DaveFL

June 14, 2014

Thanks MrC!

Sorry for the delayed reply but SP1 didn't want to install. Microsoft's Update Readiness Tool, or whatever Microsoft sent me to, ran a hotfix, then SP1 cooperated nicely.

The Clean up went as advertised.

Everything seems to be holding together nicely!!

I suppose the next 24 hrs or so will tell....

Thanks again for all your help!

You are the Best, Mr Charlie!

DaveFL

June 14, 2014

Things still look good...

Security check log:

Results of screen317's Security Check version 0.99.84
Windows 7 x64 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
McAfee Anti-Virus and Anti-Spyware
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Java version out of Date!
Adobe Reader XI
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````

Thanks MrC!

DaveFL

June 14, 2014

Thanks MrC!

the new roguekiller report:

RogueKiller V9.0.2.0 (x64) [Jun 3 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Marty [Admin rights]
Mode : Scan -- Date : 06/14/2014 11:28:16

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess] mcshield.exe -- [x] -> ERROR [12]

¤¤¤ Registry Entries : 23 ¤¤¤
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GetSusp -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GetSusp -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GetSusp -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X64) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X86) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorUser : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorUser : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
[PUM.Desktop] (X64) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper : 0 -> FOUND
[PUM.Desktop] (X86) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[suspicious.Path] \\{9AD52BE1-60AA-41B8-8FC4-A4290EB10F3A} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Marty\AppData\Roaming\v9\UninstallManager.exe -c -ptid=tugs) -> FOUND

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103SJ +++++
--- User ---
[MBR] 339053ccd380888a513d4babe099a448
[bSP] 2dfa851a71cb3d932cd438f3fdc85c0d : Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 14142 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 29044736 | Size: 939686 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_06132014_223919.log - RKreport_SCN_06132014_224621.log - RKreport_SCN_06142014_112316.log

I've been surfing around and opening and closing IE and so far so good!

I'll keep 'test driving' it a little here...

DaveFL

June 14, 2014

Thanks, MrC, for your clear and detailed instructions. Guys like me need that :-).

Everything ran as advertised.

The mbam scans were clean (but that's probably not a surprise since the computer has been idle except for what we are doing here, and I have no idea what caused the re-emergence of the malware...)

I let AdwCleaner remove everything it found.

the Logs:

Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-06-2014 02
Ran by Marty at 2014-06-14 10:01:43 Run:1
Running from C:\Users\Marty\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM\...\Run: [Qoyvf] => "C:\Users\Marty\AppData\Roaming\Foyxheon\haefp.exe"
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Group Policy on Chrome detected
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.v9.com...&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://search.v9.com...&q={searchTerms}
SearchScopes: HKLM-x32 - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.mywebs...or={searchTerms}
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
Hosts: 54.221.22.25 dmcecclamecbinmplcolhaljlclhbgah
FF HKCU\...\Firefox\Extensions: [{54529188-D165-76FA-72F3-FD3CCD7D5709}] - C:\Program Files (x86)\Re-Markable-soft\161.xpi
FF HKCU\...\Firefox\Extensions: [ConsumerInput@Compete] - C:\Program Files (x86)\Consumer Input\Firefox\ciff-3.2.0-12171.xpi
S3 MFE_RR; \??\C:\Users\Marty\AppData\Local\Temp\mfe_rr.sys [X]
C:\Users\Marty\jagex_cl_runescape_LIVE.dat
C:\Users\Marty\random.dat
C:\Users\Marty\AppData\Roaming\Foyxheon
C:\Program Files\pcreg
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
Task: {2A6240B5-229F-4878-B21F-888BF9F38E12} - System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-7 => C:\Program Files (x86)\HQvidPv1.12\HQvidPv1.12-nova.exe
Task: {9FCCD69D-7C99-454E-8D80-7284B6B77B3C} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe
Task: {A21EB3E3-4E0C-489E-A560-6318A05D3519} - System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-1 => C:\Program Files (x86)\HQvidPv1.12\HQvidPv1.12-codedownloader.exe
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Qoyvf => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Secondary Start Pages => value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
'HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{b0441a0e-a49a-4e16-afc1-74ecced1921f}'=> Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
'HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}'=> Key not found.
'HKCR\PROTOCOLS\Handler\skype-ie-addon-data' => Key deleted successfully.
'HKCR\CLSID\{91774881-D725-4E58-B298-07617B9B86A8}'=> Key not found.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
HKCU\Software\Mozilla\Firefox\Extensions\\{54529188-D165-76FA-72F3-FD3CCD7D5709} => value deleted successfully.
HKCU\Software\Mozilla\Firefox\Extensions\\ConsumerInput@Compete => value deleted successfully.
MFE_RR => Service deleted successfully.
C:\Users\Marty\jagex_cl_runescape_LIVE.dat => Moved successfully.
C:\Users\Marty\random.dat => Moved successfully.
C:\Users\Marty\AppData\Roaming\Foyxheon => Moved successfully.
C:\Program Files\pcreg => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2A6240B5-229F-4878-B21F-888BF9F38E12}' => Key deleted successfully.
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2A6240B5-229F-4878-B21F-888BF9F38E12}' => Key deleted successfully.
C:\Windows\System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-7 => Moved successfully.
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\a74f6af7-b4c0-41c3-b53e-2486781d7f40-7' => Key deleted successfully.
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9FCCD69D-7C99-454E-8D80-7284B6B77B3C}' => Key deleted successfully.
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9FCCD69D-7C99-454E-8D80-7284B6B77B3C}' => Key deleted successfully.
C:\Windows\System32\Tasks\pcreg => Moved successfully.
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\pcreg' => Key deleted successfully.
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A21EB3E3-4E0C-489E-A560-6318A05D3519}' => Key deleted successfully.
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A21EB3E3-4E0C-489E-A560-6318A05D3519}' => Key deleted successfully.
C:\Windows\System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-1 => Moved successfully.
'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\a74f6af7-b4c0-41c3-b53e-2486781d7f40-1' => Key deleted successfully.

The system needed a reboot.

==== End of Fixlog ====

Adwcleaner log:

# AdwCleaner v3.212 - Report created 14/06/2014 at 10:18:49
# Updated 05/06/2014 by Xplode
# Operating System : Windows 7 Home Premium (64 bits)
# Username : Marty - MARTY-PC
# Running from : C:\Users\Marty\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\VisualBee
Folder Deleted : C:\Program Files (x86)\Bench
Folder Deleted : C:\Program Files (x86)\Information
Folder Deleted : C:\Users\Marty\AppData\Local\emaze
Folder Deleted : C:\Users\Marty\AppData\Local\PackageAware
Folder Deleted : C:\Users\Marty\AppData\LocalLow\iac
Folder Deleted : C:\Users\Marty\AppData\LocalLow\mapsgalaxy_39
Folder Deleted : C:\Users\Marty\AppData\Roaming\Activeris
Folder Deleted : C:\Users\Marty\AppData\Roaming\SupTab
Folder Deleted : C:\Users\Marty\AppData\Roaming\Systweak
Folder Deleted : C:\Users\Marty\AppData\Roaming\v9
Folder Deleted : C:\Users\Marty\Documents\PC Speed Maximizer
File Deleted : C:\END

