Radagast

HI MrC, Currently at work, will run this tonight and provide feedback.

Ran Malwarebytes Anti-Rootkit twice. Keep getting this: Registry Data Items Detected: 1 HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume3\Users\conklije\AppData\Local\Temp\spvjity\sdctqqh\wow.dll) Good: (SHELL32.dll) -> Replace on reboot. Keeps telling me its cleaned successfully but then its back when I ran another scan. I did not reboot between scans (not prompted to). I am attaching the two files under more reply options. Additionally I keep getting the message: Malware Anti-Malware Successfully blocked access to a potentially malicious site 5.45.66.217 Googled this site and references to it say it points to a Trojan Did not complete the last step in your prior email yet. Should I run the fixdamage.exe under malwarebytes as suggested? mbar-log-2014-02-23 (11-18-12).txt system-log.txt

Ran in safe mode. Results below: RogueKiller V8.8.8 _x64_ [Feb 19 2014] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://forum.adlice.com Website : http://www.adlice.com/softwares/roguekiller/ Blog : http://www.adlice.com Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Safe mode User : conklije [Admin rights] Mode : Scan -- Date : 02/23/2014 08:43:55 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 12 ¤¤¤ [RUN][sUSP PATH] HKLM\[...]\Run : Ukybraehofyxx ("C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe" [x]) -> FOUND [PROXY IE][PUM] HKLM\[...]\Internet Settings : ProxyEnable (1) -> FOUND [HJ POL][PUM] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND [HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND [HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Scheduled tasks : 0 ¤¤¤ ¤¤¤ Startup Entries : 0 ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ Browser Addons : 0 ¤¤¤ ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤ ¤¤¤ External Hives: ¤¤¤ ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> %SystemRoot%\System32\drivers\etc\hosts ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS727550A9E364 +++++ --- User --- [MBR] d2427742a8527c899bd077f9418bfb76 [bSP] f4813db50b2d3a32426639928d93b5a4 : Windows 7/8 MBR Code Partition table: 0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 500 Mo 1 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 1026048 | Size: 499 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048000 | Size: 475939 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[0]_S_02232014_084355.txt >> ***As an aside---- before I engaged you I ran the Farber Recovery Scan tool and found: Error: (02/21/2014 10:21:57 PM) (Source: McLogEvent)(User: NT AUTHORITY) Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000. Additionally, each time I reboot Malwarebytes it keeps stating it blocked something to a website.

Good morning. Rogue Killer has been running since last night about midnight. It looks to be about 60% complete and seems to be stuck on Searching for Policy Hijacks -> (HJ INPROC) although it does not look like the tool itself is frozen.

DDS Contents: DS (Ver_2012-11-20.01) - NTFS_AMD64 Internet Explorer: 10.0.9200.16736 Run by conklije at 23:21:11 on 2014-02-22 Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.4046.1619 [GMT -5:00] . AV: McAfee VirusScan Enterprise *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892} SP: McAfee VirusScan Enterprise Antispyware Module *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F} SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} FW: McAfee Host Intrusion Prevention Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9} . ============== Running Processes =============== . C:\windows\system32\lsm.exe C:\windows\system32\svchost.exe -k DcomLaunch C:\windows\system32\svchost.exe -k RPCSS C:\windows\system32\atiesrxx.exe C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\windows\system32\svchost.exe -k LocalService C:\windows\system32\svchost.exe -k netsvcs C:\Program Files\IDT\WDM\STacSV64.exe C:\windows\system32\atieclxx.exe C:\windows\system32\Hpservice.exe C:\Windows\system32\WUDFHost.exe C:\windows\system32\vcsFPService.exe C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe C:\windows\system32\svchost.exe -k NetworkService C:\windows\System32\spoolsv.exe C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files\ActivIdentity\ActivClient\acevents.exe C:\windows\System32\svchost.exe -k NetworkService C:\Program Files\IDT\WDM\AESTSr64.exe C:\Program Files (x86)\PC Backup\AgentService.exe C:\Program Files\LSI SoftModem\agr64svc.exe C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe C:\Program Files\Microsoft Forefront Identity Manager\2010\Password Reset Client Service\PwdMgmtProxy.exe C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McSACore.exe C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe C:\Windows\system32\mfevtps.exe c:\Program Files\Microsoft SQL Server\MSSQL10_50.R2\MSSQL\Binn\sqlservr.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe C:\PROGRA~2\HEWLET~1\PCCOE3~1\OVCMS~1\radalert.exe C:\Program Files (x86)\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe C:\windows\system32\wbem\unsecapp.exe C:\windows\system32\wbem\unsecapp.exe C:\windows\system32\wbem\wmiprvse.exe C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe C:\windows\system32\svchost.exe -k bthsvcs C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe C:\windows\system32\SearchIndexer.exe C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe C:\windows\system32\taskhost.exe C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe C:\windows\system32\Dwm.exe C:\windows\Explorer.EXE C:\Program Files\ActivIdentity\ActivClient\acevents.exe C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe C:\Program Files\IDT\WDM\sttray64.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files (x86)\Microsoft Office\Office15\lync.exe C:\Windows\System32\StikyNot.exe C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe C:\Program Files\ActivIdentity\ActivClient\acsagent.exe C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE C:\Program Files (x86)\Hewlett-Packard\PC COE\COEMsgDisplay.exe C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe C:\Program Files (x86)\Hewlett-Packard\GetITIcon\GetITShell.exe C:\Program Files (x86)\Hewlett-Packard\PC COE\Ida.exe C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe C:\Program Files (x86)\PC Backup\Agent.exe C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe C:\Program Files (x86)\McAfee\Common Framework\McTray.exe C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Microsoft Office\Office15\UcMapi.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Windows\System32\MsSpellCheckingFacility.exe C:\Program Files\HP\HP Deskjet 3510 series\Bin\HPNetworkCommunicator.exe C:\windows\system32\wbem\wmiprvse.exe C:\windows\System32\cscript.exe . ============== Pseudo HJT Report =============== . mWinlogon: Userinit = userinit.exe, BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130619191319.dll BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll uRun: [Lync] "C:\Program Files (x86)\Microsoft Office\Office15\lync.exe" /fromrunkey uRun: [RESTART_STICKY_NOTES] C:\windows\System32\StikyNot.exe uRun: [HP Deskjet 3510 series (NET)] "C:\Program Files\HP\HP Deskjet 3510 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN29S180BM05R7:NW" -scfn "HP Deskjet 3510 series (NET)" -AutoStart 1 mRun: [COEMsgDisplay] c:\Program Files (x86)\Hewlett-Packard\PC COE\COEMsgDisplay.exe mRun: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey mRun: [shStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" mRun: [GetITIcon] C:\Program Files (x86)\Hewlett-Packard\GetITIcon\GetITShell.exe mRun: [iDA] C:\Program Files (x86)\Hewlett-Packard\PC COE\IDA.EXE mRun: [HPConnectionManager] C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe mRun: [QLBController] c:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe /start mRun: [eepc_SmartClient] C:\Program Files (x86)\SmartClient\Smart.exe mRun: [AgentUiRunKey] "C:\Program Files (x86)\PC Backup\Agent.exe" -ni -sss -e http://localhost:16386/ mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ACTIVC~1.LNK - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe StartupFolder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\launch_splashscreen.vbs uPolicies-Explorer: NoDriveTypeAutoRun = dword:145 mPolicies-Explorer: NoActiveDesktop = dword:1 mPolicies-Explorer: NoActiveDesktopChanges = dword:1 mPolicies-Explorer: HideSCAHealth = dword:1 mPolicies-Explorer: NoWebServices = dword:1 mPolicies-Explorer: NoPublishingWizard = dword:1 mPolicies-Explorer: NoDriveTypeAutoRun = dword:255 mPolicies-Explorer: NoAutorun = dword:1 mPolicies-System: ConsentPromptBehaviorAdmin = dword:4 mPolicies-System: ConsentPromptBehaviorUser = dword:3 mPolicies-System: EnableLUA = dword:0 mPolicies-System: EnableUIADesktopToggle = dword:0 mPolicies-System: dontdisplaylockeduserid = dword:1 mPolicies-System: legalnoticecaption = Terms of Use mPolicies-System: legalnoticetext = This computing system is a company owned asset and provided for the exclusive use of authorized personnel for business purposes. All information and data created, accessed, processed, or stored using this system (including personal information) are subject to monitoring, auditing, or review to the extent permitted by applicable law. Unauthorized use or abuse of this system may lead to corrective action including termination of employment, civil and/or criminal penalties. mPolicies-System: LogonType = dword:0 mPolicies-System: HideFastUserSwitching = dword:1 mPolicies-System: ReportControllerMissing = dword:0 mPolicies-System: DisableNT4Policy = dword:1 IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office15\EXCEL.EXE/3000 IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office15\ONBttnIE.dll/105 IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print 2.0\smartprintsetup.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll TCP: NameServer = 75.75.76.76 75.75.75.75 TCP: Interfaces\{9342DD57-64B2-4CA8-AB34-762DEFC75CD8} : DHCPNameServer = 10.1.10.1 TCP: Interfaces\{FE6D2225-47FF-41C7-8345-ACE8FC323D4F} : DHCPNameServer = 75.75.76.76 75.75.75.75 TCP: Interfaces\{FE6D2225-47FF-41C7-8345-ACE8FC323D4F}\E41647966796479725563647F62797 : DHCPNameServer = 10.1.10.1 Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor Enterprise\McIEPlg.dll SSODL: WebCheck - <orphaned> mASetup: {86E45973-5352-439F-A115-2E8EE4D40140} - "C:\Program Files (x86)\Common Files\Hewlett-Packard\ActSet\HpActSet.exe" x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130619191318.dll x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL x64-Run: [McAfee Host Intrusion Prevention Tray] "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe" x64-Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe" x64-Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe" x64-Run: [HPRAService] C:\Program Files\RA2HP\HPRAService.exe x64-Run: [PasswordRegistration] C:\windows\System32\MsPwdRegistration.exe x64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe x64-Run: [ukybraehofyxx] "C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe" x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - <orphaned> x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned> x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned> x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - <orphaned> x64-SSODL: WebCheck - <orphaned> . ================= FIREFOX =================== . FF - ProfilePath - C:\Users\conklije\AppData\Roaming\Mozilla\Firefox\Profiles\0fn2yd7j.default\ FF - plugin: C:\PROGRA~2\MICROS~1\Office15\NPSPWRAP.DLL FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrlui.dll FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMeetingJoinPluginOC.dll FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll FF - plugin: C:\Windows\SysWOW64\npmproxy.dll . ============= SERVICES / DRIVERS =============== . R0 mfehidk;McAfee Inc. mfehidk;C:\windows\System32\drivers\mfehidk.sys [2013-6-19 673624] R0 mfewfpk;McAfee Inc. mfewfpk;C:\windows\System32\drivers\mfewfpk.sys [2013-6-19 305536] R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2014-2-7 55024] R1 mfenlfk;McAfee NDIS Light Filter;C:\windows\System32\drivers\mfenlfk.sys [2013-6-19 76224] R2 ac.sharedstore;ActivIdentity Shared Store Service;C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-6-2 277032] R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2014-2-7 89600] R2 AgentService;AgentService;C:\Program Files (x86)\PC Backup\AgentService.exe [2013-8-2 6789408] R2 AMD External Events Utility;AMD External Events Utility;C:\windows\System32\atiesrxx.exe [2013-6-21 235520] R2 enterceptAgent;McAfee Host Intrusion Prevention Service;C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe [2012-7-3 646192] R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\windows\System32\drivers\AtihdW76.sys [2013-6-21 96896] R3 FireNfcp;McAfee Inc. FireNfcp;C:\windows\System32\drivers\FireNfcp.sys [2013-6-19 53472] R3 HipShieldK;McAfee Inc. HipShieldK;C:\windows\System32\drivers\HipShieldK.sys [2013-6-19 197576] R3 JMCR;JMCR;C:\windows\System32\drivers\jmcr.sys [2013-2-12 175928] R3 johci;JMicron 1394 Filter Driver;C:\windows\System32\drivers\johci.sys [2013-2-12 26208] R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2014-2-21 25928] R3 mfeavfk;McAfee Inc. mfeavfk;C:\windows\System32\drivers\mfeavfk.sys [2013-6-19 282736] R3 mfefirek;McAfee Inc. mfefirek;C:\windows\System32\drivers\mfefirek.sys [2013-6-19 496592] R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\System32\drivers\nusb3hub.sys [2011-2-15 80384] R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\System32\drivers\nusb3xhc.sys [2011-2-15 181248] R3 RadiaMsi;RadiaMsi;C:\windows\System32\drivers\radiamsi.sys [2009-9-10 43032] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576] S3 btwampfl;Bluetooth AMP USB Filter;C:\windows\System32\drivers\btwampfl.sys [2011-6-20 344616] S3 dmvsc;dmvsc;C:\windows\System32\drivers\dmvsc.sys [2010-11-21 71168] S3 LV_Tracker;LV_Tracker;C:\windows\System32\drivers\LV_Tracker64.sys [2013-8-2 54824] S3 mferkdet;McAfee Inc. mferkdet;C:\windows\System32\drivers\mferkdet.sys [2013-6-19 101200] S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2010-11-20 20992] S3 SmbDrv;SmbDrv;C:\windows\System32\drivers\Smb_driver_AMDASF.sys [2013-6-12 28400] S3 SmbDrvI;SmbDrvI;C:\windows\System32\drivers\Smb_driver_Intel.sys [2013-6-12 32496] S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960] S3 terminpt;Microsoft Remote Desktop Input Driver;C:\windows\System32\drivers\terminpt.sys [2010-11-21 34816] S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392] S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232] S3 tsusbhub;Remote Deskotop USB Hub;C:\windows\System32\drivers\tsusbhub.sys [2010-11-21 117248] S4 RsFx0103;RsFx0103 Driver;C:\windows\System32\drivers\RsFx0103.sys [2009-3-30 311656] S4 RsFx0153;RsFx0153 Driver;C:\windows\System32\drivers\RsFx0153.sys [2012-6-29 321992] . =============== File Associations =============== . FileExt: .inf: inffile=C:\windows\System32\NOTEPAD.EXE %1 [userChoice] . =============== Created Last 30 ================ . 