john99
Honorary Members, 37 posts

Everything posted by john99

  1. Here it is:

     Results of screen317's Security Check version 0.99.85
     Windows 7 Service Pack 1 x64 (UAC is enabled)
     Internet Explorer 10 Out of date!
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     Microsoft Security Essentials
     Antivirus up to date!
     `````````Anti-malware/Other Utilities Check:`````````
     Java 7 Update 51
     Java version out of Date!
     Mozilla Firefox 29.0.1 Firefox out of Date!
     Google Chrome 35.0.1916.114
     Google Chrome 35.0.1916.153
     ````````Process Check: objlist.exe by Laurent````````
     Microsoft Security Essentials MSMpEng.exe
     Microsoft Security Essentials msseces.exe
     WinPatrol winpatrol.exe
     Malwarebytes Anti-Malware mbamservice.exe
     Malwarebytes Anti-Malware mbam.exe
     Malwarebytes Anti-Malware mbamscheduler.exe
     BillP Studios WinPatrol WinPatrol.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 0%
     ````````````````````End of Log``````````````````````
  2. Hi, I updated the CCleaner version and ran it. Attached are my FRST64 logs. Thanks

     Attachments: Addition.txt, FRST.txt
  3. Sorry for the delay. The Malwarebytes scan found no threats. The computer is running a bit slow. Nothing unusual in Task Manager. Here is the AdwCleaner log:

     # AdwCleaner v3.213 - Report created 25/06/2014 at 22:29:06
     # Updated 23/06/2014 by Xplode
     # Operating System : Windows 7 Professional Service Pack 1 (64 bits)
     # Username : johnr - JRAU-PC
     # Running from : C:\Users\johnr\Desktop\adwcleaner_3.213.exe
     # Option : Clean

     ***** [ Services ] *****

     ***** [ Files / Folders ] *****

     Folder Deleted : C:\Users\johnr\AppData\Local\DefineExt
     Folder Deleted : C:\Users\johnr\AppData\Local\WhiteListing
     Folder Deleted : C:\Users\johnr\AppData\LocalLow\AskToolbar
     Folder Deleted : C:\Users\johnr\AppData\LocalLow\Conduit
     Folder Deleted : C:\Users\jrau\AppData\LocalLow\AVG Secure Search
     Folder Deleted : C:\Users\jrau\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo
     File Deleted : C:\END
     File Deleted : C:\Users\johnr\AppData\Roaming\Mozilla\Firefox\Profiles\ij2ykqmj.default\searchplugins\Askcom.xml
     File Deleted : C:\Users\johnr\AppData\Roaming\Mozilla\Firefox\Profiles\ij2ykqmj.default\user.js

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASAPI32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\avg-secure-search-installer_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASAPI32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\TaskScheduler_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
     Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
     Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
     Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}
     Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
     Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}
     Key Deleted : HKCU\Software\BillP Studios
     Key Deleted : HKCU\Software\Conduit
     Key Deleted : HKCU\Software\WEDLMNGR
     Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
     Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
     Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
     Key Deleted : HKLM\Software\BillP Studios
     Key Deleted : [x64] HKLM\SOFTWARE\Description
     Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4BB7A109-FDB5-45E3-9DB9-ECB2EA7B80EE}

     ***** [ Browsers ] *****

     -\\ Internet Explorer v10.0.9200.16750

     -\\ Mozilla Firefox v29.0.1 (en-US)

     [ File : C:\Users\johnr\AppData\Roaming\Mozilla\Firefox\Profiles\ij2ykqmj.default\prefs.js ]

     Line Deleted : user_pref("CT3309350_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1377999203630,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
     Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
     Line Deleted : user_pref("smartbar.machineId", "XJXXDJXZRU2UURVTPRLPM2D8SPU9C443CLWZ4XA5N+KR5XMOWGEAQJ3EL443QFPBSEXMJRM65BNIITOA1CDR0Q");

     [ File : C:\Users\jrau\AppData\Roaming\Mozilla\Firefox\Profiles\9j53xrvx.default\prefs.js ]

     Line Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
     Line Deleted : user_pref("browser.search.order.1", "Ask.com");
     Line Deleted : user_pref("browser.search.defaultengine", "Ask.com");
     Line Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
     Line Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");

     -\\ Google Chrome v35.0.1916.153

     [ File : C:\Users\jrau\AppData\Local\Google\Chrome\User Data\Default\preferences ]

     Deleted [Homepage] : hxxp://isearch.avg.com/?cid={FDB98080-8225-4317-AA08-F642242424EC}&mid=a0cb8c81babe47d0acfba9628d46c03d-5899a713f553e146c2a1299eef802221d09c6a83&lang=en&ds=AVG&pr=fr&d=2012-12-12 20:16:50&v=15.2.0.5&pid=avg&sg=&sap=hp
     Deleted [Extension] : dhdepfaagokllfmhfbcfmocaeigmoebo
     Deleted [Extension] : hphibigbodkkohoglgfkddblldpfohjl
     Deleted [Extension] : kdcnnmifdmlmjffdgeieikcokcogpbej
     Deleted [Extension] : kincjchfokkeneeofpeefomkikfkiedl
     Deleted [Extension] : kkkeikdkpjenmoiicggnnodbkebafgpc
     Deleted [Extension] : pgmfkblbflahhponhjmkcnpjinenhlnc

     [ File : C:\Users\norton\AppData\Local\Google\Chrome\User Data\Default\preferences ]

     *************************

     AdwCleaner[R0].txt - [6531 octets] - [25/06/2014 22:11:22]
     AdwCleaner[s0].txt - [6428 octets] - [25/06/2014 22:29:06]

     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [6488 octets] ##########
  4. I didn't see the FRST64 instructions until after I ran TDSSKiller and ComboFix. I ran it after them. When I ran FRST64 there was an error "Unknown variable at line xxxx". However, a fixlog.txt was created and I attached it. TDSSKiller found no threats and I did not see a log. I attached the ComboFix log.

     Attachments: Fixlog.txt, ComboFix.txt
  5. I created a restore point and created the registry backup with DelFix. The FRST64 logs are attached; the Malwarebytes log is below. I ran MS Security Essentials but nothing was found and there was no log. I have been running RogueKiller for about an hour. The progress bar seems to have stopped about halfway. Should I let it continue to run?

     Malwarebytes log:

     Malwarebytes Anti-Malware
     www.malwarebytes.org

     Scan Date: 6/24/2014
     Scan Time: 3:28:21 PM
     Logfile: MalwareBytesScanLog.txt
     Administrator: Yes

     Version: 2.00.2.1012
     Malware Database: v2014.06.24.12
     Rootkit Database: v2014.06.23.02
     License: Premium
     Malware Protection: Enabled
     Malicious Website Protection: Enabled
     Self-protection: Enabled

     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: johnr

     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 448040
     Time Elapsed: 19 min, 35 sec

     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Warn
     PUM: Enabled

     Processes: 0
     (No malicious items detected)

     Modules: 0
     (No malicious items detected)

     Registry Keys: 0
     (No malicious items detected)

     Registry Values: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Folders: 0
     (No malicious items detected)

     Files: 0
     (No malicious items detected)

     Physical Sectors: 0
     (No malicious items detected)

     (end)

     Attachments: Addition.txt, FRST.txt
  6. Thanks, I was able to boot normally. I have Malwarebytes, WinPatrol and MS Security Essentials on my computer. Should I run a full scan now? With these running, I'm not sure why I got the ransomware.

     Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 22-06-2014
     Ran by SYSTEM at 2014-06-24 14:30:15 Run:1
     Running from J:\
     Boot Mode: Recovery
     ==============================================

     Content of fixlist:
     *****************
     Replace: C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll C:\Windows\SysWOW64\user32.dll
     *****************

     C:\Windows\SysWOW64\user32.dll => Moved successfully.
     C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll copied successfully to C:\Windows\SysWOW64\user32.dll

     ==== End of Fixlog ====
  7. Here are the results from the search. BTW - great looking dogs!

     Farbar Recovery Scan Tool (x64) Version: 22-06-2014
     Ran by SYSTEM at 2014-06-24 11:39:50
     Running from J:\
     Boot Mode: Recovery

     ================== Search Files: "user32.dll" =============

     C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll [2010-11-20 19:24][2010-11-20 19:24] 0833024 ____A (Microsoft Corporation) 5E0DB2D8B2750543CD2EBB9EA8E6CDD3
     C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll [2010-11-20 19:24][2010-11-20 19:24] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
     C:\Windows\SysWOW64\user32.dll [2010-11-20 19:24][2014-03-04 01:16] 0872448 ____A (Microsoft Corporation) 03C34516E7CC1E4828BE373B79BEF1E7
     C:\Windows\System32\user32.dll [2010-11-20 19:24][2010-11-20 19:24] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
     C:\Windows\ERDNT\cache86\user32.dll [2012-04-13 03:41][2010-11-20 19:24] 0833024 ____A (Microsoft Corporation) 5E0DB2D8B2750543CD2EBB9EA8E6CDD3
     C:\Windows\ERDNT\cache64\user32.dll [2012-04-13 03:41][2010-11-20 19:24] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
     X:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll [2010-11-20 01:50][2010-11-20 05:27] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
     X:\Windows\System32\user32.dll [2010-11-20 01:50][2010-11-20 05:27] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B

     ====== End Of Search ======
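The user32.dll search in the post above is the textbook way a patched system DLL surfaces in an FRST log: every copy of the file is the same 6.1.7601.17514 build, yet the live C:\Windows\SysWOW64\user32.dll has a different size and MD5 from the wow64_ copy in the WinSxS component store and a last-write time years after its creation time, while the System32 copy still matches its amd64_ twin. The fixlog in post 6 restores exactly that wow64_ store copy. The Python script below is an added example (not FRST's code and not from the post) that parses the "Search Files:" block and flags live copies that disagree with the store; the sample log is constructed from four of the lines posted above, and the assumption that FRST prints the creation timestamp in the first bracket and the last-write timestamp in the second is marked in the code.

```python
"""Flag a system DLL whose live copy no longer matches the WinSxS reference
copies, working from the 'Search Files:' block of an FRST log. Added example,
not part of FRST or of the forum post."""
import re

# Constructed sample input, modelled on the user32.dll search posted above:
#   <path> [<created>][<modified>] <size> <attrs> (<company>) <MD5>
# Assumption: FRST prints creation time first and last-write time second.
SAMPLE_LOG = r"""================== Search Files: "user32.dll" =============
C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll [2010-11-20 19:24][2010-11-20 19:24] 0833024 ____A (Microsoft Corporation) 5E0DB2D8B2750543CD2EBB9EA8E6CDD3
C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll [2010-11-20 19:24][2010-11-20 19:24] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
C:\Windows\SysWOW64\user32.dll [2010-11-20 19:24][2014-03-04 01:16] 0872448 ____A (Microsoft Corporation) 03C34516E7CC1E4828BE373B79BEF1E7
C:\Windows\System32\user32.dll [2010-11-20 19:24][2010-11-20 19:24] 1008128 ____A (Microsoft Corporation) FE70103391A64039A921DBFFF9C7AB1B
====== End Of Search ======
"""

# One file line: lazy path up to the first " [", two bracketed timestamps,
# zero-padded size, attribute flags, company in parentheses, 32 hex MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_search(log_text):
    """Return one dict per file line in an FRST 'Search Files:' block;
    header and footer lines do not match the pattern and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])   # FRST zero-pads sizes ("0833024")
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def is_winsxs(path):
    """True for copies kept in the component store (the reference set)."""
    return "\\winsxs\\" in path.lower()


def flag_tampered_copies(log_text):
    """Compare each live copy (System32, SysWOW64, ...) with the store copies.
    Returns a list of (path, [reasons]) for copies that deserve a closer look:
    a (size, MD5) pair no store copy has, or a last write after creation."""
    entries = parse_search(log_text)
    reference = {(e["size"], e["md5"]) for e in entries if is_winsxs(e["path"])}
    suspects = []
    for e in entries:
        if is_winsxs(e["path"]):
            continue
        reasons = []
        if (e["size"], e["md5"]) not in reference:
            reasons.append("size/MD5 match no WinSxS copy")
        if e["modified"] != e["created"]:
            reasons.append("last write (%s) differs from creation (%s)"
                           % (e["modified"], e["created"]))
        if reasons:
            suspects.append((e["path"], reasons))
    return suspects


if __name__ == "__main__":
    for path, reasons in flag_tampered_copies(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample this reports only C:\Windows\SysWOW64\user32.dll, with both reasons. Treat a hit as a lead rather than proof: Windows servicing can legitimately leave a newer binary in System32 than an older folder in the store (WinSxS keeps one folder per version, so the comparison is only meaningful against the version the live file claims to be), and the check a practitioner wants before replacing anything is the file's Authenticode signature, for example with Sysinternals sigcheck. A replacement from the store, as done in the fixlog above, is also only as good as the store copy's own signature.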
  8. MrC, I don't have a good restore point. Here is the FRST.txt. Thanks

     Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 22-06-2014
     Ran by SYSTEM on MININT-I2KLI7U on 24-06-2014 09:57:45
     Running from J:\
     Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
     Internet Explorer Version 10
     Boot Mode: Recovery
     The current controlset is ControlSet002

     ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

     The only official download link for FRST:
     Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
     Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
     Download link from any site other than Bleeping Computer is unpermitted or outdated.
     See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

     ==================== Registry (Whitelisted) ==================

     HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe [2907240 2010-10-04] (Realtek Semiconductor Corp.)
     HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
     HKLM-x32\...\Run: [iAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [283160 2010-11-05] (Intel Corporation)
     HKLM-x32\...\Run: [iMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [112152 2010-12-03] (Intel Corporation)
     HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
     HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [976320 2009-12-03] (SEIKO EPSON CORPORATION)
     HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [847872 2009-12-02] (SEIKO EPSON CORPORATION)
     HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [523216 2011-09-09] (Cisco Systems, Inc.)
     HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [358336 2011-08-11] (Citrix Systems, Inc.)
     HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] - "C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe" "C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware" [54072 2014-05-12] (Malwarebytes Corporation)
     Winlogon\Notify\GoToAssist Express Customer: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_winlogonx64.dll (Citrix Online, a division of Citrix Systems, Inc.)
     Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
     Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
     HKU\johnr\...\Run: [GoToAssist Express Expert] => C:\Program Files (x86)\Citrix\GoToAssist Express Expert\383\g2ax_start.exe [609144 2012-04-06] (Citrix Online, a division of Citrix Systems, Inc.)
     HKU\johnr\...\Run: [WinPatrol] => C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe [439360 2013-08-12] (BillP Studios)
     HKU\johnr\...\Run: [GoToAssist Remote Support Expert] => C:\Users\johnr\AppData\Local\Citrix\GoToAssist Remote Support Expert\637\g2ax_start.exe [610888 2014-02-12] (Citrix Online, a division of Citrix Systems, Inc.)
     Startup: C:\Users\johnr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flip.lnk
     ShortcutTarget: Flip.lnk -> C:\Program Files (x86)\Belkin\Flip\flip.exe (Belkin Corporation)
     ShellIconOverlayIdentifiers: EnabledUnlockedFDEIconOverlay -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
     ShellIconOverlayIdentifiers: UninitializedFdeIconOverlay -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
     ShellIconOverlayIdentifiers-x32: EnhancedStorageShell -> {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} => No File
     ShellIconOverlayIdentifiers-x32: SharingPrivate -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} => No File

     ==================== Services (Whitelisted) =================

     S2 GoToAssist Remote Support Customer; C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\637\g2ax_service.exe [610888 2014-02-11] (Citrix Online, a division of Citrix Systems, Inc.)
     S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
     S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
     S2 MsDepSvc; C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe [67400 2011-04-01] (Microsoft Corporation)
     S3 msftesql$SYNCO_SQL; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [158568 2007-06-22] (Microsoft Corporation)
     S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
     S2 MSOLAP$SYNCO_SQL; C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe [31648608 2008-11-25] (Microsoft Corporation)
     S2 MSSQL$SYNCO_SQL; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [39626592 2008-11-25] (Microsoft Corporation)
     S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
     S2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [409720 2013-06-28] ()
     S3 ReportServer$SYNCO_SQL; C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [14688 2008-11-25] (Microsoft Corporation)
     S2 SQLAgent$SYNCO_SQL; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [426336 2008-11-25] (Microsoft Corporation)
     S2 tcsd_win32.exe; C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1629696 2010-07-13] ()
     S2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
     S2 WebFarmService; C:\Program Files\IIS\Microsoft Web Farm Framework\WebFarmService.exe [15600 2011-10-12] (Microsoft Corporation)
     S2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [5088256 2010-02-02] (Dell Inc.)
     S2 MSSQL$SQLEXPRESS; "D:\SQL2008\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [X]
     S2 SQLAgent$SQLEXPRESS; "D:\SQL2008\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [X]

     ==================== Drivers (Whitelisted) ====================

     S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-08-14] (AVG Technologies)
     S3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
     S3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [1980648 2010-10-04] (Realtek Semiconductor Corp.)
     S1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [91352 2014-05-12] (Malwarebytes Corporation)
     S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
     S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
     S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-24] (Microsoft Corporation)
     S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
     S4 RsFx0153; C:\Windows\System32\DRIVERS\RsFx0153.sys [321992 2012-06-28] (Microsoft Corporation)
     S1 ws2ifsl; C:\Windows\system32\drivers\ws2ifsl.sys [22368 2013-08-21] (AVG Technologies CZ, s.r.o.)

     ==================== NetSvcs (Whitelisted) ===================

     ==================== One Month Created Files and Folders ========

     2014-06-24 09:56 - 2014-06-24 09:57 - 00000000 ____D () C:\FRST
     2014-06-20 19:52 - 2014-06-20 19:52 - 00000000 _____ () C:\Windows\Minidump\062014-28126-01.dmp
     2014-06-20 19:49 - 2014-06-20 19:49 - 00262144 _____ () C:\Windows\Minidump\062014-28548-02.dmp
     2014-06-20 19:46 - 2014-06-20 19:46 - 00262144 _____ () C:\Windows\Minidump\062014-28938-02.dmp
     2014-06-20 19:44 - 2014-06-20 19:44 - 00000000 _____ () C:\Windows\Minidump\062014-28345-01.dmp
     2014-06-20 19:41 - 2014-06-20 19:41 - 00262144 _____ () C:\Windows\Minidump\062014-28267-01.dmp
     2014-06-20 19:38 - 2014-06-20 19:38 - 00262144 _____ () C:\Windows\Minidump\062014-28454-02.dmp
     2014-06-20 19:35 - 2014-06-20 19:35 - 00000000 _____ () C:\Windows\Minidump\062014-28844-02.dmp
     2014-06-20 19:33 - 2014-06-20 19:33 - 00262144 _____ () C:\Windows\Minidump\062014-28922-01.dmp
     2014-06-20 19:30 - 2014-06-20 19:30 - 00262144 _____ () C:\Windows\Minidump\062014-28766-01.dmp
     2014-06-20 19:27 - 2014-06-20 19:27 - 00262144 _____ () C:\Windows\Minidump\062014-29156-02.dmp
     2014-06-20 19:25 - 2014-06-20 19:25 - 00262144 _____ () C:\Windows\Minidump\062014-28594-01.dmp
     2014-06-20 19:22 - 2014-06-20 19:22 - 00262144 _____ () C:\Windows\Minidump\062014-29031-01.dmp
     2014-06-20 19:19 - 2014-06-20 19:19 - 00262144 _____ () C:\Windows\Minidump\062014-28485-02.dmp
     2014-06-20 19:16 - 2014-06-20 19:16 - 00000000 _____ () C:\Windows\Minidump\062014-28938-01.dmp
     2014-06-20 19:13 - 2014-06-20 19:14 - 00262144 _____ () C:\Windows\Minidump\062014-28860-01.dmp
     2014-06-20 19:11 - 2014-06-20 19:11 - 00262144 _____ () C:\Windows\Minidump\062014-29281-01.dmp
     2014-06-20 19:08 - 2014-06-20 19:08 - 00262144 _____ () C:\Windows\Minidump\062014-28204-01.dmp
     2014-06-20 19:05 - 2014-06-20 19:05 - 00262144 _____ () C:\Windows\Minidump\062014-28860-02.dmp
     2014-06-20 19:02 - 2014-06-20 19:02 - 00262144 _____ () C:\Windows\Minidump\062014-27924-01.dmp
     2014-06-20 18:59 - 2014-06-20 18:59 - 00262144 _____ () C:\Windows\Minidump\062014-28454-01.dmp
     2014-06-20 18:56 - 2014-06-20 18:56 - 00262144 _____ () C:\Windows\Minidump\062014-28672-02.dmp
     2014-06-20 18:53 - 2014-06-20 18:53 - 00262144 _____ () C:\Windows\Minidump\062014-29546-01.dmp
     2014-06-20 18:50 - 2014-06-20 18:51 - 00262144 _____ () C:\Windows\Minidump\062014-28126-02.dmp
     2014-06-20 18:48 - 2014-06-20 18:48 - 00262144 _____ () C:\Windows\Minidump\062014-28329-02.dmp
     2014-06-20 18:45 - 2014-06-20 18:45 - 00262144 _____ () C:\Windows\Minidump\062014-28906-01.dmp
     2014-06-20 18:42 - 2014-06-20 18:42 - 00262144 _____ () C:\Windows\Minidump\062014-29390-02.dmp
     2014-06-20 18:39 - 2014-06-20 18:39 - 00262144 _____ () C:\Windows\Minidump\062014-28594-02.dmp
     2014-06-20 18:36 - 2014-06-20 18:36 - 00262144 _____ () C:\Windows\Minidump\062014-29187-01.dmp
     2014-06-20 18:34 - 2014-06-20 18:34 - 00262144 _____ () C:\Windows\Minidump\062014-28641-03.dmp
     2014-06-20 18:31 - 2014-06-20 18:31 - 00262144 _____ () C:\Windows\Minidump\062014-29047-01.dmp
     2014-06-20 18:28 - 2014-06-20 18:28 - 00262144 _____ () C:\Windows\Minidump\062014-28548-01.dmp
     2014-06-20 18:26 - 2014-06-20 18:26 - 00262144 _____ () C:\Windows\Minidump\062014-29374-01.dmp
     2014-06-20 18:23 - 2014-06-20 18:23 - 00262144 _____ () C:\Windows\Minidump\062014-28641-02.dmp
     2014-06-20 18:20 - 2014-06-20 18:20 - 00262144 _____ () C:\Windows\Minidump\062014-29312-01.dmp
     2014-06-20 18:17 - 2014-06-20 18:17 - 00262144 _____ () C:\Windows\Minidump\062014-28298-01.dmp
     2014-06-20 18:14 - 2014-06-20 18:14 - 00262144 _____ () C:\Windows\Minidump\062014-28953-02.dmp
     2014-06-20 18:11 - 2014-06-20 18:11 - 00262144 _____ () C:\Windows\Minidump\062014-28407-01.dmp
     2014-06-20 18:08 - 2014-06-20 18:09 - 00262144 _____ () C:\Windows\Minidump\062014-28688-02.dmp
     2014-06-20 18:06 - 2014-06-20 18:06 - 00262144 _____ () C:\Windows\Minidump\062014-28516-01.dmp
     2014-06-20 18:03 - 2014-06-20 18:03 - 00262144 _____ () C:\Windows\Minidump\062014-28563-01.dmp
     2014-06-20 18:00 - 2014-06-20 18:00 - 00262144 _____ () C:\Windows\Minidump\062014-29265-01.dmp
     2014-06-20 17:58 - 2014-06-20 17:58 - 00262144 _____ () C:\Windows\Minidump\062014-29000-01.dmp
     2014-06-20 17:54 - 2014-06-20 17:54 - 00262144 _____ () C:\Windows\Minidump\062014-29359-02.dmp
     2014-06-20 17:51 - 2014-06-20 17:51 - 00262144 _____ () C:\Windows\Minidump\062014-29374-02.dmp
     2014-06-20 17:48 - 2014-06-20 17:48 - 00262144 _____ () C:\Windows\Minidump\062014-29343-01.dmp
     2014-06-20 17:45 - 2014-06-20 17:45 - 00262144 _____ () C:\Windows\Minidump\062014-28532-01.dmp
     2014-06-20 17:43 - 2014-06-20 17:43 - 00262144 _____ () C:\Windows\Minidump\062014-28111-01.dmp
     2014-06-20 17:40 - 2014-06-20 17:40 - 00262144 _____ () C:\Windows\Minidump\062014-28438-01.dmp
     2014-06-20 17:37 - 2014-06-20 17:37 - 00262144 _____ () C:\Windows\Minidump\062014-28626-01.dmp
     2014-06-20 17:34 - 2014-06-20 17:34 - 00262144 _____ () C:\Windows\Minidump\062014-29296-01.dmp
     2014-06-20 08:17 - 2014-06-20 08:17 - 00003720 ____N () C:\bootsqm.dat
     2014-06-12 15:50 - 2014-06-12 15:50 - 00000000 ____D () C:\Users\jrau\AppData\Local\CrashDumps
     2014-06-12 15:46 - 2014-06-12 15:46 - 00000430 _____ () C:\Windows\PFRO.log
     2014-06-12 14:46 - 2014-06-12 14:46 - 00126456 _____ () C:\Users\norton\AppData\Local\GDIPFONTCACHEV1.DAT
     2014-06-12 14:45 - 2014-06-12 14:45 - 00000000 ____H () C:\Users\norton\Documents\Default.rdp
     2014-06-12 14:35 - 2014-06-20 19:52 - 429867423 _____ () C:\Windows\MEMORY.DMP
     2014-06-12 14:32 - 2014-06-20 19:52 - 00014056 _____ () C:\Windows\setupact.log
     2014-06-12 14:32 - 2014-06-12 14:32 - 00000000 _____ () C:\Windows\setuperr.log
     2014-06-12 13:55 - 2014-06-12 14:15 - 00000000 ____D () C:\Windows\Microsoft Antimalware
     2014-06-12 09:05 - 2014-06-20 03:42 - 00004044 _____ () C:\Windows\WindowsUpdate.log
     2014-06-11 20:29 - 2014-06-11 20:33 - 00185254 _____ () C:\users\LIST.TXT
     2014-06-11 18:54 - 2014-06-11 18:54 - 00000000 ____D () C:\Users\jrau\AppData\Local\NPE
     2014-06-11 17:06 - 2014-06-11 18:42 - 00000000 ____D () C:\Users\norton\AppData\Local\NPE
     2014-06-11 17:06 - 2014-06-11 17:06 - 00000000 ____D () C:\ProgramData\Norton
     2014-06-11 16:57 - 2014-06-11 17:04 - 00032512 _____ () C:\Windows\System32\Drivers\hitmanpro37.sys
     2014-06-11 16:42 - 2014-06-11 20:47 - 00000000 ____D () C:\Users\norton\AppData\Local\Google
     2014-06-11 16:42 - 2014-06-11 16:42 - 00000020 ___SH () C:\Users\norton\ntuser.ini
     2014-06-11 16:42 - 2014-06-11 16:42 - 00000000 ____D () C:\users\norton
     2014-06-11 16:42 - 2014-05-21 04:42 - 00000000 ____D () C:\Users\norton\Documents\Visual Studio 2008
     2014-06-11 16:42 - 2013-08-08 23:02 - 00000000 ____D () C:\Users\norton\Documents\Visual Studio 2012
     2014-06-11 16:42 - 2013-01-11 05:21 - 00000000 ____D () C:\Users\norton\AppData\Roaming\TuneUp Software
     2014-06-11 16:42 - 2011-08-09 23:07 - 00000000 ____D () C:\Users\norton\Documents\Visual Studio 2005
     2014-06-11 16:42 - 2011-06-16 23:01 - 00000000 ____D () C:\Users\norton\Documents\Visual Studio 2010
     2014-06-11 16:42 - 2011-06-13 05:21 - 00000000 ____D () C:\Users\norton\AppData\Roaming\Macromedia
     2014-06-11 16:42 - 2011-06-12 23:02 - 00000000 ____D () C:\Users\norton\AppData\Local\Microsoft Help
     2014-06-10 18:21 - 2014-06-10 18:21 - 00001899 _____ () C:\Users\Public\Desktop\HitmanPro.lnk
     2014-06-10 18:21 - 2014-06-10 18:21 - 00000000 ____D () C:\Program Files\HitmanPro
     2014-06-10 03:57 - 2014-06-10 03:57 - 00009278 _____ () C:\Windows\System32\.crusader
     2014-06-10 03:49 - 2014-06-10 18:29 - 00000000 ____D () C:\ProgramData\HitmanPro
     2014-06-09 10:51 - 2014-06-09 11:31 - 00000000 ___HD () C:\Users\Public\Documents\Report
     2014-05-28 13:58 - 2014-05-28 13:58 - 00000000 ____D () C:\Users\johnr\AppData\Local\Microsoft_Corporation
     2014-05-28 10:34 - 2012-06-28 21:22 - 00082888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\perf-MSSQL$SQLEXPRESS-sqlctr10.52.4000.0.dll
     2014-05-28 10:34 - 2012-06-28 21:22 - 00057288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\perf-MSSQL10_50.SQLEXPRESS-sqlagtctr.dll
     2014-05-28 10:34 - 2012-06-28 21:17 - 00088520 _____ (Microsoft Corporation) C:\Windows\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.52.4000.0.dll
     2014-05-28 10:34 - 2012-06-28 21:17 - 00086984 _____ (Microsoft Corporation) C:\Windows\System32\perf-MSSQL10_50.SQLEXPRESS-sqlagtctr.dll
     2014-05-28 10:33 - 2014-05-28 10:33 - 00000000 ____D () C:\Users\johnr\Documents\Integration Services Script Component
     2014-05-28 10:32 - 2014-05-28 10:32 - 00000000 ____D () C:\Windows\System32\RsFx
     2014-05-28 10:32 - 2014-05-28 10:32 - 00000000 ____D () C:\Users\johnr\Documents\Integration Services Script Task
     2014-05-28 10:30 - 2014-05-28 10:30 - 00000000 ____D () C:\Program Files\Microsoft Visual Studio 9.0
     2014-05-28 09:35 - 2014-05-28 09:37 - 357075912 _____ (Microsoft Corporation) C:\Users\johnr\Downloads\SQLEXPRWT_x64_ENU.exe
     2014-05-28 07:46 - 2014-05-28 07:46 - 00013461 _____ () C:\Users\johnr\Documents\RestrictionComparison.xlsx

     ==================== One Month Modified Files and Folders =======

     2014-06-24 09:57 - 2014-06-24 09:56 - 00000000 ____D () C:\FRST
     2014-06-24 04:59 - 2011-07-15 04:59 - 00000000 ____D () C:\localwork
     2014-06-20 19:52 - 2014-06-20 19:52 - 00000000 _____ () C:\Windows\Minidump\062014-28126-01.dmp
     2014-06-20 19:52 - 2014-06-12 14:35 - 429867423 _____ () C:\Windows\MEMORY.DMP
     2014-06-20 19:52 - 2014-06-12 14:32 - 00014056 _____ () C:\Windows\setupact.log
     2014-06-20 19:52 - 2013-03-11 05:08 - 00000000 ____D () C:\Windows\Minidump
     2014-06-20 19:49 - 2014-06-20 19:49 - 00262144 _____ () C:\Windows\Minidump\062014-28548-02.dmp
     2014-06-20 19:46 - 2014-06-20 19:46 - 00262144 _____ () C:\Windows\Minidump\062014-28938-02.dmp
     2014-06-20 19:44 - 2014-06-20 19:44 - 00000000 _____ () C:\Windows\Minidump\062014-28345-01.dmp
     2014-06-20 19:41 - 2014-06-20 19:41 - 00262144 _____ () C:\Windows\Minidump\062014-28267-01.dmp
     2014-06-20 19:38 - 2014-06-20 19:38 - 00262144 _____ () C:\Windows\Minidump\062014-28454-02.dmp
     2014-06-20 19:35 - 2014-06-20 19:35 - 00000000 _____ () C:\Windows\Minidump\062014-28844-02.dmp
     2014-06-20 19:33 - 2014-06-20 19:33 - 00262144 _____ () C:\Windows\Minidump\062014-28922-01.dmp
     2014-06-20 19:30 - 2014-06-20 19:30 - 00262144 _____ () C:\Windows\Minidump\062014-28766-01.dmp
     2014-06-20 19:27 - 2014-06-20 19:27 - 00262144 _____ () C:\Windows\Minidump\062014-29156-02.dmp
     2014-06-20 19:25 - 2014-06-20 19:25 - 00262144 _____ () C:\Windows\Minidump\062014-28594-01.dmp
     2014-06-20 19:22 - 2014-06-20 19:22 - 00262144 _____ () C:\Windows\Minidump\062014-29031-01.dmp
     2014-06-20 19:19 - 2014-06-20 19:19 - 00262144 _____ () C:\Windows\Minidump\062014-28485-02.dmp
     2014-06-20 19:16 - 2014-06-20 19:16 - 00000000 _____ () C:\Windows\Minidump\062014-28938-01.dmp
     2014-06-20 19:14 - 2014-06-20 19:13 - 00262144 _____ () C:\Windows\Minidump\062014-28860-01.dmp
     2014-06-20 19:11 - 2014-06-20 19:11 - 00262144 _____ () C:\Windows\Minidump\062014-29281-01.dmp
     2014-06-20 19:08 - 2014-06-20 19:08 - 00262144 _____ () C:\Windows\Minidump\062014-28204-01.dmp
     2014-06-20 19:05 - 2014-06-20 19:05 - 00262144 _____ () C:\Windows\Minidump\062014-28860-02.dmp
     2014-06-20 19:02 - 2014-06-20 19:02 - 00262144 _____ () C:\Windows\Minidump\062014-27924-01.dmp
     2014-06-20 18:59 - 2014-06-20 18:59 - 00262144 _____ () C:\Windows\Minidump\062014-28454-01.dmp
     2014-06-20 18:56 - 2014-06-20 18:56 - 00262144 _____ () C:\Windows\Minidump\062014-28672-02.dmp
     2014-06-20 18:53 - 2014-06-20 18:53 - 00262144 _____ () C:\Windows\Minidump\062014-29546-01.dmp
     2014-06-20 18:51 - 2014-06-20 18:50 - 00262144 _____ () C:\Windows\Minidump\062014-28126-02.dmp
     2014-06-20 18:48 - 2014-06-20 18:48 - 00262144 _____ () C:\Windows\Minidump\062014-28329-02.dmp
     2014-06-20 18:45 - 2014-06-20 18:45 - 00262144 _____ () C:\Windows\Minidump\062014-28906-01.dmp
     2014-06-20 18:42 - 2014-06-20 18:42 - 00262144 _____ () C:\Windows\Minidump\062014-29390-02.dmp
     2014-06-20 18:39 - 2014-06-20 18:39 - 00262144 _____ () C:\Windows\Minidump\062014-28594-02.dmp
     2014-06-20 18:36 - 2014-06-20 18:36 - 00262144 _____ () C:\Windows\Minidump\062014-29187-01.dmp
     2014-06-20 18:34 - 2014-06-20 18:34 - 00262144 _____ () C:\Windows\Minidump\062014-28641-03.dmp
     2014-06-20 18:31 - 2014-06-20 18:31 - 00262144 _____ () C:\Windows\Minidump\062014-29047-01.dmp
     2014-06-20 18:28 - 2014-06-20 18:28 - 00262144 _____ () C:\Windows\Minidump\062014-28548-01.dmp
     2014-06-20 18:26 - 2014-06-20 18:26 - 00262144 _____ () C:\Windows\Minidump\062014-29374-01.dmp
     2014-06-20 18:23 - 2014-06-20 18:23 - 00262144 _____ () C:\Windows\Minidump\062014-28641-02.dmp
     2014-06-20 18:20 - 2014-06-20 18:20 - 00262144 _____ () C:\Windows\Minidump\062014-29312-01.dmp
     2014-06-20 18:17 - 2014-06-20 18:17 - 00262144 _____ () C:\Windows\Minidump\062014-28298-01.dmp
     2014-06-20 18:14 - 2014-06-20 18:14 - 00262144 _____ () C:\Windows\Minidump\062014-28953-02.dmp
     2014-06-20 18:11 - 2014-06-20 18:11 - 00262144 _____ () C:\Windows\Minidump\062014-28407-01.dmp
     2014-06-20 18:09 - 2014-06-20 18:08 - 00262144 _____ () C:\Windows\Minidump\062014-28688-02.dmp
     2014-06-20 18:06 - 2014-06-20 18:06 - 00262144 _____ () C:\Windows\Minidump\062014-28516-01.dmp
     2014-06-20 18:03 - 2014-06-20 18:03 - 00262144 _____ () C:\Windows\Minidump\062014-28563-01.dmp
     2014-06-20 18:00 - 2014-06-20 18:00 - 00262144 _____ () C:\Windows\Minidump\062014-29265-01.dmp
     2014-06-20 17:58 - 2014-06-20 17:58 - 00262144 _____ () C:\Windows\Minidump\062014-29000-01.dmp
     2014-06-20 17:54 - 2014-06-20 17:54 - 00262144 _____ () C:\Windows\Minidump\062014-29359-02.dmp
     2014-06-20 17:51 - 2014-06-20 17:51 - 00262144 _____ () C:\Windows\Minidump\062014-29374-02.dmp
     2014-06-20 17:48 - 2014-06-20 17:48 - 00262144 _____ () C:\Windows\Minidump\062014-29343-01.dmp
     2014-06-20 17:45 - 2014-06-20 17:45 - 00262144 _____ () C:\Windows\Minidump\062014-28532-01.dmp
     2014-06-20 17:43 - 2014-06-20 17:43 - 00262144 _____ () C:\Windows\Minidump\062014-28111-01.dmp
     2014-06-20 17:40 - 2014-06-20 17:40 - 00262144 _____ () C:\Windows\Minidump\062014-28438-01.dmp
     2014-06-20 17:37 - 2014-06-20 17:37 - 00262144 _____ () C:\Windows\Minidump\062014-28626-01.dmp
     2014-06-20 17:34 - 2014-06-20 17:34 - 00262144 _____ () C:\Windows\Minidump\062014-29296-01.dmp
     2014-06-20 08:17 - 2014-06-20 08:17 - 00003720 ____N () C:\bootsqm.dat
     2014-06-20 03:42 - 2014-06-12 09:05 - 00004044 _____ () C:\Windows\WindowsUpdate.log
     2014-06-12 15:50 - 2014-06-12 15:50 - 00000000 ____D () C:\Users\jrau\AppData\Local\CrashDumps
     2014-06-12 15:46 - 2014-06-12 15:46 - 00000430 _____ () C:\Windows\PFRO.log
     2014-06-12 15:46 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\Branding
     2014-06-12 14:46 - 2014-06-12 14:46 - 00126456 _____ () C:\Users\norton\AppData\Local\GDIPFONTCACHEV1.DAT
     2014-06-12 14:45 - 2014-06-12 14:45 - 00000000 ____H () C:\Users\norton\Documents\Default.rdp
     2014-06-12 14:45 - 2014-04-16 03:38 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
     2014-06-12 14:32 - 2014-06-12 14:32 - 00000000 _____ () C:\Windows\setuperr.log
     2014-06-12 14:15 - 2014-06-12 13:55 - 00000000 ____D () C:\Windows\Microsoft Antimalware
     2014-06-11 20:47 - 2014-06-11 16:42 - 00000000 ____D () C:\Users\norton\AppData\Local\Google
     2014-06-11 20:33 - 2014-06-11 20:29 - 00185254 _____ () C:\users\LIST.TXT
     2014-06-11 18:54 - 2014-06-11 18:54 - 00000000 ____D () C:\Users\jrau\AppData\Local\NPE
     2014-06-11 18:42 - 2014-06-11 17:06 - 00000000 ____D () C:\Users\norton\AppData\Local\NPE
     2014-06-11 17:06 - 2014-06-11 17:06 - 00000000 ____D () C:\ProgramData\Norton
     2014-06-11 17:04 - 2014-06-11 16:57 - 00032512 _____ () C:\Windows\System32\Drivers\hitmanpro37.sys
     2014-06-11 16:42 - 2014-06-11 16:42 - 00000020 ___SH () C:\Users\norton\ntuser.ini
     2014-06-11 16:42 - 2014-06-11 16:42 - 00000000 ____D () C:\users\norton
     2014-06-10 18:29 - 2014-06-10 03:49 - 00000000 ____D () C:\ProgramData\HitmanPro
     2014-06-10 18:21 - 2014-06-10 18:21 - 00001899 _____ () C:\Users\Public\Desktop\HitmanPro.lnk
     2014-06-10 18:21 - 2014-06-10 18:21 - 00000000 ____D () C:\Program Files\HitmanPro
     2014-06-10 03:57 - 2014-06-10 03:57 - 00009278 _____ () C:\Windows\System32\.crusader
     2014-06-09 11:31 - 2014-06-09 10:51 - 00000000 ___HD () C:\Users\Public\Documents\Report
     2014-06-09 11:17 - 2012-10-16 03:12 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
     2014-06-09 10:58 - 2014-03-10 13:30 - 00000000 ____D () C:\Users\johnr\AppData\Roaming\FileZilla
     2014-06-09 10:52 - 2009-07-13 21:32 - 00000000 ____D () C:\Windows\System32\FxsTmp
     2014-06-09 08:01 - 2011-06-17 05:07 - 00000000 ____D () C:\Users\johnr\Documents\SQL Server Management Studio
     2014-06-09 04:05 - 2012-03-30 08:21 - 00000000 ____D () C:\ADBImp
     2014-06-09 03:27 - 2012-10-16 03:12 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
     2014-06-05 03:46 - 2009-07-13 20:45 - 00021312 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
     2014-06-05 03:46 - 2009-07-13 20:45 - 00021312 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
     2014-06-05 03:21 - 2011-06-17 03:41 - 00000000 ____D () C:\users\johnr
     2014-06-05 02:59 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
     2014-06-04 03:04 - 2009-07-13 21:13 - 01175008 _____ () C:\Windows\System32\PerfStringBackup.INI
     2014-05-31 12:39 - 2011-06-29 12:56 - 00001261 _____ () C:\Windows\ODBC.INI
     2014-05-31 12:31 - 2011-06-12 15:44 - 00000000 ____D () C:\ProgramData\Microsoft Help
     2014-05-31 12:28 - 2011-06-12 09:20 - 00000000 ____D () C:\Program Files\Microsoft SQL Server
     2014-05-31 12:28 - 2011-06-12 09:20 - 00000000 ____D () C:\Program Files (x86)\Microsoft SQL Server
     2014-05-31 12:16 - 2014-04-16 03:37 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
     2014-05-31 10:48 - 2012-04-09 13:05 - 00001141 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
     2014-05-28
13:58 - 2014-05-28 13:58 - 00000000 ____D () C:\Users\johnr\AppData\Local\Microsoft_Corporation 2014-05-28 11:43 - 2011-06-17 03:41 - 00000000 ____D () C:\Users\johnr\AppData\Local\Microsoft Help 2014-05-28 10:33 - 2014-05-28 10:33 - 00000000 ____D () C:\Users\johnr\Documents\Integration Services Script Component 2014-05-28 10:32 - 2014-05-28 10:32 - 00000000 ____D () C:\Windows\System32\RsFx 2014-05-28 10:32 - 2014-05-28 10:32 - 00000000 ____D () C:\Users\johnr\Documents\Integration Services Script Task 2014-05-28 10:30 - 2014-05-28 10:30 - 00000000 ____D () C:\Program Files\Microsoft Visual Studio 9.0 2014-05-28 10:28 - 2011-06-12 09:07 - 00000000 ____D () C:\Program Files (x86)\Microsoft Visual Studio 9.0 2014-05-28 09:37 - 2014-05-28 09:35 - 357075912 _____ (Microsoft Corporation) C:\Users\johnr\Downloads\SQLEXPRWT_x64_ENU.exe 2014-05-28 07:46 - 2014-05-28 07:46 - 00013461 _____ () C:\Users\johnr\Documents\RestrictionComparison.xlsx Files to move or delete: ==================== C:\Users\johnr\gotomypc_533.exe C:\Users\johnr\gotomypc_540.exe C:\Users\johnr\gotomypc_635.exe C:\Users\jrau\gotomypc_533.exe C:\Users\jrau\gotomypc_540.exe ==================== Known DLLs (Whitelisted) ================ ==================== Bamital & volsnap Check ================= C:\Windows\System32\winlogon.exe => MD5 is legit C:\Windows\System32\wininit.exe => MD5 is legit C:\Windows\SysWOW64\wininit.exe => MD5 is legit C:\Windows\explorer.exe => MD5 is legit C:\Windows\SysWOW64\explorer.exe => MD5 is legit C:\Windows\System32\svchost.exe => MD5 is legit C:\Windows\SysWOW64\svchost.exe => MD5 is legit C:\Windows\System32\services.exe => MD5 is legit C:\Windows\System32\User32.dll => MD5 is legit C:\Windows\SysWOW64\User32.dll [2010-11-20 19:24] - [2014-03-04 01:16] - 0872448 ____A (Microsoft Corporation) 03C34516E7CC1E4828BE373B79BEF1E7 C:\Windows\System32\userinit.exe => MD5 is legit C:\Windows\SysWOW64\userinit.exe => MD5 is legit C:\Windows\System32\rpcss.dll => MD5 is legit 
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit ==================== Restore Points ========================= ==================== Memory info =========================== Percentage of memory in use: 11% Total physical RAM: 8073.05 MB Available physical RAM: 7161.56 MB Total Pagefile: 8071.25 MB Available Pagefile: 7166.73 MB Total Virtual: 8192 MB Available Virtual: 8191.88 MB ==================== Drives ================================ Drive c: (OS) (Fixed) (Total:470.9 GB) (Free:377.92 GB) NTFS Drive d: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.11 GB) NTFS ==>[system with boot components (obtained from reading drive)] Drive e: (Data) (Fixed) (Total:292.97 GB) (Free:177.81 GB) NTFS Drive f: (Backup) (Fixed) (Total:166.87 GB) (Free:73.18 GB) NTFS Drive i: (KIS - MD) (CDROM) (Total:0.52 GB) (Free:0 GB) CDFS Drive j: (WDO_MEDIA64) (Removable) (Total:14.52 GB) (Free:14.25 GB) FAT32 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.5 GB) NTFS ==>[system with boot components (obtained from reading drive)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 932 GB) (Disk ID: 68026767) Partition 1: (Not Active) - (Size=39 MB) - (Type=DE) Partition 2: (Active) - (Size=750 MB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=931 GB) - (Type=07 NTFS) ======================================================== Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 932 GB) (Disk ID: 4A11BC2E) Partition 1: (Not Active) - (Size=39 MB) - (Type=DE) Partition 2: (Active) - (Size=752 MB) - (Type=07 NTFS) Partition 3: (Not Active) - (Size=471 GB) - (Type=07 NTFS) Partition 4: (Not Active) - (Size=460 GB) - (Type=OF Extended) ======================================================== Disk: 2 (MBR Code: Windows 7 or 8) (Size: 15 GB) (Disk ID: 0001532E) Partition 1: (Active) - (Size=15 GB) - (Type=0C) LastRegBack: 
2014-06-07 20:08 ==================== End Of Log ============================
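A small triage script for an FRST listing like the one above. This is an added example, not part of the original post and not code from FRST (Farbar Recovery Scan Tool) itself. It parses FRST's per-file entry format (`<modified> - <created> - <size> <attrs> (<company>) <path>`) and pulls out the two things a responder should notice in this log without counting lines by hand: the run of kernel minidumps written on 2014-06-20 (dozens of 256 KB dumps a few minutes apart, plus two zero-byte ones), which means the box was bluescreening in a loop rather than "running a bit slow", and executables dropped directly in a profile root, which is what FRST's own "Files to move or delete" section is flagging. The sample log is a constructed excerpt of a few lines copied from the post above; the one-hour window and the five-dump threshold are assumed values, not FRST settings.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt: a handful of entries copied from the FRST listing in the post
# above, plus two lines from its "Files to move or delete" section. Not a real run.
SAMPLE_LOG = r"""
2014-06-20 19:35 - 2014-06-20 19:35 - 00000000 _____ () C:\Windows\Minidump\062014-28844-02.dmp
2014-06-20 19:33 - 2014-06-20 19:33 - 00262144 _____ () C:\Windows\Minidump\062014-28922-01.dmp
2014-06-20 19:30 - 2014-06-20 19:30 - 00262144 _____ () C:\Windows\Minidump\062014-28766-01.dmp
2014-06-20 19:27 - 2014-06-20 19:27 - 00262144 _____ () C:\Windows\Minidump\062014-29156-02.dmp
2014-06-20 19:16 - 2014-06-20 19:16 - 00000000 _____ () C:\Windows\Minidump\062014-28938-01.dmp
2014-06-20 17:34 - 2014-06-20 17:34 - 00262144 _____ () C:\Windows\Minidump\062014-29296-01.dmp
2014-06-12 14:45 - 2014-04-16 03:38 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-06-10 03:57 - 2014-06-10 03:57 - 00009278 _____ () C:\Windows\System32\.crusader
2014-06-11 16:42 - 2014-06-11 16:42 - 00000020 ___SH () C:\Users\norton\ntuser.ini
Files to move or delete:
====================
C:\Users\johnr\gotomypc_533.exe
C:\Users\jrau\gotomypc_540.exe
"""

# One FRST file entry: <modified> - <created> - <size> <attrs> (<company>) <path>
FRST_ENTRY = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8,}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
MINIDUMP = re.compile(r"\\Minidump\\[^\\]+\.dmp$", re.IGNORECASE)
# An executable sitting directly in a profile root (C:\Users\<name>\x.exe). FRST lists
# these bare, without timestamps, so they are matched on the raw line.
PROFILE_ROOT_EXE = re.compile(r"^C:\\Users\\[^\\]+\\[^\\]+\.(?:exe|scr|com)$", re.IGNORECASE)


def parse_entries(log_text):
    """Parse every timestamped file entry; lines in any other format are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = FRST_ENTRY.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["modified"] = datetime.strptime(e["modified"], "%Y-%m-%d %H:%M")
        e["created"] = datetime.strptime(e["created"], "%Y-%m-%d %H:%M")
        e["size"] = int(e["size"])
        entries.append(e)
    return entries


def densest_minidump_window(entries, window=timedelta(hours=1)):
    """Densest `window` of kernel minidumps as {'start', 'end', 'count'}, or None.

    Sliding two-pointer sweep over the sorted dump times. A dump every few minutes
    is a crash loop: the machine is bluescreening repeatedly, not idling."""
    times = sorted(e["modified"] for e in entries if MINIDUMP.search(e["path"]))
    best, j = None, 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        if best is None or j - i > best["count"]:
            best = {"start": start, "end": times[j - 1], "count": j - i}
    return best


def empty_minidumps(entries):
    """Zero-byte .dmp files: the crash happened but the dump was never written out."""
    return [e["path"] for e in entries if MINIDUMP.search(e["path"]) and e["size"] == 0]


def profile_root_executables(log_text):
    """Bare paths of executables living directly under C:\\Users\\<name>\\."""
    return [ln.strip() for ln in log_text.splitlines() if PROFILE_ROOT_EXE.match(ln.strip())]


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    burst = densest_minidump_window(entries)
    if burst and burst["count"] >= 5:  # assumed threshold for calling it a loop
        print(f"crash loop: {burst['count']} minidumps between "
              f"{burst['start']:%Y-%m-%d %H:%M} and {burst['end']:%H:%M}")
    for p in empty_minidumps(entries):
        print("empty minidump (dump write failed):", p)
    for p in profile_root_executables(SAMPLE_LOG):
        print("executable in profile root:", p)
```

Run against the full listing in the post rather than the excerpt, the sweep finds the 17:34 to 19:35 cluster of 45 dumps on its own; the two zero-byte dumps are the crashes where the dump writer itself did not finish. Neither finding is malware by itself, but both belong in the same triage as the gotomypc_*.exe files, because a kernel crash loop that started the same week as the cleanup attempts is usually a driver left behind by one of the tools, and that is a separate problem from the adware FRST was run for.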
  9. Hello, I am infected with the Department of Justice Moneypak ransomware and unable to remove it. I tried using HitmanPro and Kaspersky Rescue Disk. I have another boot drive on the same computer and booted from that drive and ran Malwarebytes and Windows Defender on the infected drive, but still no luck. I can only boot to the Windows Safe Mode command prompt. I am running Windows 7 64-bit. Any help would be welcome. Thanks, John
  10. It seems that the Shockwave Flash object was causing the issue. Once I disabled it, IE is working fine. Thanks for all your help.
  11. I reset IE again and am still having the same problem. When the home page was set to www.msn.com, IE wouldn't even open all the way; the site would begin to show and then hang up, sometimes with the "Discuss" add-on enable/disable bar at the bottom. I was finally able to reset my home page to Google and it opens fine, but any time I try to navigate to ANY other site it hangs up. Also, I noticed that it is now IE 10. Before all these issues began I was running IE 9. I assume during one of the reboots along the way an update ran. John
  12. I am still having issues with IE. When I open IE it hangs trying to go to www.msn.com and I can't navigate to any other URL. I have no problem in Safari, Firefox or Chrome.

========== OTL ==========

========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\johnr\Desktop\cmd.bat deleted successfully.
C:\Users\johnr\Desktop\cmd.txt deleted successfully.

========== COMMANDS ==========

[EMPTYJAVA]
User: All Users
User: Classic .NET AppPool
User: Default
User: Default User
User: DefaultAppPool
User: johnr
->Java cache emptied: 0 bytes
User: jrau
->Java cache emptied: 0 bytes
User: Public
Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]
User: All Users
User: Classic .NET AppPool
User: Default
->Flash cache emptied: 56466 bytes
User: Default User
->Flash cache emptied: 0 bytes
User: DefaultAppPool
->Flash cache emptied: 56466 bytes
User: johnr
->Flash cache emptied: 523 bytes
User: jrau
->Flash cache emptied: 3552 bytes
User: Public
Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 09022013_221140
  13. OTL.txt

OTL logfile created on: 9/1/2013 8:30:34 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\johnr\Desktop
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16660)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

7.88 Gb Total Physical Memory | 5.23 Gb Available Physical Memory | 66.38% Memory free
15.77 Gb Paging File | 12.71 Gb Available in Paging File | 80.60% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 470.90 Gb Total Space | 375.96 Gb Free Space | 79.84% Space Free | Partition Type: NTFS
Drive D: | 292.97 Gb Total Space | 232.75 Gb Free Space | 79.45% Space Free | Partition Type: NTFS
Drive E: | 166.87 Gb Total Space | 73.19 Gb Free Space | 43.86% Space Free | Partition Type: NTFS

Computer Name: JRAU-PC | User Name: johnr | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\johnr\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
PRC - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_user_customer.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_system_customer.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_service.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_comm_customer.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Expert\498\g2ax_user_expert.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Expert\498\g2ax_start.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Expert\498\g2ax_comm_expert.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
PRC - C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe (Cisco Systems, Inc.)
PRC - C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe (Citrix Systems, Inc.)
PRC - C:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
PRC - C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe (Citrix Systems, Inc.)
PRC - C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
PRC - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
PRC - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
PRC - C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe (SEIKO EPSON CORPORATION)
PRC - C:\Program Files (x86)\Belkin\Flip\flip.exe (Belkin Corporation)

========== Modules (No Company Name) ==========

MOD - C:\Program Files (x86)\Mozilla Firefox\mozjs.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\2b87cb064e64ff40778ca12322abb710\IAStorUtil.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\67fa9ea7086262a8c67abad2aa2d8975\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\28ea347a952d20959ac6ae02d7457d39\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5aa44bce7933e4de09d935848f868a4b\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\09db78d6068543df01862a023aca785a\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\8f7d83126a3cf283e5ac97f2d6d99f12\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\1f6f220f9efe936d1158c79b9d4b451f\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\5d22a30e587e2cac106b81fb351e7c08\System.ni.dll ()
MOD - C:\Program Files (x86)\BillP Studios\WinPatrol\sqlite3.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\50ac055662e8876504c8121692aa1bdd\IAStorCommon.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9a6c1b7af18b4d5a91dc7f8d6617522f\mscorlib.ni.dll ()
MOD - c:\Program Files (x86)\Common Files\Roxio Shared\DLLShared\SQLite352.dll ()
MOD - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()

========== Services (SafeList) ==========

SRV:64bit: - (NisSrv) -- c:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV:64bit: - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (WebFarmService) -- C:\Program Files\IIS\Microsoft Web Farm Framework\WebFarmService.exe (Microsoft Corporation)
SRV:64bit: - (MsDepSvc) -- C:\Program Files\IIS\Microsoft Web Deploy\MsDepSvc.exe (Microsoft Corporation)
SRV:64bit: - (SecureStorageService) -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe (Wave Systems Corp.)
SRV:64bit: - (TdmService) -- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe (Wave Systems Corp.)
SRV:64bit: - (wlcrasvc) -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV:64bit: - (Intel® -- C:\Windows\SysNative\IPROSetMonitor.exe (Intel Corporation)
SRV:64bit: - (wltrysvc) -- C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE (Dell Inc.)
SRV:64bit: - (EPSON_EB_RPCV4_04) -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE (SEIKO EPSON CORPORATION)
SRV:64bit: - (EPSON_PM_RPCV4_04) -- C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE (SEIKO EPSON CORPORATION)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (GoToAssist Remote Support Customer) -- C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_service.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (sftvsa) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe (Microsoft Corporation)
SRV - (sftlist) -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe (Microsoft Corporation)
SRV - (vpnagent) -- C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe (Cisco Systems, Inc.)
SRV - (CVPND) -- C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe (Cisco Systems, Inc.)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (jhi_service) -- C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe (Intel Corporation)
SRV - (RoxWatch12) -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe (Sonic Solutions)
SRV - (RoxMediaDB12OEM) -- C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe (Sonic Solutions)
SRV - (WAS) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (W3SVC) -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll (Microsoft Corporation)
SRV - (AppHostSvc) -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll (Microsoft Corporation)
SRV - (IAStorDataMgrSvc) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (tcsd_win32.exe) -- C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe ()
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV:64bit: - (avgtp) -- C:\Windows\SysNative\drivers\avgtpx64.sys (AVG Technologies)
DRV:64bit: - (NisDrv) -- C:\Windows\SysNative\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (GEARAspiWDM) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (Sftvol) -- C:\Windows\SysNative\drivers\Sftvollh.sys (Microsoft Corporation)
DRV:64bit: - (Sftplay) -- C:\Windows\SysNative\drivers\Sftplaylh.sys (Microsoft Corporation)
DRV:64bit: - (Sftredir) -- C:\Windows\SysNative\drivers\Sftredirlh.sys (Microsoft Corporation)
DRV:64bit: - (Sftfs) -- C:\Windows\SysNative\drivers\Sftfslh.sys (Microsoft Corporation)
DRV:64bit: - (vpnva) -- C:\Windows\SysNative\drivers\vpnva64.sys (Cisco Systems, Inc.)
DRV:64bit: - (acsock) -- C:\Windows\SysNative\drivers\acsock64.sys (Cisco Systems, Inc.)
DRV:64bit: - (ctxusbm) -- C:\Windows\SysNative\drivers\ctxusbm.sys (Citrix Systems, Inc.)
DRV:64bit: - (CVPNDRVA) -- C:\Windows\SysNative\drivers\CVPNDRVA.sys ()
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (netvsc) -- C:\Windows\SysNative\drivers\netvsc60.sys (Microsoft Corporation)
DRV:64bit: - (dmvsc) -- C:\Windows\SysNative\drivers\dmvsc.sys (Microsoft Corporation)
DRV:64bit: - (SynthVid) -- C:\Windows\SysNative\drivers\VMBusVideoM.sys (Microsoft Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (nusb3xhc) -- C:\Windows\SysNative\drivers\nusb3xhc.sys (Renesas Electronics Corporation)
DRV:64bit: - (nusb3hub) -- C:\Windows\SysNative\drivers\nusb3hub.sys (Renesas Electronics Corporation)
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (e1cexpress) -- C:\Windows\SysNative\drivers\e1c62x64.sys (Intel Corporation)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (IntcDAud) -- C:\Windows\SysNative\drivers\IntcDAud.sys (Intel® Corporation)
DRV:64bit: - (IntcAzAudAddService) -- C:\Windows\SysNative\drivers\RTDVHD64.sys (Realtek Semiconductor Corp.)
DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\drivers\PxHlpa64.sys (Sonic Solutions)
DRV:64bit: - (CVirtA) -- C:\Windows\SysNative\drivers\CVirtA64.sys (Cisco Systems, Inc.)
DRV:64bit: - (BCM42RLY) -- C:\Windows\SysNative\drivers\bcm42rly.sys (Broadcom Corporation)
DRV:64bit: - (BCM43XX) -- C:\Windows\SysNative\drivers\BCMWL664.SYS (Broadcom Corporation)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (DNE) -- C:\Windows\SysNative\drivers\dne64x.sys (Deterministic Networks, Inc.)
DRV:64bit: - (PBADRV) -- C:\Windows\SysNative\drivers\PBADRV.SYS (Dell Inc)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 06 63 20 75 20 A7 CE 01 [binary data]
IE - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Google"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0.1
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3309350&SearchSource=2&CUI=UN26030166448337290&UM=2&q="

FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\lesstabs@lesstabs.com: C:\Program Files (x86)\Mozilla Firefox\extensions\lesstabs@lesstabs.com
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{a131ab52-77f3-4bd7-acc7-e2dfdfd298f0}: C:\Users\johnr\AppData\Roaming\Mozilla\FireFox\{a131ab52-77f3-4bd7-acc7-e2dfdfd298f0}.xpi
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2013/08/20 16:02:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2013/08/20 16:02:16 | 000,000,000 | ---D | M]

[2012/12/09 15:45:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\johnr\AppData\Roaming\Mozilla\Extensions
[2013/08/31 21:35:12 | 000,000,000 | ---D | M] (No name found) -- C:\Users\johnr\AppData\Roaming\Mozilla\Firefox\Profiles\ij2ykqmj.default\extensions
[2013/03/12 11:39:34 | 000,002,308 | ---- | M] () -- C:\Users\johnr\AppData\Roaming\Mozilla\Firefox\Profiles\ij2ykqmj.default\searchplugins\askcom.xml
[2013/08/20 16:02:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2013/08/20 16:02:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2013/08/20 16:02:19 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2011/08/11 12:18:12 | 000,128,960 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\CCMSDK.dll
[2011/08/10 23:16:34 | 000,096,192 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\CgpCore.dll
[2011/08/11 12:18:30 | 000,092,096 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\confmgr.dll
[2011/08/11 12:18:08 | 000,022,976 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\ctxlogging.dll
[2011/08/11 12:19:38 | 000,436,136 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npicaN.dll
[2011/08/10 23:16:34 | 000,024,512 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\TcpPServ.dll
[2012/12/12 21:16:55 | 000,000,000 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml

========== Chrome ==========

CHR - default_search_provider: Ask (Enabled)
CHR - default_search_provider: search_url = http://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=&locale=&apn_uid=AD3AE346-80DF-47BF-A4E7-D685E53125E0&apn_ptnrs=TV&apn_sauid=5590EECE-D8D7-4D52-8BF0-86C05FBC45A7&apn_dtid=OSJ000YYUS&q={searchTerms}
CHR - default_search_provider: suggest_url = http://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - plugin: Silverlight (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - Extension: Google Drive = C:\Users\johnr\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: BrowserPlus2 = C:\Users\johnr\AppData\Local\Google\Chrome\User Data\Default\Extensions\iigplimlmgilpobjilfbfeilnpiigpgl\10.16.100.504_0\

O1 HOSTS File: ([2013/08/26 12:30:12 | 000,000,021 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4:64bit: - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE (Dell Inc.)
O4:64bit: - HKLM..\Run: [CANON DR2010C SVC] C:\Windows\SysNative\DR201SVC.dll (Canon Electronics)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [igfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [Desktop Disc Tool] C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe ()
O4 - HKLM..\Run: [EEventManager] C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [FUFAXSTM] C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [IMSS] C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe (Intel Corporation)
O4 - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019..\Run: [GoToAssist Express Expert] C:\Program Files (x86)\Citrix\GoToAssist Express Expert\383\g2ax_start.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019..\Run: [GoToAssist Remote Support Expert] C:\Program Files (x86)\Citrix\GoToAssist Remote Support Expert\498\g2ax_start.exe (Citrix Online, a division of Citrix Systems, Inc.) O4 - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019..\Run: [WinPatrol] C:\Program Files (x86)\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios) O4 - Startup: C:\Users\johnr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Flip.lnk = C:\Program Files (x86)\Belkin\Flip\flip.exe (Belkin Corporation) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Activities present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) 
O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.) O15 - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\..Trusted Domains: ed.gov ([fafsa] https in Trusted sites) O15 - HKU\S-1-5-21-3440588634-1009513163-3344267490-1019\..Trusted Domains: nyu.edu ([ssswforms.ssw] https in Trusted sites) O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16:64bit: - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26) O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab (Microsoft Office Template and Media Control) O16 - DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} http://localhost:49797/SSSW_WebForms/Reserved.ReportViewerWebControl.axd?Culture=1033&CultureOverrides=True&UICulture=1033&UICultureOverrides=True&ReportStack=1&ControlID=edf0c81716f24848b156ad5cc73d3f84&Mode=true&OpType=PrintCab&Arch=X86 (RSClientPrint 2008 Class) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.) 
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab (Java Plug-in 10.25.2) O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://mywayphotos.riteaid.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab (Photo Upload Plugin Class) O16 - DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab (Java Plug-in 1.7.0_25) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab (Java Plug-in 10.25.2) O16 - DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} https://68.70.80.30/CACHE/stc/1/binaries/vpnweb.cab (Cisco AnyConnect Secure Mobility Client Web Control) O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T28L10NSP7-15458/webex/ieatgpc1.cab (GpcContainer Class) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) 
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=1007 (Performance Viewer Activex Control) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{083D706F-0552-4B1B-88C7-C242F3464370}: NameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2B96CE1C-8FB4-4067-9B42-726F48707A4E}: DhcpNameServer = 192.168.1.1 O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll File not found O18:64bit: - Protocol\Handler\livecall - No CLSID value found O18:64bit: - Protocol\Handler\ms-help - No CLSID value found O18:64bit: - Protocol\Handler\msnim - No CLSID value found O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found O18:64bit: - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll File not found O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found O18:64bit: - Protocol\Handler\wlpg - No CLSID value found O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll File not found O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll File not found O18:64bit: - Protocol\Filter\application/x-ica - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica; charset=euc-jp - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica; charset=ISO-8859-1 - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica; charset=MS936 - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica; charset=MS949 - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica; charset=MS950 - No CLSID value found O18:64bit: - 
Protocol\Filter\application/x-ica; charset=UTF8 - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica; charset=UTF-8 - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica;charset=euc-jp - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica;charset=ISO-8859-1 - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica;charset=MS936 - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica;charset=MS949 - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica;charset=MS950 - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF8 - No CLSID value found O18:64bit: - Protocol\Filter\application/x-ica;charset=UTF-8 - No CLSID value found O18:64bit: - Protocol\Filter\ica - No CLSID value found O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) 
O18 - Protocol\Filter\application/x-ica; charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica; charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=euc-jp {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=ISO-8859-1 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=MS936 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=MS949 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=MS950 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=UTF8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\application/x-ica;charset=UTF-8 {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.) 
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation) O20:64bit: - Winlogon\Notify\GoToAssist Express Customer: DllName - (C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_winlogonx64.dll) - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_winlogonx64.dll (Citrix Online, a division of Citrix Systems, Inc.) O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation) O20:64bit: - Winlogon\Notify\spba: DllName - (C:\Program Files\Common Files\SPBA\homefus2.dll) - C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.) 
O32 - HKLM CDRom: AutoRun - 1 O34 - HKLM BootExecute: (autocheck autochk *) O35:64bit: - HKLM\..comfile [open] -- "%1" %* O35:64bit: - HKLM\..exefile [open] -- "%1" %* O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %* O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) O38 - SubSystems\\Windows: (ServerDll=sxssrv,4) ========== Files/Folders - Created Within 30 Days ========== [2013/09/01 20:29:17 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\johnr\Desktop\OTL.exe [2013/08/31 22:05:46 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Roaming\WinPatrol [2013/08/31 22:05:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol [2013/08/31 22:05:42 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate [2013/08/31 22:05:42 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\BillP Studios [2013/08/31 21:44:58 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Security Client [2013/08/31 21:44:56 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client [2013/08/31 21:25:51 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN [2013/08/31 12:20:40 | 000,000,000 | ---D | C] -- C:\Users\johnr\Desktop\backups [2013/08/31 11:29:49 | 000,388,608 | ---- | C] (Trend Micro Inc.) 
-- C:\Users\johnr\Desktop\HijackThis.exe [2013/08/31 10:58:34 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner [2013/08/31 10:58:34 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2013/08/31 10:56:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit Reader [2013/08/31 10:56:44 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Roaming\Foxit Software [2013/08/31 10:56:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Foxit Software [2013/08/31 10:40:41 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller [2013/08/31 10:40:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VS Revo Group [2013/08/31 07:29:57 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD 9.5 [2013/08/22 21:05:20 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Local\Avg2013 [2013/08/22 10:04:51 | 000,000,000 | ---D | C] -- C:\DELLTOOLS [2013/08/22 09:03:16 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Local\{FD9F2615-6C07-496B-ADD4-95DC8F763865} [2013/08/20 16:02:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Firefox [2013/08/20 14:54:03 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Roaming\AVG [2013/08/20 14:53:24 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG [2013/08/20 14:53:17 | 000,000,000 | -HSD | C] -- C:\ProgramData\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F} [2013/08/15 03:06:36 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll [2013/08/15 03:06:36 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll [2013/08/15 03:06:35 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll [2013/08/15 03:06:35 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll [2013/08/15 03:06:35 | 000,089,600 | ---- | C] (Microsoft Corporation) -- 
C:\Windows\SysNative\RegisterIEPKEYs.exe [2013/08/15 03:06:35 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe [2013/08/15 03:06:35 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll [2013/08/15 03:06:35 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll [2013/08/15 03:06:35 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe [2013/08/15 03:06:35 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll [2013/08/15 03:06:35 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll [2013/08/15 03:06:34 | 003,958,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll [2013/08/15 03:06:34 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll [2013/08/15 03:06:34 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll [2013/08/15 03:06:34 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll [2013/08/14 21:07:22 | 001,472,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\crypt32.dll [2013/08/14 21:07:20 | 000,224,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wintrust.dll [2013/08/14 21:07:17 | 000,139,776 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cryptnet.dll [2013/08/14 21:07:04 | 001,888,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WMVDECOD.DLL [2013/08/14 21:07:04 | 001,620,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\WMVDECOD.DLL [2013/08/14 21:07:03 | 001,217,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rpcrt4.dll [2013/08/14 21:06:54 | 003,968,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe [2013/08/14 21:06:54 | 003,913,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe [2013/08/14 21:06:53 | 
005,550,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe [2013/08/14 21:06:51 | 001,732,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntdll.dll [2013/08/14 21:06:51 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll [2013/08/14 21:06:51 | 000,243,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64.dll [2013/08/14 21:06:50 | 001,161,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\kernel32.dll [2013/08/14 21:06:50 | 000,362,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64win.dll [2013/08/14 21:06:50 | 000,338,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\conhost.exe [2013/08/14 21:06:50 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntvdm64.dll [2013/08/14 21:06:50 | 000,013,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wow64cpu.dll [2013/08/14 21:06:50 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll [2013/08/14 21:06:50 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-file-l1-1-0.dll [2013/08/14 21:06:50 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll [2013/08/14 21:06:50 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processthreads-l1-1-0.dll [2013/08/14 21:06:50 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-sysinfo-l1-1-0.dll [2013/08/14 21:06:50 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-synch-l1-1-0.dll [2013/08/14 21:06:50 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-misc-l1-1-0.dll [2013/08/14 21:06:50 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localregistry-l1-1-0.dll [2013/08/14 
21:06:50 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-processenvironment-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-namedpipe-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-memory-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-libraryloader-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-interlocked-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-heap-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-string-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-rtlsupport-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-io-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-handle-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-fibers-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-errorhandling-l1-1-0.dll [2013/08/14 21:06:50 | 000,003,072 | -H-- | C] 
(Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-console-l1-1-0.dll [2013/08/14 21:06:49 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\setup16.exe [2013/08/14 21:06:49 | 000,016,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntvdm64.dll [2013/08/14 21:06:49 | 000,007,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\instnm.exe [2013/08/14 21:06:49 | 000,006,144 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-security-base-l1-1-0.dll [2013/08/14 21:06:49 | 000,005,120 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-file-l1-1-0.dll [2013/08/14 21:06:49 | 000,005,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wow32.dll [2013/08/14 21:06:49 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-threadpool-l1-1-0.dll [2013/08/14 21:06:49 | 000,004,608 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processthreads-l1-1-0.dll [2013/08/14 21:06:49 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-sysinfo-l1-1-0.dll [2013/08/14 21:06:49 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-synch-l1-1-0.dll [2013/08/14 21:06:49 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localregistry-l1-1-0.dll [2013/08/14 21:06:49 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-localization-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-rtlsupport-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-processenvironment-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-namedpipe-l1-1-0.dll [2013/08/14 21:06:49 | 
000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-misc-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-memory-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-libraryloader-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-heap-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-xstate-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-util-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-string-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-profile-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-profile-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-io-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-interlocked-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-handle-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-fibers-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-errorhandling-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-delayload-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- 
C:\Windows\SysNative\api-ms-win-core-delayload-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-debug-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-debug-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-core-datetime-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-datetime-l1-1-0.dll [2013/08/14 21:06:49 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-core-console-l1-1-0.dll [2013/08/14 21:06:49 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\user.exe [2013/08/11 16:37:29 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Roaming\Kernel for Windows Data Recovery [2013/08/08 21:27:22 | 000,000,000 | ---D | C] -- C:\SaveEdit [2013/08/08 17:40:15 | 000,000,000 | ---D | C] -- C:\Users\johnr\Desktop\saved games [2013/08/08 16:19:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Windows Kits [2013/08/08 16:15:05 | 000,000,000 | ---D | C] -- C:\Program Files\IIS Express [2013/08/08 16:15:05 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IIS Express [2013/08/08 16:12:36 | 000,000,000 | ---D | C] -- C:\Users\johnr\Documents\Visual Studio 2012 [2013/08/08 16:10:46 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Help Viewer [2013/08/08 16:09:23 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server Compact Edition [2013/08/08 15:44:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Visual Studio 11.0 [2013/08/08 15:44:06 | 000,000,000 | ---D | C] -- C:\Windows\symbols [2013/08/08 15:41:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Package Cache [2013/08/08 14:45:59 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Roaming\Open Download Manager [2013/08/08 14:45:46 | 000,000,000 
| ---D | C] -- C:\Program Files (x86)\GorillaPrice [2013/08/08 14:45:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\OpenDownloaderManager [2013/08/08 14:29:59 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Local\Conduit [2013/08/08 14:29:53 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Local\CRE [2013/08/08 14:29:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit [2013/08/08 14:27:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip [2013/08/08 14:27:10 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\7-Zip [2013/08/08 14:27:04 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Local\DefineExt [2013/08/08 13:11:59 | 000,000,000 | ---D | C] -- C:\Users\johnr\AppData\Local\Daring_Development_Inc [2013/08/08 13:06:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MyPC Backup [2013/08/06 03:00:29 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\MRT [2013/03/24 16:14:56 | 001,393,736 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Users\johnr\gotomypc_635.exe [2011/07/14 11:33:19 | 001,062,984 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Users\johnr\gotomypc_540.exe [2011/06/24 08:33:40 | 001,063,320 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) 
-- C:\Users\johnr\gotomypc_533.exe ========== Files - Modified Within 30 Days ========== [2013/09/01 20:29:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\johnr\Desktop\OTL.exe [2013/09/01 19:47:01 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2013/09/01 10:42:38 | 001,081,358 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI [2013/09/01 10:42:38 | 000,877,510 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat [2013/09/01 10:42:38 | 000,197,492 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat [2013/09/01 10:34:08 | 000,021,312 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [2013/09/01 10:34:08 | 000,021,312 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [2013/09/01 10:25:07 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2013/09/01 10:24:13 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2013/09/01 10:24:01 | 2053,844,991 | -HS- | M] () -- C:\hiberfil.sys [2013/08/31 21:45:08 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif [2013/08/31 11:29:16 | 000,388,608 | ---- | M] (Trend Micro Inc.) 
-- C:\Users\johnr\Desktop\HijackThis.exe [2013/08/31 10:58:34 | 000,000,857 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk [2013/08/31 10:56:48 | 000,002,113 | ---- | M] () -- C:\Users\johnr\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk [2013/08/31 10:56:48 | 000,002,089 | ---- | M] () -- C:\Users\Public\Desktop\Foxit Reader.lnk [2013/08/31 10:40:41 | 000,001,303 | ---- | M] () -- C:\Users\johnr\Desktop\Revo Uninstaller.lnk [2013/08/31 07:22:48 | 003,771,904 | ---- | M] () -- C:\Users\johnr\Desktop\RogueKillerX64.exe [2013/08/30 22:48:39 | 000,002,218 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk [2013/08/27 07:07:24 | 000,165,376 | ---- | M] () -- C:\Users\johnr\Desktop\SystemLook_x64.exe [2013/08/26 12:30:12 | 000,000,021 | RHS- | M] () -- C:\Windows\SysNative\drivers\etc\hosts [2013/08/20 14:14:35 | 000,007,599 | ---- | M] () -- C:\Users\johnr\AppData\Local\Resmon.ResmonCfg [2013/08/15 08:06:47 | 000,002,348 | -H-- | M] () -- C:\Users\johnr\Documents\Default.rdp [2013/08/14 18:19:49 | 000,045,856 | ---- | M] (AVG Technologies) -- C:\Windows\SysNative\drivers\avgtpx64.sys [2013/08/08 21:21:00 | 001,073,480 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI [2013/08/08 20:39:59 | 000,008,192 | -H-- | M] () -- C:\Users\johnr\Desktop\Gibbed.Borderlands2.SaveEdit.suo [2013/08/08 17:11:14 | 000,001,046 | ---- | M] () -- C:\Users\johnr\Desktop\Gibbed.Borderlands2.SaveEdit.sln [2013/08/08 15:53:52 | 511,141,888 | ---- | M] () -- C:\Users\johnr\Desktop\vs2012_webexp_enu.iso [2013/08/08 14:30:03 | 000,000,009 | ---- | M] () -- C:\END [2013/08/08 14:17:06 | 000,471,424 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT ========== Files Created - No Company Name ========== [2013/08/31 21:45:08 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif [2013/08/31 21:45:01 | 000,002,152 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk [2013/08/31 10:58:34 | 
000,000,857 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk [2013/08/31 10:56:48 | 000,002,113 | ---- | C] () -- C:\Users\johnr\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk [2013/08/31 10:56:48 | 000,002,089 | ---- | C] () -- C:\Users\Public\Desktop\Foxit Reader.lnk [2013/08/31 10:56:47 | 000,216,064 | ---- | C] () -- C:\Windows\SysWow64\gcapi_dll.dll [2013/08/31 10:40:41 | 000,001,303 | ---- | C] () -- C:\Users\johnr\Desktop\Revo Uninstaller.lnk [2013/08/31 07:34:36 | 003,771,904 | ---- | C] () -- C:\Users\johnr\Desktop\RogueKillerX64.exe [2013/08/27 07:11:36 | 000,165,376 | ---- | C] () -- C:\Users\johnr\Desktop\SystemLook_x64.exe [2013/08/11 14:34:28 | 000,007,599 | ---- | C] () -- C:\Users\johnr\AppData\Local\Resmon.ResmonCfg [2013/08/08 21:52:28 | 000,343,552 | ---- | C] () -- C:\Users\johnr\Desktop\Gibbed.Borderlands2.SaveEdit (2).exe [2013/08/08 17:11:14 | 000,008,192 | -H-- | C] () -- C:\Users\johnr\Desktop\Gibbed.Borderlands2.SaveEdit.suo [2013/08/08 17:11:14 | 000,001,046 | ---- | C] () -- C:\Users\johnr\Desktop\Gibbed.Borderlands2.SaveEdit.sln [2013/08/08 15:49:44 | 511,141,888 | ---- | C] () -- C:\Users\johnr\Desktop\vs2012_webexp_enu.iso [2013/08/08 14:29:34 | 000,000,009 | ---- | C] () -- C:\END [2013/06/04 17:21:01 | 000,213,544 | -H-- | C] () -- C:\Windows\SysWow64\mlfcache.dat [2013/01/23 08:12:06 | 000,009,584 | ---- | C] () -- C:\Windows\SysWow64\ractrlkeyhook.dll [2012/08/26 19:45:54 | 000,357,073 | ---- | C] () -- C:\Users\johnr\order_history.pdf [2012/07/29 20:18:36 | 000,001,919 | ---- | C] () -- C:\Users\johnr\PossibleDups2.pdf [2012/07/29 20:15:03 | 000,003,106 | ---- | C] () -- C:\Users\johnr\PossibleDups1.pdf [2012/07/15 07:25:09 | 000,027,520 | ---- | C] () -- C:\Users\johnr\AppData\Local\dt.dat [2012/05/17 21:16:39 | 000,000,936 | ---- | C] () -- C:\Users\johnr\export.sql [2012/05/01 21:23:03 | 000,050,979 | ---- | C] () -- C:\Users\johnr\Watch Hill Vacation Rental - VRBO 234335 - 2 BR RI Cottage, 
Private Watch Hill Cottage 5 Min_ Walk to Beach.htm [2012/02/23 12:06:43 | 000,000,160 | ---- | C] () -- C:\Windows\setscan.ini [2011/12/16 17:28:27 | 048,363,251 | ---- | C] () -- C:\Users\johnr\export.tsv [2011/11/06 20:10:48 | 000,000,000 | ---- | C] () -- C:\Windows\EEventManager.INI [2011/11/06 14:15:04 | 000,000,288 | ---- | C] () -- C:\Users\johnr\.JavaPowUpload.properties [2011/11/04 12:44:54 | 000,073,220 | ---- | C] () -- C:\Windows\SysWow64\EPPICPrinterDB.dat [2011/11/04 12:44:54 | 000,031,053 | ---- | C] () -- C:\Windows\SysWow64\EPPICPattern131.dat [2011/11/04 12:44:54 | 000,029,114 | ---- | C] () -- C:\Windows\SysWow64\EPPICPattern1.dat [2011/11/04 12:44:54 | 000,027,417 | ---- | C] () -- C:\Windows\SysWow64\EPPICPattern121.dat [2011/11/04 12:44:54 | 000,021,021 | ---- | C] () -- C:\Windows\SysWow64\EPPICPattern3.dat [2011/11/04 12:44:54 | 000,015,670 | ---- | C] () -- C:\Windows\SysWow64\EPPICPattern5.dat [2011/11/04 12:44:54 | 000,013,280 | ---- | C] () -- C:\Windows\SysWow64\EPPICPattern2.dat [2011/11/04 12:44:54 | 000,010,673 | ---- | C] () -- C:\Windows\SysWow64\EPPICPattern4.dat [2011/11/04 12:44:54 | 000,004,943 | ---- | C] () -- C:\Windows\SysWow64\EPPICPattern6.dat [2011/11/04 12:44:54 | 000,001,140 | ---- | C] () -- C:\Windows\SysWow64\EPPICPresetData_PT.dat [2011/11/04 12:44:54 | 000,001,140 | ---- | C] () -- C:\Windows\SysWow64\EPPICPresetData_BP.dat [2011/11/04 12:44:54 | 000,001,137 | ---- | C] () -- C:\Windows\SysWow64\EPPICPresetData_ES.dat [2011/11/04 12:44:54 | 000,001,130 | ---- | C] () -- C:\Windows\SysWow64\EPPICPresetData_FR.dat [2011/11/04 12:44:54 | 000,001,130 | ---- | C] () -- C:\Windows\SysWow64\EPPICPresetData_CF.dat [2011/11/04 12:44:54 | 000,001,104 | ---- | C] () -- C:\Windows\SysWow64\EPPICPresetData_EN.dat [2011/11/04 12:44:54 | 000,000,097 | ---- | C] () -- C:\Windows\SysWow64\PICSDK.ini [2011/11/04 12:42:59 | 000,000,079 | ---- | C] () -- C:\Windows\EWF630.ini [2011/10/28 13:52:16 | 000,000,395 | ---- | C] () -- 
C:\Users\johnr\Untitled.sql [2011/07/30 14:09:37 | 010,407,696 | ---- | C] () -- C:\Users\johnr\Eligibility_1118.csv [2011/07/24 22:51:12 | 016,973,683 | ---- | C] () -- C:\Users\johnr\MEDHIST.csv ========== ZeroAccess Check ========== [2009/07/14 00:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64 "" = C:\Windows\SysNative\shell32.dll -- [2013/02/27 01:52:56 | 014,172,672 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] "" = %SystemRoot%\system32\shell32.dll -- [2013/02/27 00:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Apartment [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 21:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 23:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Free [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64 "" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 21:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation) "ThreadingModel" = Both 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] < End of report >
  14. I tried these steps. Now when I go into IE it asks me to enable or disable the "Discuss" add-on. I click disable and IE hangs up. I try just closing the window and IE hangs up. I'm afraid to click Enable.
  15. I also tried typing www.malwarebytes.org and www.malwareremoval.com into IE and it hung up, but not a problem in Firefox. Weird?
  16. Gringo, I followed the last steps and also installed MSE and WinPatrol. Everything looked good except: when in IE I tried clicking several times on the 2 more information links and the browser hung up. When I tried the same thing in Firefox I went to the correct sites without a problem. I then tried in IE on another workstation and did not have a problem. Any reason I would not be able to access these sites?
      PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
      COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal
  17. ESET Scan results:
      C:\Users\johnr\AppData\Local\Babylon\Setup\Setup.exe a variant of Win32/Toolbar.Babylon.H application
      C:\Users\johnr\Downloads\7zip-setup.exe Win32/DownloadAdmin.G application
      C:\Users\johnr\Downloads\cnet2_ldapbrowser-4_5_10625_0-x86-eng_msi.exe a variant of Win32/InstallCore.D application
      C:\Users\johnr\Downloads\installer_adobe_flash_player_English.exe Win32/Toolbar.Babylon application
      C:\Users\johnr\Downloads\winzip160.exe Win32/OpenCandy application
      E:\SynCoDb\C_Drive\lj133\disk2\ServUDaemon.exe Win32/ServU-Daemon application
      E:\SynCoDb\G_Drive\SQLData\serv-u32.exe probably a variant of Win32/ServU-Daemon application
  18. Below are the requested logs. I did not run into any issues when running these steps. The computer seems OK now. Thanks. MBAM log: Malwarebytes Anti-Malware (PRO) 1.75.0.1300 www.malwarebytes.org Database version: v2013.08.31.03 Windows 7 Service Pack 1 x64 NTFS Internet Explorer 10.0.9200.16660 johnr :: JRAU-PC [administrator] Protection: Disabled 8/31/2013 11:16:17 AM mbam-log-2013-08-31 (11-16-17).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 303809 Time elapsed: 4 minute(s), 31 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) Hijack Log Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 11:31:39 AM, on 8/31/2013 Platform: Windows 7 SP1 (WinNT 6.00.3505) MSIE: Internet Explorer v10.0 (10.00.9200.16660) Boot mode: Normal Running processes: C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_user_customer.exe C:\Program Files (x86)\Citrix\GoToAssist Remote Support Expert\498\g2ax_start.exe C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe C:\Program Files (x86)\Belkin\Flip\flip.exe C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE C:\Program Files (x86)\Canon Electronics\DR2010C\TouchDR.exe C:\Program Files (x86)\Citrix\ICA Client\concentr.exe C:\Program 
Files (x86)\Citrix\GoToAssist Remote Support Expert\498\g2ax_comm_expert.exe C:\Program Files (x86)\iTunes\iTunesHelper.exe C:\Program Files (x86)\Citrix\GoToAssist Remote Support Expert\498\g2ax_user_expert.exe C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\johnr\Desktop\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll (file missing) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (file missing) O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: URLRedirectionBHO - 
{B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe O4 - HKLM\..\Run: [iMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe" O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" O4 - HKLM\..\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" O4 - HKLM\..\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" O4 - HKLM\..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [DR-2010C CaptureOnTouch] "C:\Program Files (x86)\Canon Electronics\DR2010C\TouchDR.exe" LOGON O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [GoToAssist Express Expert] "C:\Program Files (x86)\Citrix\GoToAssist Express Expert\383\g2ax_start.exe" 
"/Trigger RunAtLogon" O4 - HKCU\..\Run: [GoToAssist Remote Support Expert] "C:\Program Files (x86)\Citrix\GoToAssist Remote Support Expert\498\g2ax_start.exe" "/Trigger RunAtLogon" O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe -update activex O4 - Startup: Flip.lnk = C:\Program Files (x86)\Belkin\Flip\flip.exe O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics O16 - DPF: 
{5554DCB0-700B-498D-9B58-4E40E5814405} (RSClientPrint 2008 Class) - http://localhost:49797/SSSW_WebForms/Reserved.ReportViewerWebControl.axd?Culture=1033&CultureOverrides=True&UICulture=1033&UICultureOverrides=True&ReportStack=1&ControlID=edf0c81716f24848b156ad5cc73d3f84&Mode=true&OpType=PrintCab&Arch=X86 O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://mywayphotos.riteaid.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab O16 - DPF: {CC679CB8-DC4B-458B-B817-D447B3B6AC31} (Cisco AnyConnect Secure Mobility Client Web Control) - https://68.70.80.30/CACHE/stc/1/binaries/vpnweb.cab O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://akamaicdn.webex.com/client/WBXclient-T28L10NSP7-15458/webex/ieatgpc1.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com//activex/ractrl.cab?lmi=1007 O17 - HKLM\System\CCS\Services\Tcpip\..\{083D706F-0552-4B1B-88C7-C242F3464370}: NameServer = 192.168.1.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{083D706F-0552-4B1B-88C7-C242F3464370}: NameServer = 192.168.1.1 O17 - HKLM\System\CS2\Services\Tcpip\..\{083D706F-0552-4B1B-88C7-C242F3464370}: NameServer = 192.168.1.1 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll (file missing) O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll (file missing) O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll O18 - Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica; charset=euc-jp - 
{CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files 
(x86)\Citrix\ICA Client\IcaMimeFilter.dll O18 - Filter hijack: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing) O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing) O23 - Service: EPSON V5 Service4(04) (EPSON_EB_RPCV4_04) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE O23 - Service: EPSON V3 Service4(04) (EPSON_PM_RPCV4_04) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing) O23 - Service: GoToAssist Remote Support Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_service.exe O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToMyPC\g2svc.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. 
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe O23 - Service: Intel® PROSet Monitoring Service - Unknown owner - C:\Windows\system32\IProsetMonitor.exe (file missing) O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel® Identity Protection Technology Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing) O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe O23 - Service: Roxio Hard Drive Watcher 12 
(RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing) O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing) O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe O23 - Service: NTRU TSS v1.2.1.34 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files (x86)\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe O23 - Service: TdmService - Wave Systems Corp. 
- C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing) O23 - Service: Intel® Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing) O23 - Service: Cisco AnyConnect Secure Mobility Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing) O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing) O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing) O23 - Service: DW WLAN Tray Service (wltrysvc) - Dell Inc. - C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing) O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing) -- End of file - 17937 bytes
  19. As requested. I have not been using the computer on a regular basis but so far it is behaving fine. Task manager is showing about 23% Physical memory use and 1-3% processor when no apps are running.
      07:32:07.0288 6692 ============================================================ 07:32:07.0288 6692 Scan finished 07:32:07.0288 6692 ============================================================ 07:32:07.0293 6684 Detected object count: 3 07:32:07.0293 6684 Actual detected object count: 3 07:32:53.0359 6684 SecureStorageService ( UnsignedFile.Multi.Generic ) - skipped by user 07:32:53.0360 6684 SecureStorageService ( UnsignedFile.Multi.Generic ) - User select action: Skip 07:32:53.0361 6684 tcsd_win32.exe ( UnsignedFile.Multi.Generic ) - skipped by user 07:32:53.0361 6684 tcsd_win32.exe ( UnsignedFile.Multi.Generic ) - User select action: Skip 07:32:53.0362 6684 wltrysvc ( UnsignedFile.Multi.Generic ) - skipped by user 07:32:53.0362 6684 wltrysvc ( UnsignedFile.Multi.Generic ) - User select action: Skip 07:34:19.0713 2924 Deinitialize success
      RogueKiller: RogueKiller V8.6.7 _x64_ [Aug 28 2013] by Tigzy mail : tigzyRK<at>gmail<dot>com Feedback : http://www.adlice.com/forum/ Website : http://www.adlice.com/softwares/roguekiller/ Blog : http://tigzyrk.blogspot.com/ Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version Started in : Normal mode User : johnr [Admin rights] Mode : Remove -- Date : 08/31/2013 07:37:30 | ARK || FAK || MBR | ¤¤¤ Bad processes : 0 ¤¤¤ ¤¤¤ Registry Entries : 9 ¤¤¤ [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED [HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2) [HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1) [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified. 
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2) [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> REPLACED (1) [HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1) [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0) [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0) ¤¤¤ Scheduled tasks : 2 ¤¤¤ [V2][ROGUE ST] 4726 : wscript.exe - C:\Users\johnr\AppData\Local\Temp\launchie.vbs //B -> DELETED [V2][sUSP PATH] {9F6E4CCC-4344-4635-AA80-670E2371427B} : C:\Users\johnr\Desktop\Gibbed.Borderlands2.SaveEdit.exe [x] -> DELETED ¤¤¤ Startup Entries : 0 ¤¤¤ ¤¤¤ Web browsers : 0 ¤¤¤ ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤ ¤¤¤ External Hives: ¤¤¤ ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ --> %SystemRoot%\System32\drivers\etc\hosts 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: ST31000524AS +++++ --- User --- [MBR] 72c7376692e03f0e672356ecc5c73492 [bSP] cd7bd33cdd7722782ff166c71db0b1fa : Windows Vista MBR Code Partition table: 0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo 1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 752 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1622016 | Size: 482200 Mo 3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 989167616 | Size: 470876 Mo User = LL1 ... OK! User = LL2 ... OK! Finished : << RKreport[0]_D_08312013_073730.txt >> RKreport[0]_S_08202013_155901.txt;RKreport[0]_S_08232013_110613.txt;RKreport[0]_S_08312013_073710.txt
  20. Below are the ComboFix results. After ComboFix ran and rebooted, I can finally connect to the Internet in Safe mode and Regular mode. Before, I could not connect at all. Thanks! This is all great, but I still don't know if the issue that started all this, the slowing/freezing of the computer, is still there. John
      ComboFix 13-08-27.02 - johnr 08/29/2013 23:55:20.10.4 - x64 NETWORK Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8073.6419 [GMT -4:00] Running from: c:\users\johnr\Desktop\ComboFix.exe Command switches used :: c:\users\johnr\Desktop\CFScript.txt SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} * Created a new restore point . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . . --------------- FCopy --------------- . c:\windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys --> c:\windows\System32\drivers\AFD.SYS . ((((((((((((((((((((((((( Files Created from 2013-07-28 to 2013-08-30 ))))))))))))))))))))))))))))))) . . 2013-08-30 04:02 . 2013-08-30 04:02 -------- d-----w- c:\users\Public\AppData\Local\temp 2013-08-30 04:02 . 2013-08-30 04:02 -------- d-----w- c:\users\jrau\AppData\Local\temp 2013-08-30 04:02 . 2013-08-30 04:02 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp 2013-08-30 04:02 . 2013-08-30 04:02 -------- d-----w- c:\users\Default\AppData\Local\temp 2013-08-30 04:02 . 2013-08-30 04:02 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp 2013-08-23 01:05 . 2013-08-23 01:05 -------- d-----w- c:\users\johnr\AppData\Local\Avg2013 2013-08-22 14:04 . 2013-08-27 03:42 -------- d-----w- C:\DELLTOOLS 2013-08-20 18:54 . 2013-08-20 18:54 -------- d-----w- c:\users\johnr\AppData\Roaming\AVG 2013-08-20 18:53 . 2013-08-20 18:55 -------- d-----w- c:\programdata\AVG 2013-08-20 18:53 . 
2013-08-20 18:53 -------- d-sh--w- c:\programdata\{D1D4879F-2279-49C9-AEBF-3B95C84EAA8F} 2013-08-15 01:07 . 2013-07-09 05:46 1472512 ----a-w- c:\windows\system32\crypt32.dll 2013-08-15 01:06 . 2013-07-09 05:03 3968960 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe 2013-08-11 20:37 . 2013-08-11 20:37 -------- d-----w- c:\users\johnr\AppData\Roaming\Kernel for Windows Data Recovery 2013-08-09 01:27 . 2013-08-09 01:27 -------- d-----w- C:\SaveEdit 2013-08-08 20:19 . 2013-08-08 20:19 -------- d-----w- c:\program files (x86)\Windows Kits 2013-08-08 20:15 . 2013-08-08 20:15 -------- d-----w- c:\program files\IIS Express 2013-08-08 20:15 . 2013-08-08 20:15 -------- d-----w- c:\program files (x86)\IIS Express 2013-08-08 20:12 . 2013-08-09 07:03 1131520 ----a-w- c:\programdata\Microsoft\VWDExpress\11.0\1033\ResourceCache.dll 2013-08-08 20:10 . 2013-08-08 20:10 -------- d-----w- c:\program files (x86)\Microsoft Help Viewer 2013-08-08 20:09 . 2013-08-08 20:09 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition 2013-08-08 19:44 . 2013-08-16 01:42 -------- d-----w- c:\program files (x86)\Microsoft Visual Studio 11.0 2013-08-08 19:44 . 2013-08-08 19:44 -------- d-----w- c:\windows\symbols 2013-08-08 19:41 . 2013-08-16 01:43 -------- d-----w- c:\programdata\Package Cache 2013-08-08 18:45 . 2013-08-08 18:54 -------- d-----w- c:\users\johnr\AppData\Roaming\Open Download Manager 2013-08-08 18:45 . 2013-08-16 01:39 -------- d-----w- c:\program files (x86)\GorillaPrice 2013-08-08 18:45 . 2013-08-08 19:06 -------- d-----w- c:\program files (x86)\OpenDownloaderManager 2013-08-08 18:29 . 2013-08-08 18:42 -------- d-----w- c:\users\johnr\AppData\Local\Conduit 2013-08-08 18:29 . 2013-08-08 18:30 -------- d-----w- c:\program files (x86)\Conduit 2013-08-08 18:29 . 2013-08-08 18:29 -------- d-----w- c:\users\johnr\AppData\Local\CRE 2013-08-08 18:27 . 2013-08-08 18:27 -------- d-----w- c:\program files (x86)\7-Zip 2013-08-08 18:27 . 
2013-08-08 19:55 -------- d-----w- c:\users\johnr\AppData\Local\DefineExt 2013-08-08 17:11 . 2013-08-08 17:11 -------- d-----w- c:\users\johnr\AppData\Local\Daring_Development_Inc 2013-08-08 17:06 . 2013-08-08 19:03 -------- d-----w- c:\program files (x86)\MyPC Backup 2013-08-06 07:00 . 2013-08-15 07:03 -------- d-----w- c:\windows\system32\MRT . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-08-21 11:49 . 2009-07-14 00:10 22368 ----a-w- c:\windows\system32\drivers\WS2IFSL.SYS 2013-08-15 07:01 . 2011-06-12 17:49 78161360 ----a-w- c:\windows\system32\MRT.exe 2013-08-14 22:19 . 2012-12-13 01:16 45856 ----a-w- c:\windows\system32\drivers\avgtpx64.sys 2013-07-24 02:27 . 2013-07-24 02:27 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll 2013-07-24 02:27 . 2012-05-09 00:50 867240 ----a-w- c:\windows\SysWow64\npDeployJava1.dll 2013-07-24 02:27 . 2011-06-03 19:42 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll 2013-07-14 15:38 . 2013-07-14 15:38 135168 ----a-r- c:\users\johnr\AppData\Roaming\Microsoft\Installer\{DF49D66D-D2D3-46DA-878B-F0BFC7795276}\NewShortcut4_DF49D66DD2D346DA878BF0BFC7795276.exe 2013-07-14 15:38 . 2013-07-14 15:38 135168 ----a-r- c:\users\johnr\AppData\Roaming\Microsoft\Installer\{DF49D66D-D2D3-46DA-878B-F0BFC7795276}\NewShortcut3_DF49D66DD2D346DA878BF0BFC7795276.exe 2013-07-14 15:38 . 2013-07-14 15:38 135168 ----a-r- c:\users\johnr\AppData\Roaming\Microsoft\Installer\{DF49D66D-D2D3-46DA-878B-F0BFC7795276}\flip.exe_74D1249290AA4DEEA569FED77E7A3831.exe 2013-07-09 04:45 . 2013-08-15 01:06 44032 ----a-w- c:\windows\apppatch\acwow64.dll 2013-06-05 03:34 . 2013-07-11 02:07 3153920 ----a-w- c:\windows\system32\win32k.sys 2013-06-04 06:00 . 2013-07-11 02:07 624128 ----a-w- c:\windows\system32\qedit.dll 2013-06-04 04:53 . 2013-07-11 02:07 509440 ----a-w- c:\windows\SysWow64\qedit.dll . . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "GoToAssist Express Expert"="c:\program files (x86)\Citrix\GoToAssist Express Expert\383\g2ax_start.exe" [2012-04-06 609144] "GoToAssist Remote Support Expert"="c:\program files (x86)\Citrix\GoToAssist Remote Support Expert\498\g2ax_start.exe" [2013-02-11 611400] . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-11-06 283160] "IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2010-12-03 112152] "RemoteControl9"="c:\program files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336] "PDVD9LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [2010-04-29 50472] "RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112] "Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544] "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736] "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576] "EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320] "FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-03 847872] "Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2011-09-09 523216] "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720] "QuickTime Task"="c:\program files 
(x86)\QuickTime\QTTask.exe" [2011-10-24 421888] "DR-2010C CaptureOnTouch"="c:\program files (x86)\Canon Electronics\DR2010C\TouchDR.exe" [2009-04-24 679936] "ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2011-08-11 358336] "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-31 152392] "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816] . c:\users\johnr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Flip.lnk - c:\program files (x86)\Belkin\Flip\flip.exe [2006-8-22 385024] OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE /tsr [2013-1-8 228448] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"= 0 (0x0) "ConsentPromptBehaviorUser"= 3 (0x3) "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) "PromptOnSecureDesktop"= 0 (0x0) "DisableCAD"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32] "aux"=wdmaud.drv . 
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x] R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x] R2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x] R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [x] R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [x] R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x] R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x] R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [x] R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x] R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x] R2 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [x] R2 MsDtsServer;SQL Server Integration Services;c:\program 
files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [x] R2 msftesql$SYNCO_SQL;SQL Server FullText Search (SYNCO_SQL);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe;c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [x] R2 MSOLAP$SYNCO_SQL;SQL Server Analysis Services (SYNCO_SQL);c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe;c:\program files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe [x] R2 MSSQL$SYNCO_SQL;SQL Server (SYNCO_SQL);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe;c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [x] R2 ReportServer$SYNCO_SQL;SQL Server Reporting Services (SYNCO_SQL);c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe;c:\program files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe [x] R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x] R2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x] R2 SQLAgent$SYNCO_SQL;SQL Server Agent (SYNCO_SQL);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE;c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE [x] R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x] R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility 
Client\vpnagent.exe;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x] R2 WebFarmService;Web Farm Controller Service;c:\program files\IIS\Microsoft Web Farm Framework\WebFarmService.exe;c:\program files\IIS\Microsoft Web Farm Framework\WebFarmService.exe [x] R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock64.sys;c:\windows\SYSNATIVE\DRIVERS\acsock64.sys [x] R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x] R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x] R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys;c:\windows\SYSNATIVE\DRIVERS\netvsc60.sys [x] R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x] R3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x] R3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x] R3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x] R3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x] R3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x] R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys;c:\windows\SYSNATIVE\DRIVERS\VMBusVideoM.sys [x] R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x] R3 TsUsbGD;Remote Desktop Generic USB 
Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x] R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x] R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x] S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x] S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys;c:\windows\SYSNATIVE\drivers\avgtpx64.sys [x] S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_service.exe Start=service;c:\program files (x86)\Citrix\GoToAssist Remote Support Customer\498\g2ax_service.exe Start=service [x] S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x] S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x] . . --- Other Services/Drivers In Memory --- . *NewlyCreated* - AFD . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost] iissvcs REG_MULTI_SZ w3svc was apphost REG_MULTI_SZ apphostsvc . [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}] 2013-07-31 23:48 1173456 ----a-w- c:\program files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe . Contents of the 'Scheduled Tasks' folder . 2013-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-16 11:12] . 2013-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-16 11:12] . . --------- X64 Entries ----------- . . 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay] @="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}" [HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}] 2010-10-16 21:17 138608 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay] @="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}" [HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}] 2010-10-16 21:17 138608 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtDCpl64.exe" [2010-10-04 2907240] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-12-09 167960] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-12-09 391704] "Persistence"="c:\windows\system32\igfxpers.exe" [2010-12-09 417304] "Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-02 5712896] "CANON DR2010C SVC"="DR201SVC.dll" [2009-09-15 158720] . ------- Supplementary Scan ------- . 
uLocal Page = c:\windows\system32\blank.htm mLocal Page = c:\windows\SysWOW64\blank.htm uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000 IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105 Trusted Zone: ed.gov\fafsa Trusted Zone: nyu.edu\ssswforms.ssw TCP: Interfaces\{083D706F-0552-4B1B-88C7-C242F3464370}: NameServer = 192.168.1.1 FF - ProfilePath - c:\users\johnr\AppData\Roaming\Mozilla\Firefox\Profiles\ij2ykqmj.default\ FF - prefs.js: browser.search.selectedEngine - Ask.com FF - prefs.js: browser.startup.homepage - www.google.com FF - ExtSQL: 2013-08-08 14:29; {650598e1-b35a-45d3-b607-896d7acb64c3}; c:\users\johnr\AppData\Roaming\Mozilla\Firefox\Profiles\ij2ykqmj.default\extensions\{650598e1-b35a-45d3-b607-896d7acb64c3} . - - - - ORPHANS REMOVED - - - - . Toolbar-Locked - (no file) . . . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MsDepSvc] "ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc" -- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msftesql$SYNCO_SQL] "ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:SYNCO_SQL" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.11" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\*Ó] "7C3447BAD3C86E14291EF7E2744D82BC"="22:\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQL.3\\Setup\\RSVirtualRootServerPath" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}] @Denied: (A) (Everyone) "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3] @Denied: (A) (Everyone) . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0] "Key"="ActionsPane3" "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2013-08-30 00:04:17 ComboFix-quarantined-files.txt 2013-08-30 04:04 ComboFix2.txt 2013-08-21 11:44 . Pre-Run: 399,689,912,320 bytes free Post-Run: 398,918,430,720 bytes free . - - End Of File - - 69957425692D2A63BC26CAEEEA35425F
  21. Gringo, as of yet I haven't touched the ComboFix. Should I kill it? Thanks
  22. It is still running after 9-10 hours and has not moved past Stage 4.
  23. After running for 2 hours, ComboFix is only on Stage 4. I am going to let it run overnight.
  24. Below is the SystemLook output. Also, in Task Manager one of the svchost.exe processes is using about 50% of CPU and 400,000K of memory without any applications started. Thanks

SystemLook 30.07.11 by jpshortstuff
Log created at 07:23 on 27/08/2013 by johnr
Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"
C:\Windows\System32\drivers\AFD.SYS --a---- 22368 bytes [17:34 16/02/2012] [11:49 21/08/2013] 42B7E1AA0C7EC54652A50585793F1885
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17514_none_360e4801750ca991\afd.sys --a---- 499712 bytes [03:24 21/11/2010] [03:24 21/11/2010] D31DC7A16DEA4A9BAF179F3D6FBDB38C
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17603_none_3618198975057170\afd.sys --a---- 499200 bytes [20:26 16/06/2011] [02:34 25/04/2011] D5B031C308A409A0A576BFF4CF083D30
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.17752_none_35e10b89752ee0f5\afd.sys --a---- 498688 bytes [17:34 16/02/2012] [03:59 28/12/2011] 1C7857B62DE5994A75B054A9FD4C3825
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21712_none_3695e61e8e2c13d4\afd.sys --a---- 499200 bytes [20:26 16/06/2011] [03:09 25/04/2011] F4AD06143EAC303F55D0E86C40802976
C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.1.7601.21887_none_364f3a028e605345\afd.sys --a---- 498176 bytes [17:34 16/02/2012] [04:01 28/12/2011] 36A14FD1A23F57046361733B792CA8DB

-= EOF =-
  25. Hi Gringo, Here it is:

Farbar Service Scanner Version: 18-08-2013
Ran by johnr (administrator) on 26-08-2013 at 23:42:55
Running from "C:\DELLTOOLS"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error.
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys
[2012-02-16 13:34] - [2013-08-21 07:49] - 0022368 ____A (AVG Technologies CZ, s.r.o.) 42B7E1AA0C7EC54652A50585793F1885
ATTENTION!=====> C:\Windows\System32\drivers\afd.sys IS INFECTED.
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit

**** End of log ****