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\CptUrlPassthru.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dca-bho.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ActiverisAntiMalware_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ActiverisAntiMalware_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\NewPlayer_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\NewPlayer_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SupTab_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SupTab_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\systweakasp_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\systweakasp_rasmancs
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{A57F7191-1E7F-4852-BAAF-F80A43E2687A}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{DD7C44CC-0F60-4FD9-A38F-5CF30D698AC2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220522302298}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660566306698}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8F0B76E1-4E46-427B-B55B-B90593468AC6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220522302298}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{15527BF5-9729-49DC-889C-9F956983154C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DD05B915-F77B-474A-9D42-9FEEAF5475C4}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660566306698}
Key Deleted : HKCU\Software\Compete
Key Deleted : HKCU\Software\powerpack
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\visualbee
Key Deleted : HKCU\Software\AppDataLow\Software\Compete
Key Deleted : HKLM\Software\Bench
Key Deleted : HKLM\Software\CompeteInc
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\SupTab
Key Deleted : HKLM\Software\systweak
Key Deleted : HKLM\Software\V9Software
Key Deleted : HKLM\Software\visualbee
Key Deleted : HKLM\Software\Wpm
Key Deleted : HKLM\Software\Information
Key Deleted : [x64] HKLM\SOFTWARE\installedbrowserextensions

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16476

*************************

AdwCleaner[R0].txt - [4952 octets] - [14/06/2014 10:05:08]
AdwCleaner[s0].txt - [4793 octets] - [14/06/2014 10:18:49]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [4853 octets] ##########

JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Marty on Sat 06/14/2014 at 10:23:36.96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.pseudotransparentplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.pseudotransparentplugin.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.radio
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.radio.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.settingsplugin
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\mapsgalaxy_39.settingsplugin.1
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{173A5778-34BF-48A2-8A5E-6963CE922FED}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{4B7D0B0C-CFF3-49C5-9BC3-FFABC031C822}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{7D4DFAF7-F2CE-4C91-91A4-514C9612914D}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{9B58A6CE-B337-43D5-9C2F-8C6D92FBA094}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\ammyy"
Successfully deleted: [Folder] "C:\ProgramData\pc1data"
Successfully deleted: [Folder] "C:\Users\Marty\AppData\Roaming\pc cleaners"
Successfully deleted: [Folder] "C:\Users\Marty\AppData\Roaming\pcpro"
Successfully deleted: [Folder] "C:\Users\Marty\appdata\locallow\recipehub_2j"
Successfully deleted: [Folder] "C:\Users\Marty\appdata\locallow\recipehub_2jei"
Successfully deleted: [Folder] "C:\Program Files (x86)\recipehub_2jei"
Successfully deleted: [Empty Folder] C:\Users\Marty\appdata\local\{280CF035-5285-4C3A-9BF5-91FD805A3C42}
Successfully deleted: [Empty Folder] C:\Users\Marty\appdata\local\{DBCB0101-4141-49FF-BBCF-E302023C55D6}

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 06/14/2014 at 10:29:29.21
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hope I posted everything correctly! Thanks again.

DaveFL

June 14, 2014

Thanks MrC!

I ran malwarebytes with the requested settings and it didn't find anything this time.

Here is the Roguekiller log:

RogueKiller V9.0.2.0 (x64) [Jun 3 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Marty [Admin rights]
Mode : Scan -- Date : 06/13/2014 22:46:21

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 23 ¤¤¤
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Qoyvf : "C:\Users\Marty\AppData\Roaming\Foyxheon\haefp.exe" -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GetSusp -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MFE_RR -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GetSusp -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MFE_RR -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\GetSusp -> FOUND
[suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MFE_RR -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorUser : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorUser : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | EnableLUA : 0 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> FOUND
[PUM.Desktop] (X64) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper : 0 -> FOUND
[PUM.Desktop] (X86) HKEY_USERS\S-1-5-21-1617529379-2784233811-108745753-1001\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | NoChangingWallpaper : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[suspicious.Path] \\{9AD52BE1-60AA-41B8-8FC4-A4290EB10F3A} -- C:\Windows\system32\pcalua.exe (-a C:\Users\Marty\AppData\Roaming\v9\UninstallManager.exe -c -ptid=tugs) -> FOUND

¤¤¤ Files : 13 ¤¤¤
[ZeroAccess][Junction] en-US -- C:\Program Files\Windows Defender\en-US [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MpAsDesc.dll -- C:\Program Files\Windows Defender\MpAsDesc.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MpClient.dll -- C:\Program Files\Windows Defender\MpClient.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MpCmdRun.exe -- C:\Program Files\Windows Defender\MpCmdRun.exe [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MpCommu.dll -- C:\Program Files\Windows Defender\MpCommu.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MpEvMsg.dll -- C:\Program Files\Windows Defender\MpEvMsg.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MpOAV.dll -- C:\Program Files\Windows Defender\MpOAV.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MpRTP.dll -- C:\Program Files\Windows Defender\MpRTP.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MpSvc.dll -- C:\Program Files\Windows Defender\MpSvc.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MSASCui.exe -- C:\Program Files\Windows Defender\MSASCui.exe [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MsMpCom.dll -- C:\Program Files\Windows Defender\MsMpCom.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MsMpLics.dll -- C:\Program Files\Windows Defender\MsMpLics.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND
[ZeroAccess][Junction] MsMpRes.dll -- C:\Program Files\Windows Defender\MsMpRes.dll [JUNCTION@ a000000c] >> \systemroot\system32\config -> FOUND

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 54.221.22.25 dmcecclamecbinmplcolhaljlclhbgah

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD103SJ +++++
--- User ---
[MBR] 339053ccd380888a513d4babe099a448
[bSP] 2dfa851a71cb3d932cd438f3fdc85c0d : Unknown MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 81920 | Size: 14142 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 29044736 | Size: 939686 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_06132014_223919.log

Thanks again!

DaveFL

June 13, 2014

Thanks in advance for any help!

I've got a re-occuring pup.optional.searchsafer hit from malwarebytes on my daughter's computer. MBAM will remove 2 instances of pup.optional.searchsafer then the next scan will be clean, then it will find them again, then its clean, etc. Also her homepage gets reset to about:blank every other day or so.