2014-02-22 18:08:25 -------- d-----w- C:\FRST 2014-02-22 17:25:41 -------- d-----w- C:\AdwCleaner 2014-02-22 14:45:40 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable) 2014-02-22 14:45:00 91352 ----a-w- C:\windows\System32\drivers\mbamchameleon.sys 2014-02-21 16:32:21 -------- d-----w- C:\Users\conklije\AppData\Roaming\Malwarebytes 2014-02-21 16:31:47 -------- d-----w- C:\ProgramData\Malwarebytes 2014-02-21 16:31:42 25928 ----a-w- C:\windows\System32\drivers\mbam.sys 2014-02-21 16:31:41 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware 2014-02-21 16:29:08 -------- d-----w- C:\Users\conklije\AppData\Local\Programs 2014-02-20 21:48:11 -------- d-----w- C:\Users\conklije\AppData\Roaming\Riupof 2014-02-20 21:46:34 -------- d-----w- C:\Quarantine 2014-02-15 17:37:19 -------- d-----w- C:\ProgramData\Visan 2014-02-15 17:37:19 -------- d-----w- C:\ProgramData\HP Photo Creations 2014-02-15 17:37:19 -------- d-----w- C:\Program Files (x86)\HP Photo Creations 2014-02-15 17:37:03 -------- d-----w- C:\Users\conklije\AppData\Roaming\HpUpdate 2014-02-15 17:36:47 741480 ------w- C:\windows\System32\HPDiscoPMAD11.dll 2014-02-15 17:36:26 -------- d-----w- C:\Program Files (x86)\HP 2014-02-15 17:36:25 -------- d-----w- C:\Program Files\HP 2014-02-15 17:35:59 -------- d-----w- C:\Users\conklije\AppData\Local\HP 2014-02-13 20:45:05 -------- d-----w- C:\Users\conklije\AppData\Roaming\Xerox 2014-02-13 20:43:56 -------- d-----w- C:\ProgramData\Xerox 2014-02-13 20:43:52 42496 ----a-w- C:\windows\System32\Spool\prtprocs\x64\x5pp.dll 2014-02-13 20:43:52 11264 ----a-w- C:\windows\System32\Spool\prtprocs\x64\x5print.dll 2014-02-13 20:42:27 -------- d-----w- C:\Xerox 2014-02-13 20:15:39 -------- d-----w- C:\Users\conklije\AppData\Local\Cisco 2014-02-13 02:39:17 -------- d-----w- C:\Program Files (x86)\Cisco 2014-02-13 02:38:29 -------- d-----w- C:\ProgramData\Cisco 2014-02-13 01:09:16 21008 ----a-w- C:\windows\SysWow64\Ctl3d.dll 2014-02-13 01:09:11 -------- d-----w- C:\Program Files (x86)\OpenLink 2014-02-13 01:08:18 315904 ----a-w- C:\windows\IsUninst.exe 2014-02-12 17:03:48 -------- d-----w- C:\ProgramData\Email Backup Optimization 2014-02-12 17:02:12 -------- d-----w- C:\Program Files (x86)\PC Backup 2014-02-09 03:48:51 -------- d-----w- C:\Users\conklije\AppData\Local\ServiceNow 2014-02-09 03:35:32 -------- d-----w- C:\Program Files (x86)\ServiceNow 2014-02-08 20:28:15 57288 ----a-w- C:\windows\SysWow64\perf-MSSQL10_50.R2-sqlagtctr.dll 2014-02-08 20:28:14 86984 ----a-w- C:\windows\System32\perf-MSSQL10_50.R2-sqlagtctr.dll 2014-02-08 20:28:04 88520 ----a-w- C:\windows\System32\perf-MSSQL$R2-sqlctr10.52.4000.0.dll 2014-02-08 20:28:04 82888 ----a-w- C:\windows\SysWow64\perf-MSSQL$R2-sqlctr10.52.4000.0.dll 2014-02-08 19:45:57 -------- d-----w- C:\backup 2014-02-08 19:29:52 -------- d-----w- C:\Users\conklije\AppData\Local\Microsoft_Corporation 2014-02-08 11:43:28 594024 ----a-w- C:\windows\System32\dsNcSmartCardProv.dll 2014-02-08 11:43:28 423528 ----a-w- C:\windows\System32\dsNcCredProv.dll 2014-02-08 11:43:10 -------- d-----w- C:\Program Files (x86)\Juniper Networks 2014-02-08 11:43:00 -------- d-----w- C:\Users\conklije\AppData\Roaming\Juniper Networks 2014-02-08 11:42:57 -------- d-----w- C:\Users\conklije\AppData\Local\Juniper Networks 2014-02-08 04:40:20 -------- d-----w- C:\ProgramData\Uninstall 2014-02-08 04:40:10 -------- d-----w- C:\Program Files (x86)\Common Files\SureThing Shared 2014-02-08 04:40:08 -------- d-----w- C:\Program Files (x86)\Roxio 2014-02-08 04:39:33 55024 ------w- C:\windows\System32\drivers\PxHlpa64.sys 2014-02-08 04:39:16 -------- d-----w- C:\Program Files (x86)\Common Files\Sonic Shared 2014-02-08 04:39:16 -------- d-----w- C:\Program Files (x86)\Common Files\PX Storage Engine 2014-02-08 00:54:29 -------- d-----w- C:\Users\conklije\AppData\Local\Mozilla 2014-02-08 00:54:21 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service 2014-02-07 22:58:20 78872 ----a-w- C:\windows\System32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll 2014-02-07 22:58:20 50200 ----a-w- C:\windows\SysWow64\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll 2014-02-07 22:58:17 79896 ----a-w- C:\windows\SysWow64\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll 2014-02-07 22:58:17 111640 ----a-w- C:\windows\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll 2014-02-07 22:57:48 -------- d-----w- C:\windows\System32\RsFx 2014-02-07 22:53:16 -------- d-----w- C:\Program Files\Microsoft SQL Server 2014-02-07 22:52:37 -------- d-----w- C:\Program Files\Microsoft Synchronization Services 2014-02-07 22:52:37 -------- d-----w- C:\Program Files\Microsoft SQL Server Compact Edition 2014-02-07 22:52:33 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services 2014-02-07 22:52:32 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition 2014-02-07 22:51:51 -------- d-----w- C:\ProgramData\PreEmptive Solutions 2014-02-07 22:48:39 -------- d-----w- C:\Program Files (x86)\Microsoft ASP.NET 2014-02-07 22:48:35 -------- d-----w- C:\Program Files\IIS 2014-02-07 22:48:34 -------- d-----w- C:\Program Files (x86)\IIS 2014-02-07 22:48:04 2377696 ----a-w- C:\ProgramData\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll 2014-02-07 22:38:40 -------- d-----w- C:\windows\SysWow64\1033 2014-02-07 22:38:29 -------- d-----w- C:\Program Files (x86)\Microsoft Visual Studio 10.0 2014-02-07 22:38:29 -------- d-----w- C:\Program Files (x86)\Microsoft F# 2014-02-07 22:38:29 -------- d-----w- C:\Program Files (x86)\HTML Help Workshop 2014-02-07 22:38:29 -------- d-----w- C:\Program Files (x86)\Common Files\Merge Modules 2014-02-07 22:26:56 -------- d-----w- C:\windows\System32\1033 2014-02-07 22:26:56 -------- d-----w- C:\Program Files\Microsoft Visual Studio 10.0 2014-02-07 22:26:56 -------- d-----w- C:\Program Files\Microsoft Help Viewer 2014-02-07 21:19:41 -------- d-----w- C:\Users\conklije\AppData\Local\Hewlett-Packard_Company 2014-02-07 19:12:43 -------- d-----w- C:\Logs 2014-02-07 18:38:13 184320 ----a-w- C:\windows\System32\cryptsvc.dll 2014-02-07 18:38:13 1474048 ----a-w- C:\windows\System32\crypt32.dll 2014-02-07 18:38:13 140288 ----a-w- C:\windows\SysWow64\cryptsvc.dll 2014-02-07 18:38:13 139776 ----a-w- C:\windows\System32\cryptnet.dll 2014-02-07 18:38:13 1168384 ----a-w- C:\windows\SysWow64\crypt32.dll 2014-02-07 18:38:13 103936 ----a-w- C:\windows\SysWow64\cryptnet.dll 2014-02-07 18:37:37 497152 ----a-w- C:\windows\System32\drivers\afd.sys 2014-02-07 18:37:10 2048 ----a-w- C:\windows\SysWow64\tzres.dll 2014-02-07 18:37:10 2048 ----a-w- C:\windows\System32\tzres.dll 2014-02-07 18:37:01 9216 ----a-w- C:\Program Files (x86)\Windows Defender\MpAsDesc.dll 2014-02-07 18:37:01 571904 ----a-w- C:\Program Files\Windows Defender\MpClient.dll 2014-02-07 18:37:01 54784 ----a-w- C:\Program Files (x86)\Windows Defender\MpOAV.dll 2014-02-07 18:37:01 4608 ----a-w- C:\Program Files (x86)\Windows Defender\MsMpLics.dll 2014-02-07 18:37:01 392704 ----a-w- C:\Program Files (x86)\Windows Defender\MpClient.dll 2014-02-07 18:37:01 314880 ----a-w- C:\Program Files\Windows Defender\MpCommu.dll 2014-02-07 18:37:01 1011712 ----a-w- C:\Program Files\Windows Defender\MpSvc.dll 2014-02-07 18:35:43 9728 ----a-w- C:\windows\System32\Wdfres.dll 2014-02-07 18:35:43 785624 ----a-w- C:\windows\System32\drivers\Wdf01000.sys 2014-02-07 18:35:43 54376 ----a-w- C:\windows\System32\drivers\WdfLdr.sys 2014-02-07 18:35:34 664064 ----a-w- C:\windows\SysWow64\rpcrt4.dll 2014-02-07 18:35:34 189440 ----a-w- C:\windows\System32\rpchttp.dll 2014-02-07 18:35:34 140800 ----a-w- C:\windows\SysWow64\rpchttp.dll 2014-02-07 18:35:34 1216000 ----a-w- C:\windows\System32\rpcrt4.dll 2014-02-07 18:35:28 100864 ----a-w- C:\windows\System32\drivers\usbcir.sys 2014-02-07 18:34:59 76800 ----a-w- C:\windows\System32\drivers\hidclass.sys 2014-02-07 18:34:59 32896 ----a-w- C:\windows\System32\drivers\hidparse.sys 2014-02-07 18:34:54 624128 ----a-w- C:\windows\System32\qedit.dll 2014-02-07 18:34:54 509440 ----a-w- C:\windows\SysWow64\qedit.dll 2014-02-07 18:34:46 3155968 ----a-w- C:\windows\System32\win32k.sys 2014-02-07 18:33:17 404480 ----a-w- C:\windows\System32\gdi32.dll 2014-02-07 18:33:17 311808 ----a-w- C:\windows\SysWow64\gdi32.dll 2014-02-07 18:33:02 936448 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll 2014-02-07 18:33:02 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll 