

R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
S3 McAWFwk; C:\Program Files\mcafee\msc\McAWFwk.exe [220528 2010-08-30] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-03-18] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-04-03] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [189912 2014-04-03] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 WSWNA1100; C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe [266240 2010-08-04] () [File not signed]

==================== Drivers (Whitelisted) ====================

R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70592 2014-04-03] (McAfee, Inc.)
S3 GetSusp; C:\Windows\GetSusp.sys [16680 2013-12-11] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [177544 2014-04-03] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311856 2014-04-03] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [522360 2014-04-03] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [784760 2014-04-03] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [441264 2014-03-18] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-03-18] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [346760 2014-04-03] (McAfee, Inc.)
U4 Messenger;
S3 MFE_RR; \??\C:\Users\Marty\AppData\Local\Temp\mfe_rr.sys [X]
S3 pfc; system32\drivers\pfc.sys [X]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-13 12:11 - 2014-06-13 12:12 - 00013557 _____ () C:\Users\Marty\Desktop\FRST.txt
2014-06-13 12:11 - 2014-06-13 12:11 - 00000000 ____D () C:\FRST
2014-06-13 12:03 - 2014-06-13 12:03 - 02081792 _____ (Farbar) C:\Users\Marty\Desktop\FRST64.exe
2014-06-13 12:03 - 2014-06-13 12:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-06-12 21:02 - 2014-06-13 11:59 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-12 21:01 - 2014-06-12 21:01 - 00001080 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-06-12 21:01 - 2014-06-12 21:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-12 21:01 - 2014-06-12 21:01 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-12 21:01 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-06-12 21:01 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-06-12 20:28 - 2014-06-13 11:58 - 00000616 _____ () C:\Windows\setupact.log
2014-06-12 20:28 - 2014-06-12 20:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-06 12:28 - 2014-06-06 12:28 - 00000000 ____D () C:\Windows\system32\SPReview
2014-05-30 07:49 - 2014-06-04 12:01 - 00000000 ____D () C:\Users\Marty\AppData\Roaming\Nugyyn

==================== One Month Modified Files and Folders =======

2014-06-13 12:12 - 2014-06-13 12:11 - 00013557 _____ () C:\Users\Marty\Desktop\FRST.txt
2014-06-13 12:12 - 2014-05-01 13:59 - 00000360 _____ () C:\Windows\Tasks\CIMT_S-1-5-21-1617529379-2784233811-108745753-1001.job
2014-06-13 12:12 - 2011-04-06 15:27 - 00000000 ____D () C:\Users\Marty\AppData\Local\Temp
2014-06-13 12:11 - 2014-06-13 12:11 - 00000000 ____D () C:\FRST
2014-06-13 12:10 - 2009-07-14 00:10 - 02046741 _____ () C:\Windows\WindowsUpdate.log
2014-06-13 12:08 - 2009-07-13 23:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-13 12:08 - 2009-07-13 23:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-13 12:03 - 2014-06-13 12:03 - 02081792 _____ (Farbar) C:\Users\Marty\Desktop\FRST64.exe
2014-06-13 12:03 - 2014-06-13 12:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-06-13 11:59 - 2014-06-12 21:02 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-13 11:59 - 2011-03-31 15:42 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-06-13 11:58 - 2014-06-12 20:28 - 00000616 _____ () C:\Windows\setupact.log
2014-06-13 11:58 - 2013-08-15 16:31 - 00557426 _____ () C:\Windows\PFRO.log
2014-06-13 11:58 - 2011-04-06 15:30 - 00000073 _____ () C:\Windows\SysWOW64\ToasterLauncherLog.log
2014-06-13 11:58 - 2011-04-06 15:30 - 00000000 ____D () C:\Users\Marty\AppData\Local\SoftThinks
2014-06-13 11:58 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-13 11:58 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\tracing
2014-06-13 11:56 - 2014-05-01 13:56 - 00000000 ____D () C:\Program Files\pcreg
2014-06-13 11:54 - 2013-06-17 11:18 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-06-12 21:15 - 2009-07-13 23:45 - 00000000 ____D () C:\Windows\Setup
2014-06-12 21:02 - 2013-08-15 16:16 - 00000000 ____D () C:\Users\Marty\AppData\Roaming\Malwarebytes
2014-06-12 21:02 - 2013-08-15 16:15 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-06-12 21:01 - 2014-06-12 21:01 - 00001080 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-06-12 21:01 - 2014-06-12 21:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-12 21:01 - 2014-06-12 21:01 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-12 20:42 - 2013-08-08 03:29 - 00000000 ____D () C:\Windows\system32\MRT
2014-06-12 20:42 - 2011-10-24 14:42 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-06-12 20:42 - 2011-04-22 08:47 - 95414520 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-06-12 20:28 - 2014-06-12 20:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-12 20:16 - 2011-04-09 08:27 - 00000000 ____D () C:\Users\Marty\AppData\Local\Google
2014-06-12 20:16 - 2011-04-09 08:27 - 00000000 ____D () C:\Program Files (x86)\Google
2014-06-12 20:14 - 2011-03-31 15:50 - 00000000 ____D () C:\Program Files (x86)\McAfee
2014-06-12 20:13 - 2014-05-01 13:49 - 00000000 ____D () C:\Program Files (x86)\Information
2014-06-12 17:48 - 2009-07-14 00:13 - 00727398 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-12 17:43 - 2011-03-31 15:54 - 00000000 ____D () C:\ProgramData\Sonic
2014-06-06 12:28 - 2014-06-06 12:28 - 00000000 ____D () C:\Windows\system32\SPReview
2014-06-06 06:35 - 2013-06-17 11:18 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-06-06 06:35 - 2013-06-17 11:18 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-06-06 06:35 - 2013-06-17 11:18 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-06-04 17:05 - 2013-08-14 07:51 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-06-04 12:01 - 2014-05-30 07:49 - 00000000 ____D () C:\Users\Marty\AppData\Roaming\Nugyyn
2014-05-28 15:35 - 2011-03-31 15:50 - 00000000 ____D () C:\Program Files\Common Files\mcafee

Files to move or delete:
====================
C:\Users\Marty\jagex_cl_runescape_LIVE.dat
C:\Users\Marty\random.dat

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

LastRegBack: 2014-06-12 22:57

==================== End Of Log ============================

Additional.TXT log:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-06-2014 02
Ran by Marty at 2014-06-13 12:12:28
Running from C:\Users\Marty\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall (Enabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

==================== Installed Programs ======================

Adobe Flash Player 13 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 13.0.0.214 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
CCleaner (HKLM\...\CCleaner) (Version: 3.15 - Piriform)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
HP Officejet 6500 E710n-z Basic Device Software (HKLM\...\{ADDF4B84-5D28-4EAE-8511-EF808C8BC81C}) (Version: 22.50.231.0 - Hewlett-Packard Co.)
HP Officejet 6500 E710n-z Product Improvement Study (HKLM\...\{D5510D28-D0E4-433E-A0F3-EE3FCECA60D2}) (Version: 22.50.231.0 - Hewlett-Packard Co.)
Java Auto Updater (HKLM-x32\...\{4A03706F-666A-4037-7777-5F2748764D10}) (Version: - )
Java 6 Update 23 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416023FF}) (Version: 6.0.230 - Oracle)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
McAfee SecurityCenter (HKLM-x32\...\MSC) (Version: 12.8.958 - McAfee, Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft PowerPoint Viewer (HKLM-x32\...\{95140000-00AF-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.56.34 - NVIDIA Corporation)
RBVirtualFolder64Inst (Version: 1.00.0000 - Roxio, Inc.) Hidden
Roxio File Backup (Version: 1.3.2 - Roxio) Hidden
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3555.0308 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden

==================== Restore Points =========================

06-06-2014 11:37:32 Windows 7 Service Pack 1
06-06-2014 17:27:02 Windows Update
13-06-2014 01:40:27 Windows Update

==================== Hosts content: ==========================

2009-07-13 21:34 - 2014-05-05 17:21 - 00000871 ____A C:\Windows\system32\Drivers\etc\hosts
54.221.22.25 dmcecclamecbinmplcolhaljlclhbgah

==================== Scheduled Tasks (whitelisted) =============

Task: {19F65F47-E9EA-4C57-9E2B-47996338281F} - System32\Tasks\CIMT_S-1-5-21-1617529379-2784233811-108745753-1001 => C:\Program Files (x86)\Consumer Input\Monitoring\dca-monitoring.exe
Task: {2A6240B5-229F-4878-B21F-888BF9F38E12} - System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-7 => C:\Program Files (x86)\HQvidPv1.12\HQvidPv1.12-nova.exe <==== ATTENTION
Task: {393CEA64-4CC8-4D42-BC93-7BB76D4C70FD} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-06-06] (Adobe Systems Incorporated)
Task: {7D678F84-71D1-47FB-888B-0DA4F007B8EF} - System32\Tasks\Games\UpdateCheck_S-1-5-21-1617529379-2784233811-108745753-1001
Task: {83874A12-6FE2-4134-AA3B-4D1C1454D32C} - System32\Tasks\HPCustParticipation HP Officejet 6500 E710n-z => C:\Program Files\HP\HP Officejet 6500 E710n-z\Bin\HPCustPartic.exe [2010-11-16] (Hewlett-Packard Co.)
Task: {9FCCD69D-7C99-454E-8D80-7284B6B77B3C} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe <==== ATTENTION
Task: {A21EB3E3-4E0C-489E-A560-6318A05D3519} - System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-1 => C:\Program Files (x86)\HQvidPv1.12\HQvidPv1.12-codedownloader.exe <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\CIMT_S-1-5-21-1617529379-2784233811-108745753-1001.job => C:\Program Files (x86)\Consumer Input\Monitoring\dca-monitoring.exe

==================== Loaded Modules (whitelisted) =============

2011-03-31 15:42 - 2010-08-11 18:19 - 00781536 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
2012-03-14 15:53 - 2010-08-04 14:44 - 00266240 _____ () C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe
2011-03-31 15:42 - 2010-08-11 18:19 - 00126176 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STLog.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 01121504 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\LibXml2.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00077024 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\zlib1.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00232672 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STFiles.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00072928 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STRegistry.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00109792 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STPE.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00119008 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STNLS.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00056544 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STCoreXml.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00113888 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\PSTVdsDisk.dll
2012-03-14 15:53 - 2010-03-10 14:50 - 00360448 _____ () C:\Program Files (x86)\NETGEAR\WNA1100\WifiLib.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00023776 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\SftBRCCPiped.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00023776 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STBRCCServCLR.dll
2013-01-16 17:21 - 2013-01-16 17:21 - 00170496 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\d89f0252d910d617de1de783a812f840\IsdiInterop.ni.dll
2011-03-31 15:34 - 2010-03-03 20:08 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""="Service"
==================== EXE Association (whitelisted) =============


==================== MSCONFIG/TASK MANAGER disabled items =========

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NETGEAR WNA1100 Smart Wizard.lnk => C:\Windows\pss\NETGEAR WNA1100 Smart Wizard.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: DellStage => "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
MSCONFIG\startupreg: Desktop Disc Tool => "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
MSCONFIG\startupreg: HP Software Update => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: IAStorIcon => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
MSCONFIG\startupreg: mcui_exe => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
MSCONFIG\startupreg: OM2_Monitor => "C:\Program Files (x86)\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
MSCONFIG\startupreg: RoxWatchTray => "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
MSCONFIG\startupreg: RtHDVCpl => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

==================== Faulty Device Manager Devices =============

Name: Microsoft 6to4 Adapter
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Microsoft ISATAP Adapter #2
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Microsoft ISATAP Adapter
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
==================== Event log errors: =========================

Application errors:
==================
Error: (05/30/2014 10:59:33 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: McSvHost.exe, version: 3.8.703.0, time stamp: 0x51f7deae
Faulting module name: homenetsvc.dll, version: 6.8.716.0, time stamp: 0x5321f22a
Exception code: 0xc0000005
Fault offset: 0x0000000000226881
Faulting process id: 0x76c
Faulting application start time: 0xMcSvHost.exe0
Faulting application path: McSvHost.exe1
Faulting module path: McSvHost.exe2
Report Id: McSvHost.exe3

Error: (05/07/2014 07:57:24 PM) (Source: VSS) (EventID: 12305) (User: )
Description: Volume Shadow Copy Service error: Volume/disk not connected or not found. Error context: CreateFileW(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8,0xc0000000,0x00000003,...).
Operation: Processing PostFinalCommitSnapshots
Context: Execution Context: System Provider

Error: (05/05/2014 09:33:30 PM) (Source: AVLogEvent) (EventID: 5003) (User: NT AUTHORITY)
Description: McShield encountered error while stopping. Error Code:a7f40610

Error: (05/02/2014 00:18:07 PM) (Source: Office Software Protection Platform Service) (EventID: 1062) (User: )
Description: Deposition of Confirmation ID failed. 0xC004F02F Sku Id=09e2d37e-474b-4121-8626-58ad9be5776f

Error: (05/01/2014 08:13:20 PM) (Source: Office Software Protection Platform Service) (EventID: 1012) (User: )
Description: Acquisition of Product Certificate failed. hr=0xC004C003 Sku Id=09e2d37e-474b-4121-8626-58ad9be5776f

Error: (05/01/2014 08:13:20 PM) (Source: Office Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details. hr=0xC004C003

Error: (05/01/2014 01:57:33 PM) (Source: MsiInstaller) (EventID: 11316) (User: Marty-PC)
Description: Product: Consumer Input Update Helper -- Error 1316. A network error occurred while attempting to read from the file: C:\Program Files (x86)\Consumer Input\Update\1.3.25.149\GoogleUpdateHelper.msi

Error: (04/14/2014 08:49:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt> with error: The specified server cannot perform the requested operation. .

Error: (04/14/2014 08:49:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt> with error: This operation returned because the timeout period expired. .

Error: (04/14/2014 08:49:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt> with error: This operation returned because the timeout period expired. .

System errors:
=============
Error: (06/13/2014 11:59:42 AM) (Source: VDS Basic Provider) (EventID: 1) (User: )
Description: Unexpected failure. Error code: D@01010004

Error: (06/13/2014 11:59:42 AM) (Source: VDS Basic Provider) (EventID: 1) (User: )
Description: Unexpected failure. Error code: D@01010004

Error: (06/13/2014 11:59:40 AM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: WMPNetworkSvc0x80004005

Error: (06/13/2014 11:55:52 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the pcregservice service.

Error: (06/13/2014 11:28:57 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {209500FC-6B45-4693-8871-6296C4843751}

Error: (06/13/2014 11:28:35 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Platform Services service failed to start due to the following error: %%1053

Error: (06/13/2014 11:28:35 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the McAfee Platform Services service to connect.

Error: (06/13/2014 11:28:34 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Platform Services service failed to start due to the following error: %%1053

Error: (06/13/2014 11:28:34 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the McAfee Platform Services service to connect.

Error: (06/13/2014 11:28:34 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1053mcpltsvc{20966775-18A4-4299-B8E3-772C336B52A7}

Microsoft Office Sessions:
=========================
Error: (05/30/2014 10:59:33 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: McSvHost.exe3.8.703.051f7deaehomenetsvc.dll6.8.716.05321f22ac0000005000000000022688176c01cf7c1fb7e4eea6C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exec:\PROGRA~1\COMMON~1\mcafee\mhn\homenetsvc.dll63d28dd9-e813-11e3-b233-b8ac6fe2aca8

Error: (05/07/2014 07:57:24 PM) (Source: VSS) (EventID: 12305) (User: )
Description: CreateFileW(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8,0xc0000000,0x00000003,...)
Operation: Processing PostFinalCommitSnapshots
Context: Execution Context: System Provider

Error: (05/05/2014 09:33:30 PM) (Source: AVLogEvent) (EventID: 5003) (User: NT AUTHORITY)
Description: a7f40610

Error: (05/02/2014 00:18:07 PM) (Source: Office Software Protection Platform Service) (EventID: 1062) (User: )
Description: 0xC004F02F09e2d37e-474b-4121-8626-58ad9be5776f

Error: (05/01/2014 08:13:20 PM) (Source: Office Software Protection Platform Service) (EventID: 1012) (User: )
Description: hr=0xC004C00309e2d37e-474b-4121-8626-58ad9be5776f

Error: (05/01/2014 08:13:20 PM) (Source: Office Software Protection Platform Service) (EventID: 8200) (User: )
Description: hr=0xC004C00300010001(0x00000000, 20:13:20:541 - http://go.microsoft.com/fwlink/?LinkID=120751)
00020001(0x00000000, 20:13:20:541)
00030001(0x00000000, 20:13:20:541 - http://go.microsoft.com)
00030002(0x00000000, 20:13:20:541 - 1)
00020005(0x00000000, 20:13:20:541 - 1)
0002000C(0x00000000, 20:13:20:728 - 302)
0002000E(0x00000000, 20:13:20:728 - https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx?configextension=o14)
00020001(0x00000000, 20:13:20:728)
00030001(0x00000000, 20:13:20:728 - https://activation.sls.microsoft.com)
00030002(0x00000000, 20:13:20:728 - 1)
00020005(0x00000000, 20:13:20:728 - 1)
0002000C(0x00000000, 20:13:20:837 - 500)
00010002(0x8004FC01, 20:13:20:837 - <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>SoapException</faultstring><detail><HRESULT>0xC004C003</HRESULT><Messages><Message>103 (Activation) - [PA Product key blocked. ---> Product key blocked]</Message></Messages></detail></soap:Fault></soap:Body></soap:Envelope>)
00010003(0x8004FC01, 20:13:20:853)

Error: (05/01/2014 01:57:33 PM) (Source: MsiInstaller) (EventID: 11316) (User: Marty-PC)
Description: Product: Consumer Input Update Helper -- Error 1316. A network error occurred while attempting to read from the file: C:\Program Files (x86)\Consumer Input\Update\1.3.25.149\GoogleUpdateHelper.msi(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (04/14/2014 08:49:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crtThe specified server cannot perform the requested operation.

Error: (04/14/2014 08:49:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crtThis operation returned because the timeout period expired.

Error: (04/14/2014 08:49:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crtThis operation returned because the timeout period expired.
==================== Memory info ===========================
Percentage of memory in use: 46%
Total physical RAM: 4094.98 MB
Available physical RAM: 2187.4 MB
Total Pagefile: 8188.07 MB
Available Pagefile: 6142.34 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================
Drive c: (OS) (Fixed) (Total:917.66 GB) (Free:856.32 GB) NTFS

==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 932 GB) (Disk ID: CB59CF0B)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=14 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=918 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Thanks again for any help! If we can fix this it'll make my daughter Very Happy (and, by extension, me)!! DaveFL
  7. Again, my apologies Maniac. I still haven't gotten back into town yet. My Boss may keep me out of town another day or 2. I appreciate all the help you've given me and would still like to finish this up if you'll stay with me... I'll run the requested scans when I get home and Post back... Thanks Maniac for bearing with me (If you can)! Again, my apologies for the confusion! Thanks, DaveFL
  8. Maniac, my apologies to you. I got called out of town on work. When I return in a day (or two) I will run those scans and post back. Thank you so much for your help so far! I really appreciate it! DaveFL
  9. Thanks again Maniac! The ESET scanner ran fine. It didn't report finding anything in the after scan report. The log isn't very revealing. It had just 2 lines related to registration. Interesting that you haven't found anything. Is it possible that Mbam cleared the infection both times, but that it was reinfected from the same external source (infected email, Website, thumb drive, etc.)? I wasn't there either time it was infected, and she's not very tech-smart! Maybe we are Clear of it on this computer? ;-) Thanks again, Maniac!

ESET Log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
  10. Thanks again Maniac! Combofix also ran as it was supposed to... The Log:

ComboFix 12-10-10.02 - End User 10/10/2012 10:02:36.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.1728 [GMT -5:00]
Running from: c:\users\End User\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2012-09-10 to 2012-10-10 )))))))))))))))))))))))))))))))
.
.
2012-10-10 15:12 . 2012-10-10 15:12 -------- d-----w- c:\users\Molly\AppData\Local\temp
2012-10-10 15:12 . 2012-10-10 15:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-09 20:01 . 2012-10-09 20:01 -------- d-----w- C:\FRST
2012-10-09 14:58 . 2012-10-09 14:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-09 14:58 . 2012-09-07 22:04 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-26 17:57 . 2012-08-21 21:01 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-09-21 14:34 . 2012-09-21 14:34 -------- d-----w- C:\06c33aa9e93f77da9b45cec4e03782
2012-09-12 12:54 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 12:54 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 12:54 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-12 12:54 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 12:54 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-12 12:54 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-12 12:54 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-10 14:54 . 2010-12-28 16:46 65309168 ----a-w- c:\windows\system32\MRT.exe
2012-08-25 05:47 . 2010-06-24 18:33 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-07-18 18:15 . 2012-08-25 19:28 3148800 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn\YTNavAssist.dll" [2011-03-16 214840]
"{2d7432c9-a3fd-4ed1-aea9-fbdb12dba4a7}"= "c:\program files (x86)\Radio_1.1\prxtbRadi.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CLASSES_ROOT\clsid\{2d7432c9-a3fd-4ed1-aea9-fbdb12dba4a7}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{2d7432c9-a3fd-4ed1-aea9-fbdb12dba4a7}]
2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\Radio_1.1\prxtbRadi.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{2d7432c9-a3fd-4ed1-aea9-fbdb12dba4a7}"= "c:\program files (x86)\Radio_1.1\prxtbRadi.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{2d7432c9-a3fd-4ed1-aea9-fbdb12dba4a7}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]
"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]
"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]
"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-08-17 3218792]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2008-05-27 413696]
"Garmin Lifetime Updater"="c:\program files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-12-15 1446248]
.
c:\users\End User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2011-2-23 323584]
SentriLockCardUtility.lnk - c:\windows\Installer\{9348BA70-11FB-4A78-A929-0980EF2C4DE8}\Icon9348BA70.exe [2011-5-27 91648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 136176]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-02-09 239136]
R3 S3XXx64;SCR3xx USB SmartCardReader64;c:\windows\system32\DRIVERS\S3XXx64.sys [2010-11-12 69376]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-28 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS [2011-01-27 450680]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS [2011-03-15 912504]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120928.001\BHDrvx64.sys [2012-08-31 1385120]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20121009.001\IDSvia64.sys [2012-09-01 513184]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [2011-01-27 171128]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [2011-04-21 386168]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe [2011-01-03 20360]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [2011-04-17 130008]
S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.5.60\SymcPCCULaunchSvc.exe [2012-08-28 123320]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.5.60\ccSvcHst.exe [2009-08-24 126392]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-02-26 252928]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-25 138912]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-22 287232]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-02-23 75304]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]
S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2009-06-15 12800]
S3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-02-12 877088]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]
S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 04:04]
.
2012-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 04:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-10 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-10 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-10 415256]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-03-10 520760]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]
"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/?ilc=34
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
DPF: {2EA5DD45-9254-4B0D-9F48-E92FEC3A9754} - hxxps://simulcast.manheim.com/simulcast_docs/av/SimulcastAVPlugin-win-ie.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
WebBrowser-{2D7432C9-A3FD-4ED1-AEA9-FBDB12DBA4A7} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe
HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe
HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe
HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe
HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe
HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
AddRemove-WT089366 - c:\program files (x86)\TOSHIBA Games\Cake Mania - Lights
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]
"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.5.60\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.5.60\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-10-10 10:27:15
ComboFix-quarantined-files.txt 2012-10-10 15:27
.
Pre-Run: 238,495,875,072 bytes free
Post-Run: 239,114,252,288 bytes free
.
- - End Of File - - F4A3A0800289CDE33D8ABAC7B59597D3
  11. Thanks Maniac! I need all the help I can get ;-) Farbar ran as advertised! Here is the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-10-2012
Ran by SYSTEM at 09-10-2012 12:01:54
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [] [x]
HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)
HKLM\...\Run: [smartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()
HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1483776 2010-02-25] (TOSHIBA Corporation)
HKLM\...\Run: [smartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-02-23] (TOSHIBA Corporation)
HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED [3218792 2010-08-17] (Toshiba)
HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [413696 2008-05-27] (Apple Inc.)
HKLM-x32\...\Run: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1446248 2011-12-15] (Garmin)
HKU\Molly\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\SentriLockCardUtility.lnk
ShortcutTarget: SentriLockCardUtility.lnk -> C:\windows\Installer\{9348BA70-11FB-4A78-A929-0980EF2C4DE8}\Icon9348BA70.exe ()
Startup: C:\Users\End User\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
2 atashost; "C:\windows\SysWOW64\atashost.exe" [20360 2011-01-03] (WebEx Communications, Inc.)
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)
2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.5.60\SymcPCCULaunchSvc.exe /s [123320 2012-08-28] (Symantec Corporation)
2 PCCUJobMgr; "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.5.60\ccSvcHst.exe" /s "PCCUJobMgr" /m "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.5.60\diMaster.dll" /prefetch:1 [132984 2009-08-29] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120928.001\BHDrvx64.sys [1385120 2012-08-31] (Symantec Corporation)
1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-24] (Symantec Corporation)
3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-24] (Symantec Corporation)
1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20121006.001\IDSvia64.sys [513184 2012-08-31] (Symantec Corporation)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20121009.003\ENG64.SYS [126112 2012-09-13] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20121009.003\EX64.SYS [2084000 2012-09-13] (Symantec Corporation)
3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)
0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
3 SymEvent; \??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-10] (Symantec Corporation)
1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-10-09 12:01 - 2012-10-09 12:01 - 00000000 ____D C:\FRST
2012-10-09 08:02 - 2012-10-09 08:02 - 00022671 ____A C:\Users\End User\Desktop\DDS.txt
2012-10-09 08:02 - 2012-10-09 08:02 - 00014090 ____A C:\Users\End User\Desktop\Attach.txt
2012-10-09 07:51 - 2012-10-09 07:51 - 00607260 ____R (Swearware) C:\Users\End User\Desktop\dds.scr
2012-10-09 06:58 - 2012-10-09 06:58 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-10-09 06:58 - 2012-10-09 06:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-10-09 06:58 - 2012-09-07 14:04 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-10-09 06:57 - 2012-10-09 06:57 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\End User\Downloads\mbam-setup-1.65.0.1400.exe
2012-10-03 13:36 - 2012-10-03 13:36 - 02939029 ____A C:\Users\End User\Downloads\6272.xml
2012-10-03 12:15 - 2012-10-03 12:15 - 03193867 ____A C:\Users\End User\Downloads\6271.xml
2012-10-02 11:21 - 2012-10-02 11:21 - 03166341 ____A C:\Users\End User\Downloads\attachments_2012_10_02 (2).zip
2012-10-02 11:09 - 2012-10-02 11:09 - 03166341 ____A C:\Users\End User\Downloads\attachments_2012_10_02 (1).zip
2012-10-02 09:56 - 2012-10-02 09:56 - 03166341 ____A C:\Users\End User\Downloads\attachments_2012_10_02.zip
2012-10-01 14:35 - 2012-10-01 14:35 - 03122324 ____A C:\Users\End User\Downloads\6262 (1).xml
2012-10-01 13:48 - 2012-10-01 13:48 - 02965587 ____A C:\Users\End User\Downloads\6266 (3).xml
2012-10-01 12:03 - 2012-10-01 12:03 - 02965813 ____A C:\Users\End User\Downloads\6266 (2).xml
2012-10-01 08:44 - 2012-10-01 08:44 - 02965587 ____A C:\Users\End User\Downloads\6266 (1).xml
2012-09-28 12:24 - 2012-09-28 12:24 - 02684905 ____A C:\Users\End User\Downloads\6265 (1).xml
2012-09-28 12:22 - 2012-09-28 12:22 - 01977870 ____A C:\Users\End User\Downloads\6260 (1).xml
2012-09-28 11:30 - 2012-09-28 11:30 - 02006269 ____A C:\Users\End User\Downloads\6259 (1).xml
2012-09-26 09:57 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe
2012-09-25 12:57 - 2012-09-25 12:57 - 02684501 ____A C:\Users\End User\Downloads\6265.xml
2012-09-25 11:34 - 2012-09-25 11:34 - 02967446 ____A C:\Users\End User\Downloads\6266.xml
2012-09-25 05:01 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-09-25 05:01 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-09-25 05:01 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-09-25 05:01 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-09-25 05:01 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-09-25 05:01 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-09-25 05:01 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-09-25 05:01 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-09-25 05:01 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-09-25 05:01 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-09-25 05:01 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2012-09-25 05:01 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-09-25 05:01 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2012-09-25 05:01 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-09-25 05:01 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-09-25 05:01 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-09-25 05:01 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-09-25 05:01 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-09-25 05:01 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-09-25 05:01 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-09-25 05:01 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-09-25 05:01 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-09-25 05:01 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-09-25 05:01 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-09-25 05:01 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-09-25 05:01 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2012-09-25 05:01 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-09-25 05:01 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2012-09-25 05:01 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-09-25 05:01 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-09-25 05:01 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-09-25 05:01 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-09-23 20:04 - 2012-09-23 20:05 - 03891360 ____A C:\Users\End User\Downloads\6256 (1).xml
2012-09-21 06:34 - 2012-09-21 06:34 - 00000000 ____D C:\06c33aa9e93f77da9b45cec4e03782
2012-09-19 20:22 - 2012-09-19 20:23 - 03122263 ____A C:\Users\End User\Downloads\6262.xml
2012-09-18 11:35 - 2012-09-18 11:35 - 03071242 ____A C:\Users\End User\Downloads\6263 (3).xml
2012-09-17 17:33 - 2012-09-17 17:33 - 03277856 ____A C:\Users\End User\Downloads\6263.xml
2012-09-17 17:33 - 2012-09-17 17:33 - 03277856 ____A C:\Users\End User\Downloads\6263 (2).xml
2012-09-17 17:33 - 2012-09-17 17:33 - 03277856 ____A C:\Users\End User\Downloads\6263 (1).xml
2012-09-17 13:16 - 2012-09-17 13:17 - 03382825 ____A C:\Users\End User\Downloads\6229 (1).xml
2012-09-15 13:18 - 2012-09-15 13:18 - 02928992 ____A C:\Users\End User\Downloads\6253 (2).xml
2012-09-15 13:18 - 2012-09-15 13:18 - 02928992 ____A C:\Users\End User\Downloads\6253 (1).xml
2012-09-12 07:14 - 2012-09-12 07:16 - 02117503 ____A C:\Users\End User\Downloads\6255 (3).xml
2012-09-12 04:54 - 2012-08-22 10:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-09-12 04:54 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys
2012-09-12 04:54 - 2012-08-22 10:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys
2012-09-12 04:54 - 2012-08-22 10:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS
2012-09-12 04:54 - 2012-08-02 09:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll
2012-09-12 04:54 -
2012-08-02 08:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll 2012-09-12 04:54 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys 2012-09-11 14:41 - 2012-09-11 14:41 - 01978012 ____A C:\Users\End User\Downloads\6260.xml 2012-09-11 11:36 - 2012-09-11 11:36 - 02006417 ____A C:\Users\End User\Downloads\6259.xml 2012-09-11 11:06 - 2012-09-11 11:06 - 02117503 ____A C:\Users\End User\Downloads\6255 (2).xml ==================== 3 Months Modified Files ================== 2012-10-09 08:56 - 2010-11-26 17:22 - 02091332 ____A C:\Windows\WindowsUpdate.log 2012-10-09 08:56 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2012-10-09 08:56 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2012-10-09 08:54 - 2009-07-13 21:13 - 00727334 ____A C:\Windows\System32\PerfStringBackup.INI 2012-10-09 08:53 - 2009-07-13 20:51 - 00044303 ____A C:\Windows\setupact.log 2012-10-09 08:02 - 2012-10-09 08:02 - 00022671 ____A C:\Users\End User\Desktop\DDS.txt 2012-10-09 08:02 - 2012-10-09 08:02 - 00014090 ____A C:\Users\End User\Desktop\Attach.txt 2012-10-09 08:00 - 2010-10-14 20:04 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job 2012-10-09 07:51 - 2012-10-09 07:51 - 00607260 ____R (Swearware) C:\Users\End User\Desktop\dds.scr 2012-10-09 07:48 - 2010-10-14 20:04 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job 2012-10-09 07:48 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT 2012-10-09 07:47 - 2010-10-14 20:32 - 00452164 ____A C:\Windows\PFRO.log 2012-10-09 06:58 - 2012-10-09 06:58 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk 2012-10-09 06:57 - 2012-10-09 06:57 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\End User\Downloads\mbam-setup-1.65.0.1400.exe 2012-10-03 13:36 - 
2012-10-03 13:36 - 02939029 ____A C:\Users\End User\Downloads\6272.xml 2012-10-03 13:33 - 2011-01-04 12:42 - 00000080 ____A C:\Windows\SysWOW64\PDFWRITR.INI 2012-10-03 13:33 - 2011-01-04 12:42 - 00000080 ____A C:\Windows\SysWOW64\__PDF.INI 2012-10-03 13:33 - 2009-07-13 18:34 - 00000558 ____A C:\Windows\win.ini 2012-10-03 12:15 - 2012-10-03 12:15 - 03193867 ____A C:\Users\End User\Downloads\6271.xml 2012-10-02 11:21 - 2012-10-02 11:21 - 03166341 ____A C:\Users\End User\Downloads\attachments_2012_10_02 (2).zip 2012-10-02 11:09 - 2012-10-02 11:09 - 03166341 ____A C:\Users\End User\Downloads\attachments_2012_10_02 (1).zip 2012-10-02 09:56 - 2012-10-02 09:56 - 03166341 ____A C:\Users\End User\Downloads\attachments_2012_10_02.zip 2012-10-01 14:35 - 2012-10-01 14:35 - 03122324 ____A C:\Users\End User\Downloads\6262 (1).xml 2012-10-01 13:48 - 2012-10-01 13:48 - 02965587 ____A C:\Users\End User\Downloads\6266 (3).xml 2012-10-01 12:03 - 2012-10-01 12:03 - 02965813 ____A C:\Users\End User\Downloads\6266 (2).xml 2012-10-01 08:44 - 2012-10-01 08:44 - 02965587 ____A C:\Users\End User\Downloads\6266 (1).xml 2012-09-28 12:24 - 2012-09-28 12:24 - 02684905 ____A C:\Users\End User\Downloads\6265 (1).xml 2012-09-28 12:22 - 2012-09-28 12:22 - 01977870 ____A C:\Users\End User\Downloads\6260 (1).xml 2012-09-28 11:30 - 2012-09-28 11:30 - 02006269 ____A C:\Users\End User\Downloads\6259 (1).xml 2012-09-27 08:09 - 2011-12-04 20:49 - 00002385 ____A C:\Users\Public\Desktop\Google Chrome.lnk 2012-09-25 12:57 - 2012-09-25 12:57 - 02684501 ____A C:\Users\End User\Downloads\6265.xml 2012-09-25 11:34 - 2012-09-25 11:34 - 02967446 ____A C:\Users\End User\Downloads\6266.xml 2012-09-23 20:05 - 2012-09-23 20:04 - 03891360 ____A C:\Users\End User\Downloads\6256 (1).xml 2012-09-21 06:34 - 2010-12-28 08:46 - 64462936 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe 2012-09-19 20:23 - 2012-09-19 20:22 - 03122263 ____A C:\Users\End User\Downloads\6262.xml 2012-09-18 11:35 - 2012-09-18 11:35 - 
03071242 ____A C:\Users\End User\Downloads\6263 (3).xml 2012-09-17 17:33 - 2012-09-17 17:33 - 03277856 ____A C:\Users\End User\Downloads\6263.xml 2012-09-17 17:33 - 2012-09-17 17:33 - 03277856 ____A C:\Users\End User\Downloads\6263 (2).xml 2012-09-17 17:33 - 2012-09-17 17:33 - 03277856 ____A C:\Users\End User\Downloads\6263 (1).xml 2012-09-17 13:17 - 2012-09-17 13:16 - 03382825 ____A C:\Users\End User\Downloads\6229 (1).xml 2012-09-15 13:18 - 2012-09-15 13:18 - 02928992 ____A C:\Users\End User\Downloads\6253 (2).xml 2012-09-15 13:18 - 2012-09-15 13:18 - 02928992 ____A C:\Users\End User\Downloads\6253 (1).xml 2012-09-15 12:51 - 2011-01-12 10:49 - 00028733 ____A C:\Users\End User\Documents\WindsorOrg2010(1).xlsx 2012-09-12 07:16 - 2012-09-12 07:14 - 02117503 ____A C:\Users\End User\Downloads\6255 (3).xml 2012-09-11 14:41 - 2012-09-11 14:41 - 01978012 ____A C:\Users\End User\Downloads\6260.xml 2012-09-11 11:36 - 2012-09-11 11:36 - 02006417 ____A C:\Users\End User\Downloads\6259.xml 2012-09-11 11:06 - 2012-09-11 11:06 - 02117503 ____A C:\Users\End User\Downloads\6255 (2).xml 2012-09-08 13:11 - 2012-09-08 13:11 - 02063370 ____A C:\Users\End User\Downloads\6255 (1).xml 2012-09-07 14:04 - 2012-10-09 06:58 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys 2012-09-06 09:52 - 2012-09-06 09:52 - 02743602 ____A C:\Users\End User\Downloads\6256.xml 2012-09-05 06:57 - 2012-09-05 06:53 - 03193377 ____A C:\Users\End User\Downloads\6258.xml 2012-08-31 09:12 - 2012-08-31 09:12 - 02062559 ____A C:\Users\End User\Downloads\6255.xml 2012-08-30 14:13 - 2012-08-30 14:13 - 03466082 ____A C:\Users\End User\Downloads\6245 (2).xml 2012-08-28 10:25 - 2012-08-28 10:25 - 02819934 ____A C:\Users\End User\Downloads\6251 (1).xml 2012-08-26 07:24 - 2009-07-13 20:45 - 00416736 ____A C:\Windows\System32\FNTCACHE.DAT 2012-08-24 09:11 - 2012-08-24 09:11 - 02930711 ____A C:\Users\End User\Downloads\6253.xml 2012-08-24 03:15 - 2012-09-25 05:01 - 17810944 ____A (Microsoft 
Corporation) C:\Windows\System32\mshtml.dll 2012-08-24 02:39 - 2012-09-25 05:01 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll 2012-08-24 02:31 - 2012-09-25 05:01 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll 2012-08-24 02:22 - 2012-09-25 05:01 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll 2012-08-24 02:21 - 2012-09-25 05:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll 2012-08-24 02:20 - 2012-09-25 05:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl 2012-08-24 02:18 - 2012-09-25 05:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll 2012-08-24 02:17 - 2012-09-25 05:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll 2012-08-24 02:14 - 2012-09-25 05:01 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll 2012-08-24 02:14 - 2012-09-25 05:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe 2012-08-24 02:13 - 2012-09-25 05:01 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll 2012-08-24 02:12 - 2012-09-25 05:01 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll 2012-08-24 02:11 - 2012-09-25 05:01 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll 2012-08-24 02:10 - 2012-09-25 05:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll 2012-08-24 02:09 - 2012-09-25 05:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb 2012-08-24 02:04 - 2012-09-25 05:01 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll 2012-08-23 23:27 - 2012-09-25 05:01 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll 2012-08-23 23:03 - 2012-09-25 05:01 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll 2012-08-23 22:59 - 2012-09-25 05:01 - 01800704 ____A (Microsoft Corporation) 
C:\Windows\SysWOW64\jscript9.dll 2012-08-23 22:51 - 2012-09-25 05:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl 2012-08-23 22:51 - 2012-09-25 05:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll 2012-08-23 22:51 - 2012-09-25 05:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll 2012-08-23 22:49 - 2012-09-25 05:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll 2012-08-23 22:48 - 2012-09-25 05:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll 2012-08-23 22:47 - 2012-09-25 05:01 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll 2012-08-23 22:47 - 2012-09-25 05:01 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll 2012-08-23 22:47 - 2012-09-25 05:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe 2012-08-23 22:45 - 2012-09-25 05:01 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll 2012-08-23 22:44 - 2012-09-25 05:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll 2012-08-23 22:44 - 2012-09-25 05:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll 2012-08-23 22:43 - 2012-09-25 05:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb 2012-08-23 22:40 - 2012-09-25 05:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll 2012-08-22 10:42 - 2012-08-22 10:42 - 01001264 ____A (Solid State Networks) C:\Users\End User\Downloads\install_flashplayer11x32ax_gtbp_chra_aih (1).exe 2012-08-22 10:12 - 2012-09-12 04:54 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys 2012-08-22 10:12 - 2012-09-12 04:54 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys 2012-08-22 10:12 - 2012-09-12 04:54 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys 2012-08-22 10:12 - 2012-09-12 04:54 - 00288624 ____A 
(Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS 2012-08-22 07:27 - 2012-08-22 07:27 - 02924085 ____A C:\Users\End User\Downloads\6247 (3).xml 2012-08-22 07:26 - 2012-08-22 07:26 - 02924085 ____A C:\Users\End User\Downloads\6247 (2).xml 2012-08-22 07:07 - 2012-08-22 07:07 - 02924081 ____A C:\Users\End User\Downloads\6247 (1).xml 2012-08-22 06:51 - 2012-08-22 06:51 - 00000942 ____A C:\Users\End User\Documents\riverton.txt 2012-08-21 13:01 - 2012-09-26 09:57 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe 2012-08-20 09:26 - 2012-08-20 09:25 - 02819342 ____A C:\Users\End User\Downloads\6251.xml 2012-08-18 08:35 - 2012-08-18 08:35 - 02227541 ____A C:\Users\End User\Downloads\6252.xml 2012-08-14 13:40 - 2012-08-14 13:40 - 02976544 ____A C:\Users\End User\Downloads\6250.xml 2012-08-14 07:53 - 2012-08-14 07:53 - 02744977 ____A C:\Users\End User\Downloads\6249.xml 2012-08-13 06:42 - 2012-08-13 06:42 - 03092748 ____A C:\Users\End User\Downloads\6242 (1).xml 2012-08-10 13:57 - 2012-08-10 13:57 - 03466033 ____A C:\Users\End User\Downloads\6245 (1).xml 2012-08-10 12:59 - 2012-08-10 12:59 - 03011271 ____A C:\Users\End User\Downloads\6247.xml 2012-08-10 05:54 - 2012-08-10 05:54 - 03164633 ____A C:\Users\End User\Downloads\6245.xml 2012-08-08 06:44 - 2012-08-08 06:44 - 02750488 ____A C:\Users\End User\Downloads\6242.xml 2012-08-02 09:58 - 2012-09-12 04:54 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll 2012-08-02 08:57 - 2012-09-12 04:54 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll 2012-07-27 13:56 - 2012-07-27 13:56 - 03754002 ____A C:\Users\End User\Downloads\6238.xml 2012-07-24 18:28 - 2012-07-24 18:28 - 02143581 ____A C:\Users\End User\Downloads\6231 (1).xml 2012-07-23 16:36 - 2012-07-23 16:36 - 03826209 ____A C:\Users\End User\Downloads\6230.xml 2012-07-23 14:02 - 2012-07-23 14:02 - 01891349 ____A C:\Users\End User\Downloads\6231.xml 2012-07-23 08:51 - 2012-07-23 08:51 
- 06477390 ____A C:\Users\End User\Downloads\attachments_2012_07_23.zip
2012-07-20 07:02 - 2012-07-20 07:01 - 02840679 ____A C:\Users\End User\Downloads\6229.xml
2012-07-19 11:31 - 2012-07-19 11:31 - 00000110 ____A C:\Users\End User\Desktop\Capital Area Association of REALTORS.url
2012-07-18 10:15 - 2012-08-25 11:28 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-13 00:17 - 2012-07-13 00:17 - 02982456 ____A C:\Users\End User\Downloads\6218.xml
2012-07-12 09:35 - 2012-07-12 09:35 - 02818781 ____A C:\Users\End User\Downloads\6213 (1).xml

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================
Restore point made on: 2012-08-24 21:37:39
Restore point made on: 2012-08-28 04:53:21
Restore point made on: 2012-09-20 11:39:49
Restore point made on: 2012-09-21 06:43:56
Restore point made on: 2012-09-25 05:01:35
Restore point made on: 2012-09-28 08:18:04

==================== Memory info ===========================
Percentage of memory in use: 14%
Total physical RAM: 3893.86 MB
Available physical RAM: 3332.14 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3321.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Partitions =============================
1 Drive c: (TI106033W0C) (Fixed) (Total:284.9 GB) (Free:211.52 GB) NTFS ==>[system with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[system with boot components (obtained from reading drive)]
4 Drive f: (PKBACK# 001) (Removable) (Total:7.45 GB) (Free:7.43 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B
  Disk 1    Online         7643 MB      0 B
  Disk 2    No Media           0 B      0 B

Partitions of Disk 0:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Recovery          1500 MB  1024 KB
  Partition 2    Primary            284 GB  1501 MB
  Partition 3    Primary             11 GB   286 GB

==================================================================================
Disk: 0
Partition 1
Type  : 27
Hidden: Yes
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     D   System       NTFS   Partition   1500 MB  Healthy    Hidden

=========================================================
Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1     C   TI106033W0C  NTFS   Partition    284 GB  Healthy

=========================================================
Disk: 0
Partition 3
Type  : 17 (Suspicious Type)
Hidden: Yes
Active: No
There is no volume associated with this partition.

=========================================================
Partitions of Disk 1:
===============
  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary           7643 MB    31 KB

==================================================================================
Disk: 1
Partition 1
Type  : 0B
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     F   PKBACK# 001  FAT32  Removable   7643 MB  Healthy

=========================================================
Last Boot: 2012-06-01 06:25

==================== End Of Log =============================
  12. Hi! I was helping a family member with a virus on Sunday. Her computer was seized up on a black 'FBI' screen demanding money. I rebooted to safe mode, ran MBAM, and it found and removed several objects. I rebooted out of safe mode and successfully opened IE and browsed a few pages. Everything seemed fine. I re-ran MBAM and it didn't report any problems. I rebooted again, opened a few more web pages, and then re-ran MBAM a third time. Again it reported no problems. I thought we were in the clear! Unfortunately, she was in tears this morning because the black 'FBI' screen was back! I rebooted into safe mode and ran MBAM again. It found (and removed) a further 2 objects. Thanks in advance for any help I can get! I've included this morning's MBAM log along with the two DDS logs:

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.09.07

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
End User :: ENDUSER-PC [administrator]

10/9/2012 10:00:29 AM
mbam-log-2012-10-09 (10-00-29).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 385868
Time elapsed: 41 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|GoogleChrome (Trojan.Ransom.ANC) -> Data: C:\Users\ENDUSE~1\AppData\Local\Temp\sdjutta.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\End User\AppData\Local\Temp\sdjutta.exe (Trojan.Ransom.ANC) -> Quarantined and deleted successfully.

(end)

Attach.txt DDS.txt
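An added example, not code from the thread, from the helper, or from Malwarebytes: a small Python triage of Run-key autostart entries that reproduces offline the judgement behind the finding quoted in the post above (a value named GoogleChrome launching an executable from a per-user Temp folder). The temp-directory markers, vendor tokens, trusted roots and the three extra sample entries (two benign, one malicious) are my assumptions, constructed for illustration; only the first sample is the MBAM line from the log.

```python
"""Heuristic triage of Windows Run-key autostart entries.

Added example, not code from the forum thread or from Malwarebytes. It
reproduces, offline, the kind of judgement a helper makes when reading a
log like the one in the post above: an autostart value named after a
well-known product whose binary lives in a per-user Temp folder is almost
never legitimate. The heuristics, token lists and sample entries are
assumptions made for this example, not a published detection rule.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: installers do not register autostart binaries from these places.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%", "%tmp%")
# Assumption: value names borrowing these tokens should point under a vendor root.
VENDOR_TOKENS = ("google", "chrome", "adobe", "java", "microsoft", "windows", "update")
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Shape of the "Registry Values Detected" line in the MBAM log quoted in the post.
MBAM_VALUE = re.compile(
    r"^(?P<key>HK[^|]+)\|(?P<name>\S+) \((?P<sig>[^)]+)\) -> Data: (?P<data>.+?) -> "
)


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    image: str
    reasons: Tuple[str, ...]


def extract_image_path(command: str) -> str:
    """Return the executable path from a Run-key command line.

    Quoted paths are taken verbatim; unquoted ones are cut after the first
    script/executable extension, so 'C:\\Program Files\\x\\y.exe /flag'
    keeps its embedded space but drops the argument.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|scr|com|bat|cmd|vbs|js))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else (command.split() or [command])[0]


def triage_entry(key: str, name: str, command: str) -> Finding:
    """Apply the heuristics to one (key, value name, command) triple."""
    image = extract_image_path(command)
    norm = image.lower().replace("/", "\\")
    reasons: List[str] = []
    if any(marker in norm for marker in TEMP_MARKERS):
        reasons.append("launched from a temp directory")
    if re.search(r"~\d", norm):
        # ENDUSE~1 style component: the path was expanded from %TEMP% or
        # %USERPROFILE% at run time rather than written by an installer.
        reasons.append("8.3 short-name component in path")
    if any(tok in name.lower() for tok in VENDOR_TOKENS) and not norm.startswith(TRUSTED_ROOTS):
        reasons.append("vendor-like value name but binary outside Program Files/Windows")
    return Finding(key, name, image, tuple(reasons))


def triage(entries: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """Return only the entries that tripped at least one heuristic."""
    return [f for f in (triage_entry(*e) for e in entries) if f.reasons]


def parse_mbam_value_line(line: str) -> Tuple[str, str, str]:
    """Turn an MBAM 'Registry Values Detected' line into a (key, name, data) triple."""
    m = MBAM_VALUE.match(line.strip())
    if not m:
        raise ValueError("not an MBAM registry-value line: " + line)
    return m.group("key"), m.group("name"), m.group("data")


# The first entry is the finding quoted in the post; the other three are
# constructed (two benign, one malicious) to show the heuristics discriminating.
MBAM_LINE = (
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|GoogleChrome (Trojan.Ransom.ANC)"
    r" -> Data: C:\Users\ENDUSE~1\AppData\Local\Temp\sdjutta.exe -> Quarantined and deleted successfully."
)
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    parse_mbam_value_line(MBAM_LINE),
    (RUN_KEY, "Adobe ARM", r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'),
    (RUN_KEY, "Sidebar", r"C:\Program Files\Windows Sidebar\sidebar.exe /autoRun"),
    (RUN_KEY, "updater", r"%TEMP%\svchost.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"{f.key}\\{f.name} -> {f.image}")
        for r in f.reasons:
            print("   ", r)
```

On a live machine the same (key, name, command) triples can be read from the HKCU and HKLM Run keys (and their RunOnce siblings) and fed to triage(); the heuristics are a triage aid, not a verdict, so a flagged entry still needs its binary hashed and its signature checked before removal, and a clean-looking entry under Program Files is not proof of anything on its own.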
  13. Thanks for all your help! You are as kind as these virus authors are evil! No, KINDER! Your instructions were clear and easy to follow. Best of all, you got me going again! Thanks a million! I've bookmarked your website!

  14. Thanks Mr Charlie! MBAM scan was clean! I rebooted afterwards, opened IE, scanned again, and it was clean! Am I fixed? The MBAM log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.27.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Judith :: JUDITH-PC [administrator]

6/27/2012 3:36:47 PM
mbam-log-2012-06-27 (15-36-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209807
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)