The lastest (clean) mbam log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/13/2014
Scan Time: 11:46:48 AM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.13.06
Rootkit Database: v2014.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: Marty

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 271538
Time Elapsed: 9 min, 9 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.SearchSafer, C:\Program Files\pcreg\service.exe, 4412, Delete-on-Reboot, [62505d16d9a262d4abc6432419eb7f81]

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.SearchSafer, C:\Program Files\pcreg\service.exe, Quarantined, [62505d16d9a262d4abc6432419eb7f81],

Physical Sectors: 0
(No malicious items detected)

(end)

The FRST.TXT log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-06-2014 02
Ran by Marty (administrator) on MARTY-PC on 13-06-2014 12:11:55
Running from C:\Users\Marty\Desktop
Platform: Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
() C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McUICnt.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Qoyvf] => "C:\Users\Marty\AppData\Roaming\Foyxheon\haefp.exe"
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)
HKLM-x32\...\RunOnce: [Launcher] - C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [163040 2010-08-11] (Softthinks)
HKLM-x32\...\RunOnce: [DSUpdateLauncher] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe" [161088 2010-07-21] ()
HKLM-x32\...\RunOnce: [sTToasterLauncher] - C:\Program Files (x86)\Dell DataSafe Local Backup\toasterLauncher.exe [120032 2010-08-11] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\896\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\.DEFAULT\...\Policies\Explorer: [HideSCAHealth] 1
HKU\.DEFAULT\...\Policies\Explorer: [NoFolderOptions] 0
HKU\.DEFAULT\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-1617529379-2784233811-108745753-1001\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_13_0_0_214_ActiveX.exe [847536 2014-06-06] (Adobe Systems Incorporated)
HKU\S-1-5-21-1617529379-2784233811-108745753-1001\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1617529379-2784233811-108745753-1001\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-1617529379-2784233811-108745753-1001\...\Policies\Explorer: [NoControlPanel] 0
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.v9.com/web/?type=ds&ts=1399129011&from=tugs&uid=SAMSUNGXHD103SJ_S26BJ90ZB31071B31071&i=psd&t=341f22504&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://search.v9.com/web/?type=ds&ts=1399129011&from=tugs&uid=SAMSUNGXHD103SJ_S26BJ90ZB31071B31071&i=psd&t=341f22504&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKLM-x32 - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^UX^xdm156^YY^us&si=CD4572&ptb=C3E0E9CD-6D86-470E-A98B-EB9C7C741BF3&ind=2013042610&n=77fc97b2&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
Hosts: 54.221.22.25 dmcecclamecbinmplcolhaljlclhbgah
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @mcafee.com/MSC,version=10 - c:\PROGRA~1\mcafee\msc\npmcsnffpl64.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 - c:\PROGRA~2\mcafee\msc\npmcsnffpl.dll ()
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2011-03-31]
FF HKCU\...\Firefox\Extensions: [{54529188-D165-76FA-72F3-FD3CCD7D5709}] - C:\Program Files (x86)\Re-Markable-soft\161.xpi
FF HKCU\...\Firefox\Extensions: [ConsumerInput@Compete] - C:\Program Files (x86)\Consumer Input\Firefox\ciff-3.2.0-12171.xpi

==================== Services (Whitelisted) =================

R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
S3 McAWFwk; C:\Program Files\mcafee\msc\McAWFwk.exe [220528 2010-08-30] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
S4 McOobeSv; C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-03-18] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-04-03] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [189912 2014-04-03] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 WSWNA1100; C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe [266240 2010-08-04] () [File not signed]

==================== Drivers (Whitelisted) ====================

R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70592 2014-04-03] (McAfee, Inc.)
S3 GetSusp; C:\Windows\GetSusp.sys [16680 2013-12-11] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [177544 2014-04-03] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311856 2014-04-03] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [522360 2014-04-03] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [784760 2014-04-03] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [441264 2014-03-18] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-03-18] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [346760 2014-04-03] (McAfee, Inc.)
U4 Messenger;
S3 MFE_RR; \??\C:\Users\Marty\AppData\Local\Temp\mfe_rr.sys [X]
S3 pfc; system32\drivers\pfc.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-13 12:11 - 2014-06-13 12:12 - 00013557 _____ () C:\Users\Marty\Desktop\FRST.txt
2014-06-13 12:11 - 2014-06-13 12:11 - 00000000 ____D () C:\FRST
2014-06-13 12:03 - 2014-06-13 12:03 - 02081792 _____ (Farbar) C:\Users\Marty\Desktop\FRST64.exe
2014-06-13 12:03 - 2014-06-13 12:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-06-12 21:02 - 2014-06-13 11:59 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-12 21:01 - 2014-06-12 21:01 - 00001080 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-06-12 21:01 - 2014-06-12 21:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-12 21:01 - 2014-06-12 21:01 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-12 21:01 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-06-12 21:01 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-06-12 20:28 - 2014-06-13 11:58 - 00000616 _____ () C:\Windows\setupact.log
2014-06-12 20:28 - 2014-06-12 20:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-06 12:28 - 2014-06-06 12:28 - 00000000 ____D () C:\Windows\system32\SPReview
2014-05-30 07:49 - 2014-06-04 12:01 - 00000000 ____D () C:\Users\Marty\AppData\Roaming\Nugyyn

==================== One Month Modified Files and Folders =======

2014-06-13 12:12 - 2014-06-13 12:11 - 00013557 _____ () C:\Users\Marty\Desktop\FRST.txt
2014-06-13 12:12 - 2014-05-01 13:59 - 00000360 _____ () C:\Windows\Tasks\CIMT_S-1-5-21-1617529379-2784233811-108745753-1001.job
2014-06-13 12:12 - 2011-04-06 15:27 - 00000000 ____D () C:\Users\Marty\AppData\Local\Temp
2014-06-13 12:11 - 2014-06-13 12:11 - 00000000 ____D () C:\FRST
2014-06-13 12:10 - 2009-07-14 00:10 - 02046741 _____ () C:\Windows\WindowsUpdate.log
2014-06-13 12:08 - 2009-07-13 23:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-13 12:08 - 2009-07-13 23:45 - 00014240 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-13 12:03 - 2014-06-13 12:03 - 02081792 _____ (Farbar) C:\Users\Marty\Desktop\FRST64.exe
2014-06-13 12:03 - 2014-06-13 12:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-06-13 11:59 - 2014-06-12 21:02 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-13 11:59 - 2011-03-31 15:42 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-06-13 11:58 - 2014-06-12 20:28 - 00000616 _____ () C:\Windows\setupact.log
2014-06-13 11:58 - 2013-08-15 16:31 - 00557426 _____ () C:\Windows\PFRO.log
2014-06-13 11:58 - 2011-04-06 15:30 - 00000073 _____ () C:\Windows\SysWOW64\ToasterLauncherLog.log
2014-06-13 11:58 - 2011-04-06 15:30 - 00000000 ____D () C:\Users\Marty\AppData\Local\SoftThinks
2014-06-13 11:58 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-13 11:58 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\tracing
2014-06-13 11:56 - 2014-05-01 13:56 - 00000000 ____D () C:\Program Files\pcreg
2014-06-13 11:54 - 2013-06-17 11:18 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-06-12 21:15 - 2009-07-13 23:45 - 00000000 ____D () C:\Windows\Setup
2014-06-12 21:02 - 2013-08-15 16:16 - 00000000 ____D () C:\Users\Marty\AppData\Roaming\Malwarebytes
2014-06-12 21:02 - 2013-08-15 16:15 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-06-12 21:01 - 2014-06-12 21:01 - 00001080 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-06-12 21:01 - 2014-06-12 21:01 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-06-12 21:01 - 2014-06-12 21:01 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-06-12 20:42 - 2013-08-08 03:29 - 00000000 ____D () C:\Windows\system32\MRT
2014-06-12 20:42 - 2011-10-24 14:42 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-06-12 20:42 - 2011-04-22 08:47 - 95414520 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-06-12 20:28 - 2014-06-12 20:28 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-12 20:16 - 2011-04-09 08:27 - 00000000 ____D () C:\Users\Marty\AppData\Local\Google
2014-06-12 20:16 - 2011-04-09 08:27 - 00000000 ____D () C:\Program Files (x86)\Google
2014-06-12 20:14 - 2011-03-31 15:50 - 00000000 ____D () C:\Program Files (x86)\McAfee
2014-06-12 20:13 - 2014-05-01 13:49 - 00000000 ____D () C:\Program Files (x86)\Information
2014-06-12 17:48 - 2009-07-14 00:13 - 00727398 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-12 17:43 - 2011-03-31 15:54 - 00000000 ____D () C:\ProgramData\Sonic
2014-06-06 12:28 - 2014-06-06 12:28 - 00000000 ____D () C:\Windows\system32\SPReview
2014-06-06 06:35 - 2013-06-17 11:18 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-06-06 06:35 - 2013-06-17 11:18 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-06-06 06:35 - 2013-06-17 11:18 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-06-04 17:05 - 2013-08-14 07:51 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-06-04 12:01 - 2014-05-30 07:49 - 00000000 ____D () C:\Users\Marty\AppData\Roaming\Nugyyn
2014-05-28 15:35 - 2011-03-31 15:50 - 00000000 ____D () C:\Program Files\Common Files\mcafee