2014-02-07 18:33:02 1393152 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll 2014-02-07 18:33:01 1732608 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL 2014-02-07 18:33:01 1367040 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll 2014-02-07 18:32:56 124112 ----a-w- C:\windows\System32\PresentationCFFRasterizerNative_v0300.dll 2014-02-07 18:32:56 102608 ----a-w- C:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll 2014-02-07 18:32:44 376768 ----a-w- C:\windows\System32\drivers\netio.sys 2014-02-07 18:32:44 288192 ----a-w- C:\windows\System32\drivers\FWPKCLNT.SYS 2014-02-07 18:32:44 1900992 ----a-w- C:\windows\System32\drivers\tcpip.sys 2014-02-07 18:32:37 984512 ----a-w- C:\windows\System32\drivers\dxgkrnl.sys 2014-02-07 18:32:37 265152 ----a-w- C:\windows\System32\drivers\dxgmms1.sys 2014-02-07 18:32:07 1643520 ----a-w- C:\windows\System32\DWrite.dll 2014-02-07 18:32:07 1247744 ----a-w- C:\windows\SysWow64\DWrite.dll 2014-02-07 18:30:55 99840 ----a-w- C:\windows\System32\drivers\usbccgp.sys 2014-02-07 18:30:55 7808 ----a-w- C:\windows\System32\drivers\usbd.sys 2014-02-07 18:30:55 52736 ----a-w- C:\windows\System32\drivers\usbehci.sys 2014-02-07 18:30:55 325120 ----a-w- C:\windows\System32\drivers\usbport.sys 2014-02-07 18:30:55 30720 ----a-w- C:\windows\System32\drivers\usbuhci.sys 2014-02-07 18:30:55 25600 ----a-w- C:\windows\System32\drivers\usbohci.sys 2014-02-07 18:30:54 343040 ----a-w- C:\windows\System32\drivers\usbhub.sys 2014-02-07 17:45:36 -------- d-----w- C:\ProgramData\itsec 2014-02-07 17:41:49 30208 ----a-w- C:\windows\System32\dnscacheugc.exe 2014-02-07 17:41:49 28672 ----a-w- C:\windows\SysWow64\dnscacheugc.exe 2014-02-07 17:41:49 183296 ----a-w- C:\windows\System32\dnsrslvr.dll 2014-02-07 17:40:45 -------- d-----w- C:\windows\SmartClient 2014-02-07 17:40:34 -------- d-----w- C:\Program Files (x86)\SmartClient 2014-02-07 17:38:37 -------- d-----w- C:\SSM 2014-02-07 17:30:48 -------- d-----w- C:\Users\conklije\AppData\Roaming\Intel Corporation 2014-02-07 17:30:47 -------- d-----w- C:\Users\conklije\AppData\Roaming\Synaptics 2014-02-07 17:30:47 -------- d-----w- C:\Users\conklije\AppData\Roaming\hpqLog 2014-02-07 15:10:23 752 ----a-w- C:\windows\runsurvey.vbs 2014-02-07 15:10:23 3022 ----a-w- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\launch_splashscreen.vbs 2014-02-07 15:10:23 1509 ----a-w- C:\windows\surveytime.vbs 2014-02-07 15:09:50 12800 ------w- C:\windows\EricssonMobileBroadbandVer.dll 2014-02-07 15:08:18 -------- d-----w- C:\windows\SysWow64\SDA 2014-02-07 15:08:17 -------- d-----w- C:\Program Files (x86)\JMicron 2014-02-07 15:08:08 8192 ----a-w- C:\windows\System32\drivers\IntelMEFWVer.dll 2014-02-07 15:08:05 -------- d-----w- C:\Program Files (x86)\Common Files\postureAgent 2014-02-07 15:07:12 53248 ----a-w- C:\windows\SysWow64\CSVer.dll 2014-02-07 15:07:07 -------- d-----w- C:\ProgramData\Validity 2014-02-07 15:07:07 -------- d-----w- C:\Intel 2014-02-07 15:06:50 -------- d-----w- C:\Program Files\Validity Sensors 2014-02-07 15:06:17 48640 ----a-w- C:\windows\System32\wwanprotdim.dll 2014-02-07 15:06:16 229888 ----a-w- C:\windows\System32\wwansvc.dll 2014-02-07 15:05:16 296320 ----a-w- C:\windows\System32\drivers\volsnap.sys 2014-02-07 15:04:56 951680 ----a-w- C:\windows\System32\drivers\ndis.sys 2014-02-07 15:04:27 -------- d-----w- C:\system.sav 2014-02-07 15:03:49 -------- d-----w- C:\Program Files (x86)\Common Files\Telespree 2014-02-06 23:25:08 -------- d-----w- C:\Program Files\Synaptics 2014-02-06 23:23:01 -------- d-----w- C:\Temp . ==================== Find3M ==================== . 2014-02-06 04:42:12 53472 ----a-w- C:\windows\System32\drivers\FireNfcp.sys . ============= FINISH: 23:22:40.62 =============== Attach contents: Microsoft Windows 7 Enterprise Boot Device: \Device\HarddiskVolume2 Install Date: 2/7/2014 10:02:42 AM System Uptime: 2/22/2014 5:24:38 PM (6 hours ago) . Motherboard: Hewlett-Packard | | 161C Processor: Intel® Core i5-2520M CPU @ 2.50GHz | CPU 1 | 2501/100mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 465 GiB total, 404.076 GiB free. D: is CDROM (CDFS) . ==== Disabled Device Manager Items ============= . Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318} Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64 Device ID: ROOT\NET\0000 Manufacturer: Cisco Systems Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64 PNP Device ID: ROOT\NET\0000 Service: vpnva . ==== System Restore Points =================== . RP52: 2/15/2014 2:31:48 PM - Windows Update RP53: 2/22/2014 11:48:13 AM - Malwarebytes Anti-Rootkit Restore Point . ==== Installed Programs ====================== . ActivClient Adobe Flash Player 10 ActiveX Adobe Reader Chinese Simplified Fonts Support For Adobe Reader 9 Chinese Traditional Fonts Support For Adobe Reader 9 Cisco AnyConnect VPN Client Crystal Reports for Visual Studio Device Installer x64 Dotfuscator Software Services - Community Edition Forefront Identity Manager Add-ins and Extensions Get IT Icon Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040) Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308) Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344) Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540) Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789) HP 3D DriveGuard HP Client Automation Application Manager Agent HP Connection Manager HP Deskjet 3510 series Basic Device Software HP Deskjet 3510 series Help HP Deskjet 3510 series Product Improvement Study HP ESU for Microsoft Windows 7 HP Fonts HP Hotkey Support HP Photo Creations HP Software Framework HP Timing Service HP Update Intel® Control Center Intel® Management Engine Components Intel® Rapid Storage Technology Japanese Fonts Support For Adobe Reader 9 Java JMicron 1394 Filter Driver JMicron Flash Media Controller Driver Juniper Networks Network Connect 7.4.0 Juniper Networks, Inc. Setup Client Juniper Networks, Inc. Setup Client 64-bit Activex Control Juniper Networks, Inc. Setup Client Activex Control Korean Fonts Support For Adobe Reader 9 LSI HDA Modem Malwarebytes Anti-Malware version 1.75.0.1300 McAfee Agent McAfee Host Intrusion Prevention McAfee SiteAdvisor Enterprise Plus McAfee VirusScan Enterprise Microsoft .NET Framework 4 Client Profile Microsoft .NET Framework 4 Extended Microsoft .NET Framework 4 Multi-Targeting Pack Microsoft Access MUI (English) 2013 Microsoft Access Setup Metadata MUI (English) 2013 Microsoft Application Error Reporting Microsoft ASP.NET MVC 2 Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools Microsoft DCF MUI (English) 2013 Microsoft Excel MUI (English) 2013 Microsoft Groove MUI (English) 2013 Microsoft Help Viewer 1.0 Microsoft InfoPath MUI (English) 2013 Microsoft Lync MUI (English) 2013 Microsoft Office 64-bit Components 2013 Microsoft Office OSM MUI (English) 2013 Microsoft Office OSM UX MUI (English) 2013 Microsoft Office Professional Plus 2013 Microsoft Office Proofing (English) 2013 Microsoft Office Proofing Tools 2013 - English Microsoft Office Proofing Tools 2013 - Español Microsoft Office Shared 64-bit MUI (English) 2013 Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2013 Microsoft Office Shared MUI (English) 2013 Microsoft Office Shared Setup Metadata MUI (English) 2013 Microsoft OneNote MUI (English) 2013 Microsoft Outlook MUI (English) 2013 Microsoft PowerPoint MUI (English) 2013 Microsoft Publisher MUI (English) 2013 Microsoft Silverlight Microsoft Silverlight 3 SDK Microsoft SQL Server 2008 (64-bit) Microsoft SQL Server 2008 Database Engine Services Microsoft SQL Server 2008 Management Studio Microsoft SQL Server 2008 Policies Microsoft SQL Server 2008 R2 (64-bit) Microsoft SQL Server 2008 R2 Data-Tier Application Framework Microsoft SQL Server 2008 R2 Data-Tier Application Project Microsoft SQL Server 2008 R2 Management Objects Microsoft SQL Server 2008 R2 Management Objects (x64) Microsoft SQL Server 2008 R2 Native Client Microsoft SQL Server 2008 R2 RsFx Driver Microsoft SQL Server 2008 R2 Setup (English) Microsoft SQL Server 2008 R2 Transact-SQL Language Service Microsoft SQL Server 2008 RsFx Driver Microsoft SQL Server 2008 Setup Support Files Microsoft SQL Server Browser Microsoft SQL Server Compact 3.5 SP1 Query Tools English Microsoft SQL Server Compact 3.5 SP2 ENU Microsoft SQL Server Compact 3.5 SP2 x64 ENU Microsoft SQL Server Database Publishing Wizard 1.4 Microsoft SQL Server System CLR Types Microsoft SQL Server System CLR Types (x64) Microsoft SQL Server VSS Writer Microsoft Sync Framework Runtime v1.0 SP1 (x64) Microsoft Sync Framework SDK v1.0 SP1 Microsoft Sync Framework Services v1.0 SP1 (x64) Microsoft Sync Services for ADO.NET v2.0 SP1 (x64) Microsoft Team Foundation Server 2010 Object Model - ENU Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2005 Redistributable (x64) Microsoft Visual C++ 2005 Runtime Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974 Microsoft Visual C++ 2010 x64 Designtime - 10.0.30319 Microsoft Visual C++ 2010 x64 Runtime - 10.0.30319 Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319 Microsoft Visual F# 2.0 Runtime Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools Microsoft Visual Studio 2010 Office Developer Tools (x64) Microsoft Visual Studio 2010 Professional - ENU Microsoft Visual Studio 2010 SharePoint Developer Tools Microsoft Visual Studio 2010 Tools for Office Runtime (x64) Microsoft Visual Studio Macro Tools Microsoft Visual Studio Tools for Applications 2.0 - ENU Microsoft Word MUI (English) 2013 Mozilla Firefox 27.0.1 (x86 en-US) Mozilla Maintenance Service MSXML 4.0 SP3 Parser (KB2721691) MSXML 4.0 SP3 Parser (KB2758694) OpenLink UDA 5.20.0076 Multi-Tier Generic Client Outils de vérification linguistique 2013 de Microsoft Office - Français PC Backup Agent PC COE PC COE Required Settings Remote Access to HP Network 6.5 Roxio Activation Module Roxio Creator Audio Roxio Creator Business Roxio Creator Business v10 Roxio Creator Copy Roxio Creator Data Roxio Creator Tools Roxio Express Labeler 3 Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708) Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449) Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428) Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019) Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595) Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642) Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576) Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393) Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2) Security Update for Microsoft .NET Framework 4 Extended (KB2487367) Security Update for Microsoft .NET Framework 4 Extended (KB2656351) Security Update for Microsoft .NET Framework 4 Extended (KB2736428) Security Update for Microsoft .NET Framework 4 Extended (KB2742595) Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2) Security Update for Microsoft Excel 2013 (KB2827238) 32-Bit Edition Security Update for Microsoft Lync 2013 (KB2817465) 32-Bit Edition Security Update for Microsoft Office 2013 (KB2768005) 32-Bit Edition Security Update for Microsoft Office 2013 (KB2810009) 32-Bit Edition Security Update for Microsoft Office 2013 (KB2817623) 32-Bit Edition Security Update for Microsoft Outlook 2013 (KB2837618) 32-Bit Edition Security Update for Microsoft Visual Studio 2010 Professional - ENU (KB2251489) Security Update for Microsoft Visual Studio 2010 Professional - ENU (KB2644980) Service Pack 1 for SQL Server 2008 (KB968369) (64-bit) Service Pack 2 for SQL Server 2008 R2 (KB2630458) (64-bit) ServiceNow ODBC Driver SQL Server 2008 R2 SP2 Common Files SQL Server 2008 R2 SP2 Database Engine Services SQL Server 2008 R2 SP2 Database Engine Shared Sql Server Customer Experience Improvement Program Synaptics Pointing Device Driver Update for Microsoft Office 2013 (KB2767852) 32-Bit Edition Validity Fingerprint Sensor Driver Visual Studio 2010 Prerequisites - English Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU Web Deployment Tool . ==== Event Viewer Messages From Past Week ======== . 2/22/2014 9:31:13 AM, Error: Microsoft-Windows-Smartcard-Server [610] - Smart Card Reader 'Generic EMV Smartcard Reader 0' rejected IOCTL GET_STATE: The handle is invalid. If this error persists, your smart card or reader may not be functioning correctly. Command Header: XX XX XX XX 2/22/2014 3:29:39 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{FE6D2225-47FF-41C7-8345-ACE8FC323D4F} because another computer on the network has the same name. The server could not start. 2/22/2014 12:57:09 PM, Error: Microsoft-Windows-GroupPolicy [1129] - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator. 2/22/2014 11:09:20 PM, Error: Schannel [36871] - A fatal error occurred while creating an SSL client credential. The internal error state is 10013. 2/22/2014 10:14:59 PM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain AMERICAS due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain. 2/21/2014 5:16:56 AM, Error: Schannel [36887] - The following fatal alert was received: 100. 2/21/2014 3:22:47 PM, Error: Microsoft-Windows-Smartcard-Server [610] - Smart Card Reader 'ActivIdentity Activkey_Sim 0' rejected IOCTL GET_STATE: The I/O operation has been aborted because of either a thread exit or an application request. If this error persists, your smart card or reader may not be functioning correctly. Command Header: XX XX XX XX 2/20/2014 11:48:41 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting. 2/20/2014 10:19:02 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={A4DB9F7F-9036-418A-9C59-8E9563CA2926}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 2/20/2014 10:02:12 PM, Error: Microsoft-Windows-RasSstp [1] - CoId={13B3727B-6E9A-4278-9FBE-080C29528170}:The initial Secure Socket Tunneling Protocol request could not be successfully sent to the server. This can be due to network connectivity issues or certificate (trust) issues. The detailed error message is provided below. Correct the problem and try again. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 2/19/2014 9:25:30 AM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{71554EBE-24C9-476F-9B43-CDA3FC7BAD97} because another computer on the network has the same name. The server could not start. 2/19/2014 3:41:09 PM, Error: WudfUsbccidDriver [6] - Invalid data. Name: InvalidSetProtocol Value: 0x0 2/19/2014 3:41:09 PM, Error: WudfUsbccidDriver [11] - A Request has returned failure. MsgType: 0x80 ICCStatus: 0x1 CmdStatus: 0x1 Error: 0xfe SW1: 0x0 SW2: 0x0 2/19/2014 3:41:09 PM, Error: WudfUsbccidDriver [1] - An operation has failed (0x6, 0x3, 0x0, 0x0). ScCardPowerWarmReset: IccPowerOn failed. HResult: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. 2/19/2014 3:41:09 PM, Error: WudfUsbccidDriver [1] - An operation has failed (0x0, 0x0, 0x0, 0x0). UpdateCardCapabilities: ATR too short. HResult: {Unknown Disk Format} The disk in drive %hs is not formatted properly. Please check the disk, and reformat if necessary. 2/19/2014 3:41:09 PM, Error: Microsoft-Windows-Smartcard-Server [610] - Smart Card Reader 'ActivIdentity Activkey_Sim 0' rejected IOCTL POWER: The smart card is not responding to a reset. If this error persists, your smart card or reader may not be functioning correctly. Command Header: 02 00 00 00 2/19/2014 3:41:08 PM, Error: WudfUsbccidDriver [11] - A Request has returned failure. MsgType: 0x80 ICCStatus: 0x0 CmdStatus: 0x1 Error: 0xfb SW1: 0x0 SW2: 0x0 2/19/2014 3:41:08 PM, Error: WudfUsbccidDriver [10] - Request[0](CLS=0x0,INS=0xca,P1=0x7f,P2=0x68,Lc=0,Le=256,.NETServiceMethod=0x0) 2/19/2014 3:41:08 PM, Error: WudfUsbccidDriver [10] - Request[0](CLS=0x0,INS=0xa4,P1=0x4,P2=0x0,Lc=9,Le=0,.NETServiceMethod=0x0) 2/19/2014 3:41:08 PM, Error: WudfUsbccidDriver [1] - An operation has failed (0x0, 0x0, 0x0, 0x0). ScT0Transmit: Failed to send request at TPDU level. HResult: The I/O device reported an I/O error. 