Files to move or delete:
====================
C:\Users\Marty\jagex_cl_runescape_LIVE.dat
C:\Users\Marty\random.dat

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

LastRegBack: 2014-06-12 22:57

==================== End Of Log ============================

Additional.TXT log:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-06-2014 02
Ran by Marty at 2014-06-13 12:12:28
Running from C:\Users\Marty\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall (Enabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

==================== Installed Programs ======================

Adobe Flash Player 13 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 13.0.0.214 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
CCleaner (HKLM\...\CCleaner) (Version: 3.15 - Piriform)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
HP Officejet 6500 E710n-z Basic Device Software (HKLM\...\{ADDF4B84-5D28-4EAE-8511-EF808C8BC81C}) (Version: 22.50.231.0 - Hewlett-Packard Co.)
HP Officejet 6500 E710n-z Product Improvement Study (HKLM\...\{D5510D28-D0E4-433E-A0F3-EE3FCECA60D2}) (Version: 22.50.231.0 - Hewlett-Packard Co.)
Java Auto Updater (HKLM-x32\...\{4A03706F-666A-4037-7777-5F2748764D10}) (Version: - )
Java 6 Update 23 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416023FF}) (Version: 6.0.230 - Oracle)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
McAfee SecurityCenter (HKLM-x32\...\MSC) (Version: 12.8.958 - McAfee, Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (Version: 14.0.4763.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft PowerPoint Viewer (HKLM-x32\...\{95140000-00AF-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.56.34 - NVIDIA Corporation)
RBVirtualFolder64Inst (Version: 1.00.0000 - Roxio, Inc.) Hidden
Roxio File Backup (Version: 1.3.2 - Roxio) Hidden
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3555.0308 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden

==================== Restore Points =========================

06-06-2014 11:37:32 Windows 7 Service Pack 1
06-06-2014 17:27:02 Windows Update
13-06-2014 01:40:27 Windows Update

==================== Hosts content: ==========================

2009-07-13 21:34 - 2014-05-05 17:21 - 00000871 ____A C:\Windows\system32\Drivers\etc\hosts
54.221.22.25 dmcecclamecbinmplcolhaljlclhbgah

==================== Scheduled Tasks (whitelisted) =============

Task: {19F65F47-E9EA-4C57-9E2B-47996338281F} - System32\Tasks\CIMT_S-1-5-21-1617529379-2784233811-108745753-1001 => C:\Program Files (x86)\Consumer Input\Monitoring\dca-monitoring.exe
Task: {2A6240B5-229F-4878-B21F-888BF9F38E12} - System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-7 => C:\Program Files (x86)\HQvidPv1.12\HQvidPv1.12-nova.exe <==== ATTENTION
Task: {393CEA64-4CC8-4D42-BC93-7BB76D4C70FD} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-06-06] (Adobe Systems Incorporated)
Task: {7D678F84-71D1-47FB-888B-0DA4F007B8EF} - System32\Tasks\Games\UpdateCheck_S-1-5-21-1617529379-2784233811-108745753-1001
Task: {83874A12-6FE2-4134-AA3B-4D1C1454D32C} - System32\Tasks\HPCustParticipation HP Officejet 6500 E710n-z => C:\Program Files\HP\HP Officejet 6500 E710n-z\Bin\HPCustPartic.exe [2010-11-16] (Hewlett-Packard Co.)
Task: {9FCCD69D-7C99-454E-8D80-7284B6B77B3C} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe <==== ATTENTION
Task: {A21EB3E3-4E0C-489E-A560-6318A05D3519} - System32\Tasks\a74f6af7-b4c0-41c3-b53e-2486781d7f40-1 => C:\Program Files (x86)\HQvidPv1.12\HQvidPv1.12-codedownloader.exe <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\CIMT_S-1-5-21-1617529379-2784233811-108745753-1001.job => C:\Program Files (x86)\Consumer Input\Monitoring\dca-monitoring.exe

==================== Loaded Modules (whitelisted) =============

2011-03-31 15:42 - 2010-08-11 18:19 - 00781536 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
2012-03-14 15:53 - 2010-08-04 14:44 - 00266240 _____ () C:\Program Files (x86)\NETGEAR\WNA1100\WifiSvc.exe
2011-03-31 15:42 - 2010-08-11 18:19 - 00126176 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STLog.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 01121504 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\LibXml2.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00077024 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\zlib1.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00232672 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STFiles.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00072928 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STRegistry.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00109792 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STPE.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00119008 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STNLS.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00056544 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STCoreXml.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00113888 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\PSTVdsDisk.dll
2012-03-14 15:53 - 2010-03-10 14:50 - 00360448 _____ () C:\Program Files (x86)\NETGEAR\WNA1100\WifiLib.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00023776 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\SftBRCCPiped.dll
2011-03-31 15:42 - 2010-08-11 18:19 - 00023776 _____ () C:\Program Files (x86)\Dell DataSafe Local Backup\STBRCCServCLR.dll
2013-01-16 17:21 - 2013-01-16 17:21 - 00170496 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\d89f0252d910d617de1de783a812f840\IsdiInterop.ni.dll
2011-03-31 15:34 - 2010-03-03 20:08 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""="Service"

==================== EXE Association (whitelisted) =============

==================== MSCONFIG/TASK MANAGER disabled items =========

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NETGEAR WNA1100 Smart Wizard.lnk => C:\Windows\pss\NETGEAR WNA1100 Smart Wizard.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: DellStage => "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
MSCONFIG\startupreg: Desktop Disc Tool => "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
MSCONFIG\startupreg: HP Software Update => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: IAStorIcon => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
MSCONFIG\startupreg: mcui_exe => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
MSCONFIG\startupreg: OM2_Monitor => "C:\Program Files (x86)\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
MSCONFIG\startupreg: RoxWatchTray => "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
MSCONFIG\startupreg: RtHDVCpl => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

==================== Faulty Device Manager Devices =============

Name: Microsoft 6to4 Adapter
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Microsoft ISATAP Adapter #2
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Microsoft ISATAP Adapter
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (05/30/2014 10:59:33 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: McSvHost.exe, version: 3.8.703.0, time stamp: 0x51f7deae
Faulting module name: homenetsvc.dll, version: 6.8.716.0, time stamp: 0x5321f22a
Exception code: 0xc0000005
Fault offset: 0x0000000000226881
Faulting process id: 0x76c
Faulting application start time: 0xMcSvHost.exe0
Faulting application path: McSvHost.exe1
Faulting module path: McSvHost.exe2
Report Id: McSvHost.exe3

Error: (05/07/2014 07:57:24 PM) (Source: VSS) (EventID: 12305) (User: )
Description: Volume Shadow Copy Service error: Volume/disk not connected or not found.
Error context: CreateFileW(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8,0xc0000000,0x00000003,...).

Operation:
Processing PostFinalCommitSnapshots

Context:
Execution Context: System Provider

Error: (05/05/2014 09:33:30 PM) (Source: AVLogEvent) (EventID: 5003) (User: NT AUTHORITY)
Description: McShield encountered error while stopping.
Error Code:a7f40610

Error: (05/02/2014 00:18:07 PM) (Source: Office Software Protection Platform Service) (EventID: 1062) (User: )
Description: Deposition of Confirmation ID failed. 0xC004F02F
Sku Id=09e2d37e-474b-4121-8626-58ad9be5776f

Error: (05/01/2014 08:13:20 PM) (Source: Office Software Protection Platform Service) (EventID: 1012) (User: )
Description: Acquisition of Product Certificate failed. hr=0xC004C003
Sku Id=09e2d37e-474b-4121-8626-58ad9be5776f

Error: (05/01/2014 08:13:20 PM) (Source: Office Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0xC004C003

Error: (05/01/2014 01:57:33 PM) (Source: MsiInstaller) (EventID: 11316) (User: Marty-PC)
Description: Product: Consumer Input Update Helper -- Error 1316. A network error occurred while attempting to read from the file: C:\Program Files (x86)\Consumer Input\Update\1.3.25.149\GoogleUpdateHelper.msi

Error: (04/14/2014 08:49:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt> with error: The specified server cannot perform the requested operation.
.

Error: (04/14/2014 08:49:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt> with error: This operation returned because the timeout period expired.
.

System errors:
=============
Error: (06/13/2014 11:59:42 AM) (Source: VDS Basic Provider) (EventID: 1) (User: )
Description: Unexpected failure. Error code: D@01010004

Error: (06/13/2014 11:59:42 AM) (Source: VDS Basic Provider) (EventID: 1) (User: )
Description: Unexpected failure. Error code: D@01010004

Error: (06/13/2014 11:59:40 AM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: WMPNetworkSvc0x80004005

Error: (06/13/2014 11:55:52 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the pcregservice service.

Error: (06/13/2014 11:28:57 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {209500FC-6B45-4693-8871-6296C4843751}

Error: (06/13/2014 11:28:35 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Platform Services service failed to start due to the following error:
%%1053

Error: (06/13/2014 11:28:35 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the McAfee Platform Services service to connect.

Error: (06/13/2014 11:28:34 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Platform Services service failed to start due to the following error:
%%1053

Error: (06/13/2014 11:28:34 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the McAfee Platform Services service to connect.

Error: (06/13/2014 11:28:34 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1053mcpltsvc{20966775-18A4-4299-B8E3-772C336B52A7}

Microsoft Office Sessions:
=========================
Error: (05/30/2014 10:59:33 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: McSvHost.exe3.8.703.051f7deaehomenetsvc.dll6.8.716.05321f22ac0000005000000000022688176c01cf7c1fb7e4eea6C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exec:\PROGRA~1\COMMON~1\mcafee\mhn\homenetsvc.dll63d28dd9-e813-11e3-b233-b8ac6fe2aca8

Error: (05/07/2014 07:57:24 PM) (Source: VSS) (EventID: 12305) (User: )
Description: CreateFileW(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8,0xc0000000,0x00000003,...)

Operation:
Processing PostFinalCommitSnapshots

Context:
Execution Context: System Provider

Error: (05/05/2014 09:33:30 PM) (Source: AVLogEvent) (EventID: 5003) (User: NT AUTHORITY)
Description: a7f40610

Error: (05/02/2014 00:18:07 PM) (Source: Office Software Protection Platform Service) (EventID: 1062) (User: )
Description: 0xC004F02F09e2d37e-474b-4121-8626-58ad9be5776f

Error: (05/01/2014 08:13:20 PM) (Source: Office Software Protection Platform Service) (EventID: 1012) (User: )
Description: hr=0xC004C00309e2d37e-474b-4121-8626-58ad9be5776f

Error: (05/01/2014 08:13:20 PM) (Source: Office Software Protection Platform Service) (EventID: 8200) (User: )
Description: hr=0xC004C00300010001(0x00000000, 20:13:20:541 - http://go.microsoft.com/fwlink/?LinkID=120751)
00020001(0x00000000, 20:13:20:541)
00030001(0x00000000, 20:13:20:541 - http://go.microsoft.com)
00030002(0x00000000, 20:13:20:541 - 1)
00020005(0x00000000, 20:13:20:541 - 1)
0002000C(0x00000000, 20:13:20:728 - 302)
0002000E(0x00000000, 20:13:20:728 - https://activation.sls.microsoft.com/slpkc/SLCertifyProduct.asmx?configextension=o14)
00020001(0x00000000, 20:13:20:728)
00030001(0x00000000, 20:13:20:728 - https://activation.sls.microsoft.com)
00030002(0x00000000, 20:13:20:728 - 1)
00020005(0x00000000, 20:13:20:728 - 1)
0002000C(0x00000000, 20:13:20:837 - 500)
00010002(0x8004FC01, 20:13:20:837 - <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>SoapException</faultstring><detail><HRESULT>0xC004C003</HRESULT><Messages><Message>103 (Activation) - [PA Product key blocked. ---> Product key blocked]</Message></Messages></detail></soap:Fault></soap:Body></soap:Envelope>)
00010003(0x8004FC01, 20:13:20:853)

Error: (05/01/2014 01:57:33 PM) (Source: MsiInstaller) (EventID: 11316) (User: Marty-PC)
Description: Product: Consumer Input Update Helper -- Error 1316. A network error occurred while attempting to read from the file: C:\Program Files (x86)\Consumer Input\Update\1.3.25.149\GoogleUpdateHelper.msi(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (04/14/2014 08:49:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crtThe specified server cannot perform the requested operation.

Error: (04/14/2014 08:49:32 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 4101) (User: )
Description: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crtThis operation returned because the timeout period expired.

==================== Memory info ===========================

Percentage of memory in use: 46%
Total physical RAM: 4094.98 MB
Available physical RAM: 2187.4 MB
Total Pagefile: 8188.07 MB
Available Pagefile: 6142.34 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:917.66 GB) (Free:856.32 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 932 GB) (Disk ID: CB59CF0B)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=14 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=918 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Thanks again for any help! If we can fix this it'll make my daughter Very Happy (and, by extension, me)!!

DaveFL

October 17, 2012

Again, my apologies Maniac. I still haven't gotten back into town yet. My Boss may keep me out of town another day or 2. I appreciate all the help you've given me and would still like to finish this up if you'll stay with me...