2/19/2014 3:41:08 PM, Error: Microsoft-Windows-Smartcard-Server [610] - Smart Card Reader 'ActivIdentity Activkey_Sim 0' rejected IOCTL TRANSMIT: The request could not be performed because of an I/O device error. If this error persists, your smart card or reader may not be functioning correctly. Command Header: 00 ca 7f 68 2/19/2014 3:41:08 PM, Error: Microsoft-Windows-Smartcard-Server [610] - Smart Card Reader 'ActivIdentity Activkey_Sim 0' rejected IOCTL TRANSMIT: The request could not be performed because of an I/O device error. If this error persists, your smart card or reader may not be functioning correctly. Command Header: 00 a4 04 00 2/19/2014 3:41:07 PM, Error: WudfUsbccidDriver [10] - Request[0](CLS=0x0,INS=0xa4,P1=0x4,P2=0x0,Lc=11,Le=0,.NETServiceMethod=0x0) 2/19/2014 3:06:30 PM, Error: WudfUsbccidDriver [10] - Request[0](CLS=0x0,INS=0xa4,P1=0x4,P2=0x0,Lc=7,Le=0,.NETServiceMethod=0x0) 2/18/2014 5:42:33 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service. 2/17/2014 9:48:08 AM, Error: Microsoft-Windows-Smartcard-Server [610] - Smart Card Reader 'Generic EMV Smartcard Reader 0' rejected IOCTL GET_STATE: The I/O operation has been aborted because of either a thread exit or an application request. If this error persists, your smart card or reader may not be functioning correctly. Command Header: XX XX XX XX 2/16/2014 4:43:36 PM, Error: Service Control Manager [7000] - The Juniper Network Connect Service service failed to start due to the following error: The pipe has been ended. 2/16/2014 4:43:18 PM, Error: Service Control Manager [7000] - The Intel® Management and Security Application Local Management Service service failed to start due to the following error: The pipe has been ended. 2/16/2014 4:43:13 PM, Error: Service Control Manager [7000] - The Cisco AnyConnect VPN Agent service failed to start due to the following error: The pipe has been ended. 2/16/2014 4:43:09 PM, Error: Service Control Manager [7031] - The Cisco AnyConnect VPN Agent service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 4000 milliseconds: Restart the service. 2/16/2014 4:43:08 PM, Error: Service Control Manager [7034] - The McAfee Framework Service service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 4:43:08 PM, Error: Service Control Manager [7034] - The Intel® Rapid Storage Technology service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 4:43:08 PM, Error: Service Control Manager [7034] - The Intel® Management and Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 4:43:08 PM, Error: Service Control Manager [7034] - The HP Connection Manager 4 Service service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 4:43:08 PM, Error: Service Control Manager [7031] - The Intel® Management and Security Application Local Management Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service. 2/16/2014 4:43:07 PM, Error: Service Control Manager [7034] - The HPCA Scheduler Daemon service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 4:43:07 PM, Error: Service Control Manager [7034] - The HPCA Notify Daemon service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 4:43:06 PM, Error: Service Control Manager [7034] - The McAfee Task Manager service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 4:43:06 PM, Error: Service Control Manager [7034] - The McAfee SiteAdvisor Enterprise Service service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 4:43:06 PM, Error: Service Control Manager [7034] - The hpHotkeyMonitor service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 4:43:06 PM, Error: Service Control Manager [7034] - The HP Quick Synchronization Service service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 4:43:06 PM, Error: Service Control Manager [7031] - The Juniper Network Connect Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service. 2/16/2014 4:43:05 PM, Error: Service Control Manager [7031] - The AgentService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. 2/16/2014 4:43:04 PM, Error: Service Control Manager [7031] - The Cisco AnyConnect VPN Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service. 2/16/2014 4:43:03 PM, Error: Service Control Manager [7043] - The McAfee McShield service did not shut down properly after receiving a preshutdown control. 2/16/2014 4:43:03 PM, Error: Service Control Manager [7034] - The HP Software Framework Service service terminated unexpectedly. It has done this 1 time(s). 2/16/2014 12:45:33 PM, Error: Microsoft-Windows-Smartcard-Server [610] - Smart Card Reader 'ActivIdentity Activkey_Sim 0' rejected IOCTL GET_STATE: The device has been removed. If this error persists, your smart card or reader may not be functioning correctly. Command Header: XX XX XX XX 2/15/2014 3:52:57 PM, Error: Schannel [36888] - The following fatal alert was generated: 80. The internal error state is 301. 2/15/2014 3:02:57 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 for x64-based Systems (KB2160841). 2/15/2014 2:47:45 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 for x64-based Systems (KB2416472). 2/15/2014 2:47:45 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Silverlight (KB2814124). . ==== End Of File ===========================

Here is the Malwarebytes report : 2/22/2014 9:57:04 PM mbam-log-2014-02-22 (21-57-04).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 629097 Time elapsed: 1 hour(s), 14 minute(s), 15 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)

Additional info: ( I just got this machine and loaded it with software not more than two weeks ago. Also put old files on it which was probably the source of my woes. My initial machine got infected and came down with a boot sector error. Tried to fix the boot error but it was an encrypted disk and well... beyond the scope of this post). After running the first Malwarebytes and posting first log above and applying cleaning (deleting) I re-ran and got this: Scan type: Full scan (C:\|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 772044 Time elapsed: 2 hour(s), 23 minute(s), 44 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) Also in my protection log from Malwarebytes I got this (log snippet since it is repetitive (tries to clean problem but unable): Scan type: Full scan (C:\|) Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 772044 Time elapsed: 2 hour(s), 23 minute(s), 44 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) Then ran Malwarebytes anti-rootkit: from mbar log: 2/22/2014 9:45:44 AM mbar-log-2014-02-22 (09-45-44).txt Scan type: Quick scan Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken Scan options disabled: Objects scanned: 642623 Time elapsed: 1 hour(s), 51 minute(s), 48 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 1 HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| (Hijack.SHELL32) -> Bad: (\\?\globalroot\Device\HarddiskVolume3\Users\conklije\AppData\Local\Temp\spvjity\sdctqqh\wow.dll) Good: (SHELL32.dll) -> Replace on reboot. Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) Physical Sectors Detected: 0 (No malicious items detected) (end) From system log: Malwarebytes Anti-Rootkit BETA 1.07.0.1009 © Malwarebytes Corporation 2011-2012 OS version: 6.1.7601 Windows 7 Service Pack 1 x64 Account is Administrative Internet Explorer version: 10.0.9200.16736 Java version: 1.6.0_33 File system is: NTFS Disk drives: C:\ DRIVE_FIXED CPU speed: 2.494000 GHz Memory total: 4242911232, free: 1840058368 ======================================= Initializing... ------------ Kernel report ------------ 02/22/2014 09:45:40 ------------ Loaded modules ----------- \SystemRoot\system32\ntoskrnl.exe \SystemRoot\system32\hal.dll \SystemRoot\system32\kdcom.dll \SystemRoot\system32\mcupdate_GenuineIntel.dll \SystemRoot\system32\PSHED.dll \SystemRoot\system32\CLFS.SYS \SystemRoot\system32\CI.dll \SystemRoot\system32\drivers\Wdf01000.sys \SystemRoot\system32\drivers\WDFLDR.SYS \SystemRoot\system32\drivers\ACPI.sys \SystemRoot\system32\drivers\WMILIB.SYS \SystemRoot\system32\drivers\msisadrv.sys \SystemRoot\system32\drivers\pci.sys \SystemRoot\system32\drivers\vdrvroot.sys \SystemRoot\System32\drivers\partmgr.sys \SystemRoot\system32\DRIVERS\compbatt.sys \SystemRoot\system32\DRIVERS\BATTC.SYS \SystemRoot\system32\drivers\volmgr.sys \SystemRoot\System32\drivers\volmgrx.sys \SystemRoot\System32\drivers\mountmgr.sys \SystemRoot\system32\drivers\iaStor.sys \SystemRoot\system32\drivers\amdxata.sys \SystemRoot\system32\drivers\fltmgr.sys \SystemRoot\system32\drivers\fileinfo.sys \SystemRoot\system32\drivers\mfehidk.sys \SystemRoot\System32\Drivers\PxHlpa64.sys \SystemRoot\System32\Drivers\Ntfs.sys \SystemRoot\System32\Drivers\msrpc.sys \SystemRoot\System32\Drivers\ksecdd.sys \SystemRoot\System32\Drivers\cng.sys \SystemRoot\System32\drivers\pcw.sys \SystemRoot\System32\Drivers\Fs_Rec.sys \SystemRoot\system32\drivers\ndis.sys \SystemRoot\system32\drivers\NETIO.SYS \SystemRoot\System32\Drivers\ksecpkg.sys \SystemRoot\System32\drivers\tcpip.sys \SystemRoot\System32\drivers\fwpkclnt.sys \SystemRoot\system32\drivers\mfewfpk.sys \SystemRoot\system32\drivers\vmstorfl.sys \SystemRoot\system32\drivers\volsnap.sys \SystemRoot\System32\Drivers\spldr.sys \SystemRoot\System32\drivers\rdyboost.sys \SystemRoot\System32\Drivers\mup.sys \SystemRoot\System32\drivers\hwpolicy.sys \SystemRoot\system32\drivers\hpdskflt.sys \SystemRoot\System32\DRIVERS\fvevol.sys \SystemRoot\system32\drivers\disk.sys \SystemRoot\system32\drivers\CLASSPNP.SYS \SystemRoot\system32\DRIVERS\cdrom.sys \SystemRoot\System32\Drivers\Null.SYS \SystemRoot\System32\Drivers\Beep.SYS \SystemRoot\System32\drivers\vga.sys \SystemRoot\System32\drivers\VIDEOPRT.SYS \SystemRoot\System32\drivers\watchdog.sys \SystemRoot\System32\DRIVERS\RDPCDD.sys \SystemRoot\system32\drivers\rdpencdd.sys \SystemRoot\system32\drivers\rdprefmp.sys \SystemRoot\System32\Drivers\Msfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS \SystemRoot\system32\DRIVERS\tdx.sys \SystemRoot\system32\DRIVERS\TDI.SYS \SystemRoot\System32\DRIVERS\netbt.sys \SystemRoot\system32\drivers\afd.sys \SystemRoot\system32\DRIVERS\wfplwf.sys \SystemRoot\system32\DRIVERS\pacer.sys \SystemRoot\system32\DRIVERS\mfenlfk.sys \SystemRoot\system32\DRIVERS\vwififlt.sys \SystemRoot\system32\DRIVERS\netbios.sys \SystemRoot\system32\DRIVERS\wanarp.sys \SystemRoot\system32\DRIVERS\termdd.sys \SystemRoot\system32\DRIVERS\rdbss.sys \SystemRoot\system32\drivers\nsiproxy.sys \SystemRoot\system32\DRIVERS\mssmbios.sys \SystemRoot\System32\drivers\discache.sys \SystemRoot\system32\drivers\csc.sys \SystemRoot\System32\Drivers\dfsc.sys \SystemRoot\system32\DRIVERS\blbdrive.sys \SystemRoot\system32\DRIVERS\tunnel.sys \SystemRoot\system32\DRIVERS\intelppm.sys \SystemRoot\system32\DRIVERS\atikmpag.sys \SystemRoot\system32\DRIVERS\atikmdag.sys \SystemRoot\System32\drivers\dxgkrnl.sys \SystemRoot\System32\drivers\dxgmms1.sys \SystemRoot\system32\DRIVERS\HDAudBus.sys \SystemRoot\system32\DRIVERS\HECIx64.sys \SystemRoot\system32\DRIVERS\e1c62x64.sys \SystemRoot\system32\drivers\usbehci.sys \SystemRoot\system32\drivers\USBPORT.SYS \SystemRoot\system32\DRIVERS\SCSIPORT.SYS \SystemRoot\system32\DRIVERS\Netwsw00.sys \SystemRoot\system32\DRIVERS\vwifibus.sys \SystemRoot\system32\DRIVERS\nusb3xhc.sys \SystemRoot\system32\DRIVERS\USBD.SYS \SystemRoot\system32\drivers\tpm.sys \SystemRoot\system32\DRIVERS\parport.sys \SystemRoot\system32\DRIVERS\i8042prt.sys \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys \SystemRoot\system32\DRIVERS\SynTP.sys \SystemRoot\system32\DRIVERS\kbdclass.sys \SystemRoot\system32\DRIVERS\mouclass.sys \SystemRoot\system32\DRIVERS\Accelerometer.sys \SystemRoot\system32\DRIVERS\CmBatt.sys \SystemRoot\system32\DRIVERS\wmiacpi.sys \SystemRoot\system32\DRIVERS\CompositeBus.sys \SystemRoot\system32\DRIVERS\dsNcAdpt.sys \SystemRoot\system32\DRIVERS\AgileVpn.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys \SystemRoot\system32\DRIVERS\ndistapi.sys \SystemRoot\system32\DRIVERS\ndiswan.sys \SystemRoot\system32\DRIVERS\raspppoe.sys \SystemRoot\system32\DRIVERS\raspptp.sys \SystemRoot\system32\DRIVERS\rassstp.sys \SystemRoot\system32\DRIVERS\rdpbus.sys \SystemRoot\system32\DRIVERS\serscan.sys \SystemRoot\system32\drivers\ksthunk.sys \SystemRoot\system32\drivers\ks.sys \SystemRoot\system32\DRIVERS\swenum.sys \SystemRoot\system32\DRIVERS\umbus.sys \SystemRoot\system32\DRIVERS\usbhub.sys \SystemRoot\system32\DRIVERS\nusb3hub.sys \SystemRoot\System32\Drivers\NDProxy.SYS \SystemRoot\system32\drivers\AtihdW76.sys \SystemRoot\system32\drivers\portcls.sys \SystemRoot\system32\drivers\drmk.sys \SystemRoot\system32\DRIVERS\stwrt64.sys \SystemRoot\system32\DRIVERS\agrsm64.sys \SystemRoot\system32\drivers\modem.sys \SystemRoot\system32\drivers\mfefirek.sys \SystemRoot\system32\drivers\mfeavfk.sys \SystemRoot\System32\win32k.sys \SystemRoot\System32\drivers\Dxapi.sys \SystemRoot\system32\DRIVERS\cdfs.sys \SystemRoot\System32\Drivers\crashdmp.sys \SystemRoot\System32\Drivers\dump_iaStor.sys \SystemRoot\System32\Drivers\dump_dumpfve.sys \SystemRoot\system32\DRIVERS\monitor.sys \SystemRoot\system32\DRIVERS\WinUSB.sys \SystemRoot\System32\TSDDD.dll \SystemRoot\System32\cdd.dll \SystemRoot\system32\drivers\btwampfl.sys \SystemRoot\System32\Drivers\BTHUSB.sys \SystemRoot\System32\Drivers\bthport.sys \SystemRoot\System32\ATMFD.DLL \SystemRoot\system32\drivers\luafv.sys \??\C:\windows\system32\drivers\mbam.sys \SystemRoot\system32\DRIVERS\rfcomm.sys \SystemRoot\system32\drivers\WudfPf.sys \SystemRoot\system32\DRIVERS\BthEnum.sys \SystemRoot\system32\DRIVERS\bthpan.sys \SystemRoot\system32\DRIVERS\lltdio.sys \SystemRoot\system32\DRIVERS\nwifi.sys \SystemRoot\system32\DRIVERS\ndisuio.sys \SystemRoot\system32\DRIVERS\rspndr.sys \SystemRoot\system32\drivers\HTTP.sys \SystemRoot\system32\DRIVERS\bowser.sys \SystemRoot\System32\drivers\mpsdrv.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys \SystemRoot\system32\DRIVERS\mrxsmb10.sys \SystemRoot\system32\DRIVERS\mrxsmb20.sys \SystemRoot\system32\drivers\HipShieldK.sys \SystemRoot\system32\drivers\FireNfcp.sys \SystemRoot\system32\drivers\peauth.sys \SystemRoot\System32\Drivers\secdrv.SYS \SystemRoot\System32\DRIVERS\srvnet.sys \SystemRoot\System32\drivers\tcpipreg.sys \SystemRoot\System32\DRIVERS\srv2.sys \SystemRoot\System32\DRIVERS\srv.sys \SystemRoot\system32\DRIVERS\radiamsi.sys \SystemRoot\system32\DRIVERS\asyncmac.sys \SystemRoot\system32\drivers\mfeapfk.sys \??\C:\windows\system32\drivers\mbamchameleon.sys \??