I'll run the requested scans when I get home and Post back...

Thanks Maniac for bearing with me (If you can)!

Again, my apologies for the confusion!

Thanks,

DaveFL

October 13, 2012

Maniac, my apologies to you. I got called out of town on work. when I return in a day (or two) I will run those scans and post back.

Thank you so much for your help so far! I really appreciate it!

DaveFL

October 11, 2012

Thanks again Maniac!

The ESET scanner ran fine. It didn't report finding anything in the after scan report. The log isn't very revealing. It had just 2 lines related to registration.

Interesting that you haven't found anything. Is it possible that Mbam cleared the infection both times, but that it was reinfected from the same external source (infected email, Website, thumb drive, etc.)? I wasn't there either time it was infected, and she's not very tech-smart! Maybe we are Clear of it on this computer? ;-)

Thanks again, Maniac!

ESET Log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

October 10, 2012

Thanks again Maniac!

Combofix also ran as it was supposed to...

The Log:

ComboFix 12-10-10.02 - End User 10/10/2012 10:02:36.1.4 - x64

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.1728 [GMT -5:00]

Running from: c:\users\End User\Desktop\ComboFix.exe

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\security\Database\tmp.edb

.

((((((((((((((((((((((((( Files Created from 2012-09-10 to 2012-10-10 )))))))))))))))))))))))))))))))

.

2012-10-10 15:12 . 2012-10-10 15:12 -------- d-----w- c:\users\Molly\AppData\Local\temp

2012-10-10 15:12 . 2012-10-10 15:12 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-10-09 20:01 . 2012-10-09 20:01 -------- d-----w- C:\FRST

2012-10-09 14:58 . 2012-10-09 14:58 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-10-09 14:58 . 2012-09-07 22:04 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-26 17:57 . 2012-08-21 21:01 245760 ----a-w- c:\windows\system32\OxpsConverter.exe

2012-09-21 14:34 . 2012-09-21 14:34 -------- d-----w- C:\06c33aa9e93f77da9b45cec4e03782

2012-09-12 12:54 . 2012-08-22 18:12 1913200 ----a-w- c:\windows\system32\drivers\tcpip.sys

2012-09-12 12:54 . 2012-08-22 18:12 376688 ----a-w- c:\windows\system32\drivers\netio.sys

2012-09-12 12:54 . 2012-08-22 18:12 288624 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS

2012-09-12 12:54 . 2012-08-22 18:12 950128 ----a-w- c:\windows\system32\drivers\ndis.sys

2012-09-12 12:54 . 2012-07-04 20:26 41472 ----a-w- c:\windows\system32\drivers\RNDISMP.sys

2012-09-12 12:54 . 2012-08-02 17:58 574464 ----a-w- c:\windows\system32\d3d10level9.dll

2012-09-12 12:54 . 2012-08-02 16:57 490496 ----a-w- c:\windows\SysWow64\d3d10level9.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-10-10 14:54 . 2010-12-28 16:46 65309168 ----a-w- c:\windows\system32\MRT.exe

2012-08-25 05:47 . 2010-06-24 18:33 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll

2012-07-18 18:15 . 2012-08-25 19:28 3148800 ----a-w- c:\windows\system32\win32k.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn\YTNavAssist.dll" [2011-03-16 214840]

"{2d7432c9-a3fd-4ed1-aea9-fbdb12dba4a7}"= "c:\program files (x86)\Radio_1.1\prxtbRadi.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]

[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]

[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]

[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]

.

[HKEY_CLASSES_ROOT\clsid\{2d7432c9-a3fd-4ed1-aea9-fbdb12dba4a7}]

.

[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{2d7432c9-a3fd-4ed1-aea9-fbdb12dba4a7}]

2011-05-09 09:49 176936 ----a-w- c:\program files (x86)\Radio_1.1\prxtbRadi.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{2d7432c9-a3fd-4ed1-aea9-fbdb12dba4a7}"= "c:\program files (x86)\Radio_1.1\prxtbRadi.dll" [2011-05-09 176936]

.

[HKEY_CLASSES_ROOT\clsid\{2d7432c9-a3fd-4ed1-aea9-fbdb12dba4a7}]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"ToshibaAppPlace"="c:\program files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [2010-09-23 552960]

"ToshibaServiceStation"="c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-10-06 1294136]

"TWebCamera"="c:\program files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2010-02-24 2454840]

"NortonOnlineBackupReminder"="c:\program files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" [2010-08-17 3218792]

"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2008-05-27 413696]

"Garmin Lifetime Updater"="c:\program files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-12-15 1446248]

.

c:\users\End User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - c:\program files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2011-2-23 323584]

SentriLockCardUtility.lnk - c:\windows\Installer\{9348BA70-11FB-4A78-A929-0980EF2C4DE8}\Icon9348BA70.exe [2011-5-27 91648]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 136176]

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 136176]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-02-09 239136]

R3 S3XXx64;SCR3xx USB SmartCardReader64;c:\windows\system32\DRIVERS\S3XXx64.sys [2010-11-12 69376]

R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]

R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]

R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-28 1255736]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]

S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS [2011-01-27 450680]

S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS [2011-03-15 912504]

S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120928.001\BHDrvx64.sys [2012-08-31 1385120]

S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20121009.001\IDSvia64.sys [2012-09-01 513184]

S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [2011-01-27 171128]

S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [2011-04-21 386168]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]

S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe [2011-01-03 20360]

S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]

S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [2011-04-17 130008]

S2 Norton PC Checkup Application Launcher;Toshiba Laptop Checkup Application Launcher;c:\program files (x86)\Norton PC Checkup\Engine\2.0.5.60\SymcPCCULaunchSvc.exe [2012-08-28 123320]

S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files (x86)\Norton PC Checkup\Engine\2.0.5.60\ccSvcHst.exe [2009-08-24 126392]

S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]

S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2010-02-26 252928]

S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 14472]

S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-08-25 138912]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]

S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-22 287232]

S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2010-02-23 75304]

S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 35008]

S3 QIOMem;Generic IO & Memory Access;c:\windows\system32\DRIVERS\QIOMem.sys [2009-06-15 12800]

S3 rtl8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys [2010-02-12 877088]

S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]

S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]

S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]

S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]

S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]

S3 TMachInfo;TMachInfo;c:\program files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-10-06 51512]

S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2010-02-06 137560]

S3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2010-02-24 835952]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]

.

Contents of the 'Scheduled Tasks' folder

.

2012-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 04:04]

.

2012-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-15 04:04]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-10 161304]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-10 386584]

"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-10 415256]

"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2010-03-10 520760]

"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2010-04-28 307768]

"TosVolRegulator"="c:\program files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe" [2009-11-11 24376]

"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2010-02-06 709976]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.yahoo.com/?ilc=34

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

DPF: {2EA5DD45-9254-4B0D-9F48-E92FEC3A9754} - hxxps://simulcast.manheim.com/simulcast_docs/av/SimulcastAVPlugin-win-ie.cab

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

WebBrowser-{2D7432C9-A3FD-4ED1-AEA9-FBDB12DBA4A7} - (no file)

HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe

HKLM-Run-TPwrMain - c:\program files (x86)\TOSHIBA\Power Saver\TPwrMain.EXE

HKLM-Run-HSON - c:\program files (x86)\TOSHIBA\TBS\HSON.exe

HKLM-Run-SmoothView - c:\program files (x86)\Toshiba\SmoothView\SmoothView.exe

HKLM-Run-00TCrdMain - c:\program files (x86)\TOSHIBA\FlashCards\TCrdMain.exe

HKLM-Run-TosWaitSrv - c:\program files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe

HKLM-Run-Teco - c:\program files (x86)\TOSHIBA\TECO\Teco.exe

HKLM-Run-SmartFaceVWatcher - c:\program files (x86)\Toshiba\SmartFaceV\SmartFaceVWatcher.exe

HKLM-Run-TosNC - c:\program files (x86)\Toshiba\BulletinBoard\TosNcCore.exe

HKLM-Run-TosReelTimeMonitor - c:\program files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe

AddRemove-WT089366 - c:\program files (x86)\TOSHIBA Games\Cake Mania - Lights

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]

"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll\" /prefetch:1"

--

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCCUJobMgr]

"ImagePath"="\"c:\program files (x86)\Norton PC Checkup\Engine\2.0.5.60\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files (x86)\Norton PC Checkup\Engine\2.0.5.60\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2012-10-10 10:27:15

ComboFix-quarantined-files.txt 2012-10-10 15:27

.

Pre-Run: 238,495,875,072 bytes free

Post-Run: 239,114,252,288 bytes free

.

- - End Of File - - F4A3A0800289CDE33D8ABAC7B59597D3

October 9, 2012

Thanks Maniac!

I need all the help I can get ;-)

Farbar ran as advertised!

here is the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-10-2012

Ran by SYSTEM at 09-10-2012 12:01:54

Running from F:\

Windows 7 Home Premium (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [] [x]

HKLM\...\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [520760 2010-03-10] (Conexant Systems, Inc.)

HKLM\...\Run: [smartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [307768 2010-04-28] ()

HKLM\...\Run: [synTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)

HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)

HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)

HKLM\...\Run: [smoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)

HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)

HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)

HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1483776 2010-02-25] (TOSHIBA Corporation)

HKLM\...\Run: [smartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)

HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)

HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)

HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-09] (TOSHIBA Corporation)

HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-02-23] (TOSHIBA Corporation)

HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)

HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)

HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)

HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED [3218792 2010-08-17] (Toshiba)

HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [413696 2008-05-27] (Apple Inc.)

HKLM-x32\...\Run: [Garmin Lifetime Updater] C:\Program Files (x86)\Garmin\Lifetime Updater\GarminLifetime.exe /StartMinimized [1446248 2011-12-15] (Garmin)

HKU\Molly\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]

Winlogon\Notify\ScCertProp: wlnotify.dll [X]

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

Startup: C:\Users\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

ShortcutTarget: Kodak EasyShare software.lnk -> C:\Program Files (x86)\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\SentriLockCardUtility.lnk

ShortcutTarget: SentriLockCardUtility.lnk -> C:\windows\Installer\{9348BA70-11FB-4A78-A929-0980EF2C4DE8}\Icon9348BA70.exe ()

Startup: C:\Users\End User\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ===================

2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

2 atashost; "C:\windows\SysWOW64\atashost.exe" [20360 2011-01-03] (WebEx Communications, Inc.)

2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\diMaster.dll" /prefetch:1 [262584 2011-03-31] (Symantec Corporation)

2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.5.60\SymcPCCULaunchSvc.exe /s [123320 2012-08-28] (Symantec Corporation)

2 PCCUJobMgr; "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.5.60\ccSvcHst.exe" /s "PCCUJobMgr" /m "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.5.60\diMaster.dll" /prefetch:1 [132984 2009-08-29] (Symantec Corporation)

==================== Drivers (Whitelisted) =====================

1 BHDrvx64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20120928.001\BHDrvx64.sys [1385120 2012-08-31] (Symantec Corporation)

1 eeCtrl; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-08-24] (Symantec Corporation)

3 EraserUtilRebootDrv; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2012-08-24] (Symantec Corporation)

1 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20121006.001\IDSvia64.sys [513184 2012-08-31] (Symantec Corporation)

3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20121009.003\ENG64.SYS [126112 2012-09-13] (Symantec Corporation)

3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20121009.003\EX64.SYS [2084000 2012-09-13] (Symantec Corporation)

3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)

1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)

0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-26] (Symantec Corporation)

0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)

3 SymEvent; \??\C:\windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2011-05-10] (Symantec Corporation)

1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)

1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-10-09 12:01 - 2012-10-09 12:01 - 00000000 ____D C:\FRST

2012-10-09 08:02 - 2012-10-09 08:02 - 00022671 ____A C:\Users\End User\Desktop\DDS.txt

2012-10-09 08:02 - 2012-10-09 08:02 - 00014090 ____A C:\Users\End User\Desktop\Attach.txt

2012-10-09 07:51 - 2012-10-09 07:51 - 00607260 ____R (Swearware) C:\Users\End User\Desktop\dds.scr

2012-10-09 06:58 - 2012-10-09 06:58 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-10-09 06:58 - 2012-10-09 06:58 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-10-09 06:58 - 2012-09-07 14:04 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-10-09 06:57 - 2012-10-09 06:57 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\End User\Downloads\mbam-setup-1.65.0.1400.exe

2012-10-03 13:36 - 2012-10-03 13:36 - 02939029 ____A C:\Users\End User\Downloads\6272.xml

2012-10-03 12:15 - 2012-10-03 12:15 - 03193867 ____A C:\Users\End User\Downloads\6271.xml

2012-10-02 11:21 - 2012-10-02 11:21 - 03166341 ____A C:\Users\End User\Downloads\attachments_2012_10_02 (2).zip

2012-10-02 11:09 - 2012-10-02 11:09 - 03166341 ____A C:\Users\End User\Downloads\attachments_2012_10_02 (1).zip

2012-10-02 09:56 - 2012-10-02 09:56 - 03166341 ____A C:\Users\End User\Downloads\attachments_2012_10_02.zip

2012-10-01 14:35 - 2012-10-01 14:35 - 03122324 ____A C:\Users\End User\Downloads\6262 (1).xml

2012-10-01 13:48 - 2012-10-01 13:48 - 02965587 ____A C:\Users\End User\Downloads\6266 (3).xml

2012-10-01 12:03 - 2012-10-01 12:03 - 02965813 ____A C:\Users\End User\Downloads\6266 (2).xml

2012-10-01 08:44 - 2012-10-01 08:44 - 02965587 ____A C:\Users\End User\Downloads\6266 (1).xml

2012-09-28 12:24 - 2012-09-28 12:24 - 02684905 ____A C:\Users\End User\Downloads\6265 (1).xml

2012-09-28 12:22 - 2012-09-28 12:22 - 01977870 ____A C:\Users\End User\Downloads\6260 (1).xml

2012-09-28 11:30 - 2012-09-28 11:30 - 02006269 ____A C:\Users\End User\Downloads\6259 (1).xml