\C:\windows\system32\drivers\MBAMSwissArmy.sys \Windows\System32\ntdll.dll \Windows\System32\smss.exe \Windows\System32\apisetschema.dll \Windows\System32\autochk.exe \Windows\System32\lpk.dll \Windows\System32\urlmon.dll \Windows\System32\gdi32.dll \Windows\System32\kernel32.dll \Windows\System32\shell32.dll \Windows\System32\imagehlp.dll \Windows\System32\advapi32.dll \Windows\System32\shlwapi.dll \Windows\System32\oleaut32.dll \Windows\System32\normaliz.dll \Windows\System32\comdlg32.dll \Windows\System32\difxapi.dll \Windows\System32\sechost.dll \Windows\System32\imm32.dll \Windows\System32\user32.dll \Windows\System32\msctf.dll \Windows\System32\setupapi.dll \Windows\System32\clbcatq.dll \Windows\System32\ole32.dll \Windows\System32\nsi.dll \Windows\System32\Wldap32.dll \Windows\System32\msvcrt.dll \Windows\System32\usp10.dll \Windows\System32\wininet.dll \Windows\System32\psapi.dll \Windows\System32\iertutil.dll \Windows\System32\rpcrt4.dll \Windows\System32\ws2_32.dll \Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll \Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll \Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll \Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll \Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll \Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll \Windows\System32\comctl32.dll \Windows\System32\devobj.dll \Windows\System32\wintrust.dll \Windows\System32\cfgmgr32.dll \Windows\System32\KernelBase.dll \Windows\System32\crypt32.dll \Windows\System32\msasn1.dll \Windows\SysWOW64\normaliz.dll ----------- End ----------- Done! <<<1>>> Upper Device Name: \Device\Harddisk0\DR0 Upper Device Object: 0xfffffa80048ed060 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IAAStorageDevice-1\ Lower Device Object: 0xfffffa80048c1050 Lower Device Driver Name: \Driver\iaStor\ <<<2>>> Physical Sector Size: 512 Drive: 0, DevicePointer: 0xfffffa80048ed060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xfffffa80048edb90, DeviceName: Unknown, DriverName: \Driver\partmgr\ DevicePointer: 0xfffffa80048ed060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xfffffa8004af4b10, DeviceName: Unknown, DriverName: \Driver\hpdskflt\ DevicePointer: 0xfffffa8003ca38c0, DeviceName: Unknown, DriverName: \Driver\ACPI\ DevicePointer: 0xfffffa80048c1050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\ ------------ End ---------- Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ Upper DeviceData: 0x0, 0x0, 0x0 Lower DeviceData: 0x0, 0x0, 0x0 <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes <<<2>>> <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers... <<<2>>> <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Done! Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: 4A2FEE12 Partition information: Partition 0 type is Other (0x27) Partition is NOT ACTIVE. Partition starts at LBA: 2048 Numsec = 1024000 Partition 1 type is Other (0x27) Partition is ACTIVE. Partition starts at LBA: 1026048 Numsec = 1021952 Partition file system is NTFS Partition is bootable Partition 2 type is Primary (0x7) Partition is NOT ACTIVE. Partition starts at LBA: 2048000 Numsec = 974723072 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 500107862016 bytes Sector size: 512 bytes Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)... Done! Infected: HKCU\SOFTWARE\CLASSES\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32| --> [Hijack.SHELL32] Scan finished Creating System Restore point... Cleaning up... Removal successful. No system shutdown is required. ======================================= Removal queue found; removal started Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam... Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-1026048-i.mbam... Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam... Removal finished Ran ADWCleaner and performed cleanup of what was found. Logfile below: AdwCleaner v3.019 - Report created 22/02/2014 at 12:25:57 # Updated 17/02/2014 by Xplode # Operating System : Windows 7 Enterprise Service Pack 1 (64 bits) # Username : conklije - CONKLIJE4 # Running from : C:\Users\conklije\Documents\Anti Virus Tools\ADWCleaner\AdwCleaner.exe # Option : Scan ***** [ Services ] ***** ***** [ Files / Folders ] ***** File Found : C:\Uninstall.exe ***** [ Shortcuts ] ***** ***** [ Registry ] ***** Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} Key Found : HKLM\Software\caphyon Key Found : HKLM\SOFTWARE\Classes\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} ***** [ Browsers ] ***** -\\ Internet Explorer v10.0.9200.16736 -\\ Mozilla Firefox v27.0.1 (en-US) [ File : C:\Users\conklije\AppData\Roaming\Mozilla\Firefox\Profiles\0fn2yd7j.default\prefs.js ] ************************* AdwCleaner[R0].txt - [1491 octets] - [22/02/2014 12:25:57] ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1551 octets] ########## Then ran Farber Recovery Scan Tool and it produced a FRST log which was inconsequential and an additional.txt file which was posted in the prior post.

Having issues removing Trojan.zbot.fbd Ran malwarebytes, malwarebytes anti-rootkit, adwcleaner, and Farber Recovery Scan Tool. Below I have log output from Malwarebytes and following that Farber.... problem is I can't seem to get rid of the files in appdata folder as seen in the Farber log (addition.txt). Any advice or direction for me? From Malwarebytes log: mbam-log-2014-02-21 (11-36-37).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 643007 Time elapsed: 1 hour(s), 20 minute(s), 48 second(s) Memory Processes Detected: 3 C:\Windows\SysWOW64\umoci.exe (Trojan.Zbot.FBD) -> 3300 -> Delete on reboot. C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe (Trojan.Zbot.FBD) -> 5216 -> Delete on reboot. C:\Users\conklije\AppData\Roaming\hpqLog\WINDB3D.exe (Trojan.Agent.TMSGen) -> 6040 -> Delete on reboot. Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 1 HKLM\SYSTEM\CurrentControlSet\Services\SecurityCenterServer527587583 (Trojan.Zbot.FBD) -> Quarantined and deleted successfully. Registry Values Detected: 3 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ukybraehofyxx (Trojan.Zbot.FBD) -> Data: C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe -> Quarantined and deleted successfully. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ukybraehofyxx (Trojan.Zbot.FBD) -> Data: C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe -> Quarantined and deleted successfully. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|GameServer52A (Trojan.Agent.TMSGen) -> Data: "C:\Users\conklije\AppData\Roaming\hpqLog\WINDB3D.exe" -> Quarantined and deleted successfully. Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 7 C:\Windows\SysWOW64\umoci.exe (Trojan.Zbot.FBD) -> Delete on reboot. C:\Users\conklije\AppData\Roaming\Riupof\wofaiz.exe (Trojan.Zbot.FBD) -> Delete on reboot. C:\Windows\System32\umoci.exe (Trojan.Zbot.FBD) -> Delete on reboot. C:\Users\conklije\AppData\Local\Temp\UpdateFlashPlayer_8852cc0b.exe (Trojan.Zbot.FBD) -> Quarantined and deleted successfully. C:\Users\conklije\AppData\Local\Temp\UpdateFlashPlayer_bec308d9.exe (Trojan.Agent.ED) -> Quarantined and deleted successfully. C:\Windows\Tasks\Security Center Update - 527587583.job (Trojan.Agent.RvGen) -> Quarantined and deleted successfully. C:\Users\conklije\AppData\Roaming\hpqLog\WINDB3D.exe (Trojan.Agent.TMSGen) -> Delete on reboot. (end) Farber log (second file - addition.txt snippet - not whole file): Microsoft Office Sessions: ========================= Error: (02/22/2014 00:47:13 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (02/21/2014 10:24:24 PM) (Source: WinMgmt)(User: ) Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003 Error: (02/21/2014 10:22:23 PM) (Source: McLogEvent)(User: NT AUTHORITY) Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000. Error: (02/21/2014 10:21:57 PM) (Source: McLogEvent)(User: NT AUTHORITY) Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000. Error: (02/21/2014 10:21:31 PM) (Source: McLogEvent)(User: NT AUTHORITY) Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000. Error: (02/21/2014 10:21:05 PM) (Source: McLogEvent)(User: NT AUTHORITY) Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000. Error: (02/21/2014 10:20:39 PM) (Source: McLogEvent)(User: NT AUTHORITY) Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000. Error: (02/21/2014 10:20:13 PM) (Source: McLogEvent)(User: NT AUTHORITY) Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000. Error: (02/21/2014 10:19:47 PM) (Source: McLogEvent)(User: NT AUTHORITY) Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000. Error: (02/21/2014 10:19:21 PM) (Source: McLogEvent)(User: NT AUTHORITY) Description: The file C:\Users\conklije\AppData\Local\Microsoft_Corporation\Adobe\njllhnfdmf.dll contains the Generic Downloader.z Trojan. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5600.1067 DAT version 7356.0000.