2012-09-26 09:57 - 2012-08-21 13:01 - 00245760 ____A (Microsoft Corporation) C:\Windows\System32\OxpsConverter.exe

2012-09-25 12:57 - 2012-09-25 12:57 - 02684501 ____A C:\Users\End User\Downloads\6265.xml

2012-09-25 11:34 - 2012-09-25 11:34 - 02967446 ____A C:\Users\End User\Downloads\6266.xml

2012-09-25 05:01 - 2012-08-24 03:15 - 17810944 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll

2012-09-25 05:01 - 2012-08-24 02:39 - 10925568 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll

2012-09-25 05:01 - 2012-08-24 02:31 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll

2012-09-25 05:01 - 2012-08-24 02:22 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll

2012-09-25 05:01 - 2012-08-24 02:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll

2012-09-25 05:01 - 2012-08-24 02:20 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl

2012-09-25 05:01 - 2012-08-24 02:18 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll

2012-09-25 05:01 - 2012-08-24 02:17 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll

2012-09-25 05:01 - 2012-08-24 02:14 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll

2012-09-25 05:01 - 2012-08-24 02:14 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe

2012-09-25 05:01 - 2012-08-24 02:13 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll

2012-09-25 05:01 - 2012-08-24 02:12 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll

2012-09-25 05:01 - 2012-08-24 02:11 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll

2012-09-25 05:01 - 2012-08-24 02:10 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll

2012-09-25 05:01 - 2012-08-24 02:09 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb

2012-09-25 05:01 - 2012-08-24 02:04 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll

2012-09-25 05:01 - 2012-08-23 23:27 - 12319744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2012-09-25 05:01 - 2012-08-23 23:03 - 09738240 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2012-09-25 05:01 - 2012-08-23 22:59 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2012-09-25 05:01 - 2012-08-23 22:51 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2012-09-25 05:01 - 2012-08-23 22:51 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2012-09-25 05:01 - 2012-08-23 22:51 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2012-09-25 05:01 - 2012-08-23 22:49 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll

2012-09-25 05:01 - 2012-08-23 22:48 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll

2012-09-25 05:01 - 2012-08-23 22:47 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2012-09-25 05:01 - 2012-08-23 22:47 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2012-09-25 05:01 - 2012-08-23 22:47 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe

2012-09-25 05:01 - 2012-08-23 22:45 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2012-09-25 05:01 - 2012-08-23 22:44 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2012-09-25 05:01 - 2012-08-23 22:44 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll

2012-09-25 05:01 - 2012-08-23 22:43 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb

2012-09-25 05:01 - 2012-08-23 22:40 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll

2012-09-23 20:04 - 2012-09-23 20:05 - 03891360 ____A C:\Users\End User\Downloads\6256 (1).xml

2012-09-21 06:34 - 2012-09-21 06:34 - 00000000 ____D C:\06c33aa9e93f77da9b45cec4e03782

2012-09-19 20:22 - 2012-09-19 20:23 - 03122263 ____A C:\Users\End User\Downloads\6262.xml

2012-09-18 11:35 - 2012-09-18 11:35 - 03071242 ____A C:\Users\End User\Downloads\6263 (3).xml

2012-09-17 17:33 - 2012-09-17 17:33 - 03277856 ____A C:\Users\End User\Downloads\6263.xml

2012-09-17 17:33 - 2012-09-17 17:33 - 03277856 ____A C:\Users\End User\Downloads\6263 (2).xml

2012-09-17 17:33 - 2012-09-17 17:33 - 03277856 ____A C:\Users\End User\Downloads\6263 (1).xml

2012-09-17 13:16 - 2012-09-17 13:17 - 03382825 ____A C:\Users\End User\Downloads\6229 (1).xml

2012-09-15 13:18 - 2012-09-15 13:18 - 02928992 ____A C:\Users\End User\Downloads\6253 (2).xml

2012-09-15 13:18 - 2012-09-15 13:18 - 02928992 ____A C:\Users\End User\Downloads\6253 (1).xml

2012-09-12 07:14 - 2012-09-12 07:16 - 02117503 ____A C:\Users\End User\Downloads\6255 (3).xml

2012-09-12 04:54 - 2012-08-22 10:12 - 01913200 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys

2012-09-12 04:54 - 2012-08-22 10:12 - 00950128 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ndis.sys

2012-09-12 04:54 - 2012-08-22 10:12 - 00376688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\netio.sys

2012-09-12 04:54 - 2012-08-22 10:12 - 00288624 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\FWPKCLNT.SYS

2012-09-12 04:54 - 2012-08-02 09:58 - 00574464 ____A (Microsoft Corporation) C:\Windows\System32\d3d10level9.dll

2012-09-12 04:54 - 2012-08-02 08:57 - 00490496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d10level9.dll

2012-09-12 04:54 - 2012-07-04 12:26 - 00041472 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\RNDISMP.sys

2012-09-11 14:41 - 2012-09-11 14:41 - 01978012 ____A C:\Users\End User\Downloads\6260.xml

2012-09-11 11:36 - 2012-09-11 11:36 - 02006417 ____A C:\Users\End User\Downloads\6259.xml

2012-09-11 11:06 - 2012-09-11 11:06 - 02117503 ____A C:\Users\End User\Downloads\6255 (2).xml

==================== 3 Months Modified Files ==================

2012-10-09 08:56 - 2010-11-26 17:22 - 02091332 ____A C:\Windows\WindowsUpdate.log

2012-10-09 08:56 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-10-09 08:56 - 2009-07-13 20:45 - 00015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-10-09 08:54 - 2009-07-13 21:13 - 00727334 ____A C:\Windows\System32\PerfStringBackup.INI

2012-10-09 08:53 - 2009-07-13 20:51 - 00044303 ____A C:\Windows\setupact.log

2012-10-09 08:02 - 2012-10-09 08:02 - 00022671 ____A C:\Users\End User\Desktop\DDS.txt

2012-10-09 08:02 - 2012-10-09 08:02 - 00014090 ____A C:\Users\End User\Desktop\Attach.txt

2012-10-09 08:00 - 2010-10-14 20:04 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-10-09 07:51 - 2012-10-09 07:51 - 00607260 ____R (Swearware) C:\Users\End User\Desktop\dds.scr

2012-10-09 07:48 - 2010-10-14 20:04 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-10-09 07:48 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-10-09 07:47 - 2010-10-14 20:32 - 00452164 ____A C:\Windows\PFRO.log

2012-10-09 06:58 - 2012-10-09 06:58 - 00001120 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-10-09 06:57 - 2012-10-09 06:57 - 10524080 ____A (Malwarebytes Corporation ) C:\Users\End User\Downloads\mbam-setup-1.65.0.1400.exe

2012-10-03 13:36 - 2012-10-03 13:36 - 02939029 ____A C:\Users\End User\Downloads\6272.xml

2012-10-03 13:33 - 2011-01-04 12:42 - 00000080 ____A C:\Windows\SysWOW64\PDFWRITR.INI

2012-10-03 13:33 - 2011-01-04 12:42 - 00000080 ____A C:\Windows\SysWOW64\__PDF.INI

2012-10-03 13:33 - 2009-07-13 18:34 - 00000558 ____A C:\Windows\win.ini