
Removal of Malware



Here are the log files from re-running post 21. Do you think the machine is now free of malware? And do you have any idea how it got on my machine, as I had an up-to-date version of McAfee on my machine?


Combo Log:

ComboFix 13-08-12.01 - Carl 12/08/2013  20:39:36.5.2 - x86 NETWORK
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.3317.2767 [GMT 1:00]
Running from: c:\users\Carl\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-12 to 2013-08-12  )))))))))))))))))))))))))))))))
.
.
2013-08-12 19:46 . 2013-08-12 19:46 -------- d-----w- c:\users\Jill-Carl\AppData\Local\temp
2013-08-12 19:46 . 2013-08-12 19:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-08-12 19:46 . 2013-08-12 19:46 -------- d-----w- c:\users\Carl-Jill\AppData\Local\temp
2013-07-18 20:45 . 2013-07-18 20:45 -------- d-----w- C:\FRST
2013-07-18 20:14 . 2013-08-11 15:05 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-07-18 20:07 . 2013-07-18 20:25 -------- d-----w- c:\windows\ERUNT
2013-07-17 19:04 . 2013-07-17 19:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-17 19:04 . 2013-04-04 13:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-17 19:04 . 2013-07-17 19:04 -------- d-----w- c:\users\Carl\AppData\Local\Programs
2013-07-17 17:59 . 2013-07-17 17:59 -------- d-----w- c:\program files\CCleaner
2013-07-17 17:22 . 2013-07-17 17:22 -------- d-----w- c:\users\Carl\malwareBytes
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-14 10:17 . 2012-06-01 07:14 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-07-14 10:17 . 2011-06-15 19:32 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-06 19:15 . 2013-03-12 21:07 523685 ----a-w- c:\windows\system32\~.tmp
2013-06-11 23:43 . 2013-07-12 02:14 1767936 ----a-w- c:\windows\system32\wininet.dll
2013-06-11 23:43 . 2013-07-12 02:14 2877440 ----a-w- c:\windows\system32\jscript9.dll
2013-06-11 23:42 . 2013-07-12 02:14 61440 ----a-w- c:\windows\system32\iesetup.dll
2013-06-11 23:42 . 2013-07-12 02:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-06-11 22:51 . 2013-07-12 02:14 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2013-06-07 02:37 . 2013-07-12 02:14 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2013-06-05 03:05 . 2013-07-11 18:47 2347520 ----a-w- c:\windows\system32\win32k.sys
2013-06-04 04:53 . 2013-07-11 18:47 509440 ----a-w- c:\windows\system32\qedit.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GuideMenu"="U.EXE -HIDE" [X]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-13 6609440]
"BuffaloTools"="c:\program files\BUFFALO\BuffaloTools\BuffaloTools.exe" [2010-03-05 169336]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe /firstrun [2009-6-30 1316192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-01-13 81920]
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.362.0\BBSvc.exe [2012-02-13 193816]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-11-21 136176]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.362.0\SeaPort.exe [2012-02-13 240408]
R3 bftpusbx;BUFFALO TurboPC USB Filter;c:\windows\system32\drivers\bftpusbx.sys [2010-01-16 10624]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2012-09-28 19456]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2010-06-14 36608]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-11-21 136176]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-11-12 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 bftpdskc;BUFFALO TurboPC Cache Filter;c:\windows\system32\drivers\bftpdskc.sys [2010-01-08 39680]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - cmderd
*Deregistered* - cmdGuard
*Deregistered* - cmdHlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-14 10:06 1173456 ----a-w- c:\program files\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
.
------- Supplementary Scan -------
.

uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-08-12  20:48:20
ComboFix-quarantined-files.txt  2013-08-12 19:48
ComboFix2.txt  2013-08-07 20:58
ComboFix3.txt  2013-08-03 20:05
ComboFix4.txt  2013-08-01 20:21
ComboFix5.txt  2013-08-12 19:36
.
Pre-Run: 204,974,129,152 bytes free
Post-Run: 204,831,547,392 bytes free
.
- - End Of File - - 1709369D398B8C563E9436A583908848
A36C5E4F47E84449FF07ED3517B43A31

Mini Toolbox log:

MiniToolBox by Farbar  Version: 13-07-2013
Ran by Carl (administrator) on 12-08-2013 at 21:08:15
Running from "C:\Users\Carl\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X86)
Boot Mode: Minimal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Could not flush the DNS Resolver Cache: Function failed during execution.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset

popd
# End of IPv4 configuration


Windows IP Configuration

   Host Name . . . . . . . . . . . . : Home-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host google.com. Please check the name and try again.
Server:  UnKnown
Address:  127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.
Unable to contact IP driver. General failure.
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog5 06 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 07 C:\Windows\system32\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/12/2013 08:36:28 PM) (Source: System Restore) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\wbem\wmiprvse.exe; Description = ComboFix created restore point; Error = 0x8007043c).

Error: (08/12/2013 08:36:28 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007043c, This service cannot be started in Safe Mode
.

Operation:
   Instantiating VSS server

Error: (08/12/2013 08:36:28 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode. [0x8007043c, This service cannot be started in Safe Mode
]

Operation:
   Instantiating VSS server

Error: (08/12/2013 08:35:52 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2013 08:25:49 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2013 08:11:58 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2013 03:48:33 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2013 02:51:54 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2013 02:46:22 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2013 02:16:05 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

System errors:
=============
Error: (08/12/2013 09:07:29 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (08/12/2013 09:07:23 PM) (Source: DCOM) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/12/2013 09:07:16 PM) (Source: DCOM) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (08/12/2013 09:07:11 PM) (Source: Service Control Manager) (User: )
Description: The Power service terminated with the following error:
%%1062

Error: (08/12/2013 09:07:09 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
DfsC
discache
NetBIOS
NetBT
nsiproxy
Psched
rdbss
spldr
tdx
Wanarpv6
WfpLwf
ws2ifsl

Error: (08/12/2013 09:07:07 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness service depends the following service: NSI. This service might not be installed.

Error: (08/12/2013 09:07:07 PM) (Source: Service Control Manager) (User: )
Description: The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:
%%1068

Error: (08/12/2013 09:07:07 PM) (Source: Service Control Manager) (User: )
Description: The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:
%%1068

Error: (08/12/2013 09:07:07 PM) (Source: Service Control Manager) (User: )
Description: The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:
%%31

Error: (08/12/2013 09:07:07 PM) (Source: Service Control Manager) (User: )
Description: The IP Helper service depends the following service: NSI. This service might not be installed.

Microsoft Office Sessions:
=========================
Error: (08/12/2013 08:36:28 PM) (Source: System Restore)(User: )
Description: C:\Windows\system32\wbem\wmiprvse.exeComboFix created restore point0x8007043c

Error: (08/12/2013 08:36:28 PM) (Source: VSS)(User: )
Description: CoCreateInstance0x8007043c, This service cannot be started in Safe Mode

Operation:
   Instantiating VSS server

Error: (08/12/2013 08:36:28 PM) (Source: VSS)(User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}IVssCoordinatorEx20x8007043c, This service cannot be started in Safe Mode

Operation:
   Instantiating VSS server

Error: (08/12/2013 08:35:52 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2013 08:25:49 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2013 08:11:58 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2013 03:48:33 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2013 02:51:54 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2013 02:46:22 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/11/2013 02:16:05 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

CodeIntegrity Errors:
===================================
  Date: 2013-07-17 20:23:57.854
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\Mcafee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-17 20:23:57.839
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\Mcafee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-17 20:23:57.839
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Common Files\Mcafee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2010-06-01 22:15:59.399
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\msiltcfg.dll because the set of per-page image hashes could not be found on the system.

  Date: 2010-06-01 22:14:39.974
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\msiltcfg.dll because the set of per-page image hashes could not be found on the system.

  Date: 2010-06-01 22:07:02.360
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\msiltcfg.dll because the set of per-page image hashes could not be found on the system.

  Date: 2010-06-01 22:03:17.288
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\msiltcfg.dll because the set of per-page image hashes could not be found on the system.

  Date: 2010-06-01 22:01:58.653
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\msiltcfg.dll because the set of per-page image hashes could not be found on the system.

  Date: 2010-06-01 21:58:59.749
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\msiltcfg.dll because the set of per-page image hashes could not be found on the system.

  Date: 2010-06-01 21:54:42.378
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\msiltcfg.dll because the set of per-page image hashes could not be found on the system.

=========================== Installed Programs ============================

Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Additional ActiveTeach (Version: 1.00.0000)
Additional TTPP (Version: 1.00.0000)
Adobe AIR (Version: 3.1.0.4880)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.94)
Adobe Flash Player 11 Plugin (Version: 11.7.700.224)
Adobe Reader 9.5.3 (Version: 9.5.3)
Adobe Shockwave Player 11.6 (Version: 11.6.3.633)
Apple Application Support (Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (Version: 2.1.3.127)
AS+A2 Biology for AQA (Version: 1.0.0.0)
Bonjour (Version: 3.0.0.10)
BUFFALO BuffaloTools Launcher
BUFFALO TurboCopy
BUFFALO TurboPC for FLASH/HDD
Bullzip PDF Printer 7.1.0.1218 (Version: 7.1.0.1218)
CameraHelperMsi (Version: 13.25.1010.0)
Canon Camera Window DC_DV 6 for ZoomBrowser EX (Version: 6.4.0.9)
Canon Camera Window MC 6 for ZoomBrowser EX (Version: 6.3.0.8)
Canon G.726 WMP-Decoder (Version: 1.1.0.4)
CANON iMAGE GATEWAY Registration Guide (Version: 1.0.0.2)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (Version: 1.3.1.5)
Canon Internet Library for ZoomBrowser EX (Version: 1.5.1.4)
Canon MovieEdit Task for ZoomBrowser EX (Version: 2.4.0.14)
Canon RAW Image Task for ZoomBrowser EX (Version: 0.9.3.9)
Canon RemoteCapture Task for ZoomBrowser EX (Version: 1.7.0.8)
Canon Utilities ZoomBrowser EX (Version: 5.8.0.74)
CCleaner (Version: 3.25)
Championship Manager 2007 (Version: 7.0.0)
Cisco EAP-FAST Module (Version: 2.1.6)
Cisco LEAP Module (Version: 1.0.12)
Cisco PEAP Module (Version: 1.0.13)
CM 03-04 (Version: 4.1.0)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Copy+
Corel GuideMenu (Version: 1.00.0000)
D3DX10 (Version: 15.4.2368.0902)
Dell Dock (Version: 2.0.0)
Dell Edoc Viewer (Version: 1.0.0)
Dell Getting Started Guide (Version: 1.00.0000)
Dell Support Center (Support Software) (Version: 2.2.09085)
Dell Wireless WLAN Card Utility (Version: 5.10.38.30)
Driver Mender (Version: 8.0.1)
erLT (Version: 1.20.138.34)
ERUNT 1.1j
Extension ActiveTeach (Version: 1.00.0000)
Extension TTPP (Version: 1.00.0000)
Google Chrome (Version: 28.0.1500.72)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4209.2358)
Google Update Helper (Version: 1.3.21.153)
GoToAssist 8.0.0.514
GPL Ghostscript Lite 8.70
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.1930)
Intel® TV Wizard
InterVideo WinDVD SE (Version: 8.0-B6.196)
iPod for Windows 2005-09-06 (Version: 3.8.0)
iTunes (Version: 11.0.4.4)
Java 6 Update 13 (Version: 6.0.130)
Junk Mail filter update (Version: 15.4.3502.0922)
LeapFrog Connect (Version: 4.2.9.15649)
LeapFrog Tag Plugin (Version: 4.2.9.15649)
Logitech Vid HD (Version: 7.2 (7248))
Logitech Webcam Software (Version: 2.0)
LWS Facebook (Version: 13.20.1166.0)
LWS Gallery (Version: 13.20.1166.0)
LWS Help_main (Version: 13.25.1016.0)
LWS Launcher (Version: 13.20.1166.0)
LWS Motion Detection (Version: 13.20.1176.0)
LWS Pictures And Video (Version: 13.25.1010.0)
LWS Twitter (Version: 13.20.1166.0)
LWS Video Mask Maker (Version: 13.10.1216.0)
LWS VideoEffects (Version: 13.25.1005.0)
LWS Webcam Software (Version: 13.20.1168.0)
LWS WLM Plugin (Version: 1.20.1166.0)
LWS YouTube Plugin (Version: 13.20.1166.0)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
McAfee Security Scan Plus (Version: 3.0.318.3)
Mesh Runtime (Version: 15.4.5722.2)
Messenger Companion (Version: 15.4.3502.0922)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Default Manager (Version: 2.1.54.0)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Outlook Connector (Version: 14.0.5118.5000)
Microsoft Office PowerPoint Viewer 2007 (English) (Version: 12.0.6612.1000)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Office Suite Activation Assistant (Version: 2.9)
Microsoft Silverlight (Version: 5.1.20513.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.58299)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Works (Version: 9.7.0621)
Microsoft XML Parser (Version: 8.20.8730.4)
MSVCRT (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Nikon Message Center 2 (Version: 2.1.0)
Nikon Movie Editor (Version: 2.3.0)
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Onzo Uploader (Version: 1.14.675)
PC Connectivity Solution (Version: 8.47.7.0)
PDFCreator (Version: 1.1.0)
PeerGuardian 2.0 (Version: 2.1.0.2)
Picture Control Utility (Version: 1.4.2)
Planning and Personalisation Tool (Version: 1.0.8)
Planning and Personalisation Tool (Version: 1.0.9)
QuickTime (Version: 7.74.80.86)
Realtek High Definition Audio Driver
Roxio Burn (Version: 1.0)
Roxio Burn (Version: 1.0.0)
Roxio Update Manager (Version: 6.0.0)
SAMSUNG SYMBIAN USB Download Driver (Version: 1.1.808.7165)
SAMSUNG USB Driver for Mobile Phones (Version: 1.3.650.0)
SamsungConnectivityCableDriver (Version: 6.83.6.2.1)
Science ActiveTeach (Version: 1.00.0000)
Science AP (Version: 1.00.0000)
Science TTPP (Version: 1.00.0000)
Segoe UI (Version: 15.4.2271.0615)
Shared C Run-time for x86 (Version: 10.0.0)
Skype Click to Call (Version: 5.6.8442)
Skype™ 5.10 (Version: 5.10.116)
Spelling Dictionaries Support For Adobe Reader 9 (Version: 9.0.0)
swMSM (Version: 12.0.0.1)
TomTom HOME 2.7.3.1894 (Version: 2.7.3.1894)
TomTom HOME Visual Studio Merge Modules (Version: 1.0.2)
Twenty First Century Additional Applied Science iPack (Version: 1.00.0000)
Twenty First Century Additional Science iPack (Version: 1.00.0000)
Twenty First Century Science iPack (Version: 1.00.0000)
Ulead DVD MovieFactory SE (Version: 5.6)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin) (Version: 4.2.9.15649)
ViewNX 2 (Version: 2.3.0)
Windows Driver Package - LeapFrog (FlyUsb) USB  (11/05/2008 1.1.1.0) (Version: 11/05/2008 1.1.1.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net  (09/10/2009 02.03.05.012) (Version: 09/10/2009 02.03.05.012)
Windows Driver Package - Nokia pccsmcfd  (08/22/2008 7.0.0.0) (Version: 08/22/2008 7.0.0.0)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3555.0308)
Windows Live Family Safety (Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live Messenger Companion Core (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
WinRAR 4.20 (32-bit) (Version: 4.20.0)
WinZip (Version:  8.1  (4331))
Yahoo! Install Manager
Year 7 ActiveTeach (Version: 1.0.0)
Year 7 Activity Pack (Version: 1.0.0)
Year 7 Assessment Pack (Version: 1.0.0)
Year 7 Planning Guide (Version: 1.0.0)
Year 8 ActiveTeach (Version: 1.0.0)
Year 8 Activity Pack (Version: 1.0.0)
Year 8 Assessment Pack (Version: 1.0.0)
Year 8 Planning Guide (Version: 1.0.0)
Year 9 ActiveTeach (Version: 1.0.0)
Year 9 Activity Pack (Version: 1.0.0)
Year 9 Assessment Pack (Version: 1.0.0)
Year 9 Planning Guide (Version: 1.0.0)

========================= Devices: ================================

========================= Memory info: ===================================

Percentage of memory in use: 10%
Total physical RAM: 3317.18 MB
Available physical RAM: 2964.39 MB
Total Pagefile: 6632.64 MB
Available Pagefile: 6299.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 1944.86 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:581.11 GB) (Free:190.91 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:7.29 GB) NTFS
3 Drive e: (130717_1726) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
8 Drive l: (FULLARTON) (Removable) (Total:1.89 GB) (Free:0.42 GB) FAT

========================= Users: ========================================

User accounts for \\

Administrator            Carl                     Carl-Jill               
Guest                    Jill-Carl               

========================= Minidump Files ==================================

No minidump file found

**** End of log ****


FSS log:

Farbar Service Scanner Version: 04-08-2013
Ran by Carl (administrator) on 12-08-2013 at 21:14:35
Running from "C:\Users\Carl\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X86)
Boot Mode: Minimal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

nsiproxy Service is not running. Checking service configuration:
The start type of nsiproxy service is OK.
The ImagePath of nsiproxy service is OK.

tdx Service is not running. Checking service configuration:
The start type of tdx service is OK.
The ImagePath of tdx service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
There is no connection to network.
Attempt to access Google IP returned error. Other errors
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
The start type of bfe service is OK.
The ImagePath of bfe service is OK.
The ServiceDll of bfe service is OK.

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

PlugPlay Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open PlugPlay registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open PlugPlay registry key. The service key does not exist.

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2013-07-11 19:47] - [2013-05-27 05:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Link to post
Share on other sites

  • Root Admin

No, the computer is heavily messed up still and we may or may not be able to get it working correctly, but we'll try.

The damage done is fairly extensive, and it is not normal for malware to attack some of these items, but nonetheless they show as screwed up.

PlugPlay Service is not running. Checking service configuration:

Checking Start type: ATTENTION!=====> Unable to open PlugPlay registry key. The service key does not exist.

Checking ImagePath: ATTENTION!=====> Unable to open PlugPlay registry key. The service key does not exist.

I'll work on it and get back to you. If I've not replied with an update to run within the next 24 hours please send me a private message reminder.

Thanks

Link to post
Share on other sites
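
The reading of the FSS log above (missing Nsi and PlugPlay service keys, a service whose start type is no longer the default, a Windows Defender policy value set, and every connectivity check failing) is the kind of triage that can be scripted. The following Python script is an added example, not part of this thread and not Farbar's tool: it parses FSS-style output and lists the items a responder would act on. The sample log embedded in it is constructed from lines posted above; the field names, regular expressions and summary wording are this example's own assumptions about the FSS format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the Farbar Service Scanner (FSS) log in this thread.
SAMPLE_FSS = r"""Internet Services:
============
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Other errors
There is no connection to network.

Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2013-07-11 19:47] - [2013-05-27 05:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47
"""

@dataclass
class FssFindings:
    """What a responder pulls out of an FSS log (field names are this example's own)."""
    not_running: list = field(default_factory=list)
    missing_keys: set = field(default_factory=set)         # services whose registry key is gone
    nondefault_start: dict = field(default_factory=dict)   # service -> (actual, default)
    disabled_policies: list = field(default_factory=list)  # (registry key, value name, DWORD)
    connectivity_errors: list = field(default_factory=list)
    verified_files: list = field(default_factory=list)     # FSS said "MD5 is legit"
    unverified_files: list = field(default_factory=list)   # FSS printed details instead of a verdict

SECTION_RE = re.compile(r"^[A-Za-z ]+:$")
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running\.")
MISSING_KEY_RE = re.compile(r"ATTENTION!=+> Unable to open (\S+) registry key")
START_TYPE_RE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
REG_KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
REG_DWORD_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
FILE_LINE_RE = re.compile(r"^([A-Za-z]:\\.*?)(?: => MD5 is legit)?$")

def parse_fss(text):
    """Walk an FSS log line by line, tracking the current section and registry key."""
    f, section, reg_key = FssFindings(), None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if SECTION_RE.match(line):
            section = line.rstrip(":")
        elif (m := NOT_RUNNING_RE.match(line)):
            f.not_running.append(m.group(1))
        elif (m := MISSING_KEY_RE.search(line)):
            f.missing_keys.add(m.group(1))
        elif (m := START_TYPE_RE.match(line)):
            f.nondefault_start[m.group(1)] = (m.group(2), m.group(3))
        elif (m := REG_KEY_RE.match(line)):
            reg_key = m.group(1)
        elif reg_key and (m := REG_DWORD_RE.match(line)):
            f.disabled_policies.append((reg_key, m.group(1), int(m.group(2))))
        elif section == "Connection Status" and ("returned error" in line or "no connection" in line):
            f.connectivity_errors.append(line)
        elif section == "File Check" and (m := FILE_LINE_RE.match(line)):
            target = f.verified_files if line.endswith("MD5 is legit") else f.unverified_files
            target.append(m.group(1))
    return f

def summarize(f):
    """The short action list a responder would post back from the findings."""
    notes = [f"service key missing: {s} (cannot start until the key is restored)" for s in sorted(f.missing_keys)]
    notes += [f"start type changed: {s} is {a}, default is {d}" for s, (a, d) in sorted(f.nondefault_start.items())]
    notes += [f"policy set: {k}\\{n} = {v}" for k, n, v in f.disabled_policies]
    if f.connectivity_errors:
        notes.append(f"connectivity: {len(f.connectivity_errors)} checks failed")
    notes += [f"file not matched to a known-good MD5: {p}" for p in f.unverified_files]
    return notes

if __name__ == "__main__":
    for note in summarize(parse_fss(SAMPLE_FSS)):
        print(note)
```

A service listed as "not running" with all three checks OK (afd in the sample) is recorded but not flagged, since in Safe Mode that is expected; the items that get a note are the ones that need a fix, such as a deleted service key or a changed start type. A file FSS could not match to its known-good list (MpSvc.dll here) is reported as unverified, not as malicious: that decision needs the hash checked elsewhere.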

  • Root Admin

Please click on START and type in CMD.EXE and when it shows on the menu right click over it and select "Run as administrator"

Then type the following line by line, pressing the Enter key at the end of each line, and post back what they say.

DIR C:\Windows\system32\nsisvc.dll
DIR C:\Windows\system32\umpnpmgr.dll



Thanks

Link to post
Share on other sites

Please click on START and type in CMD.EXE and when it shows on the menu right click over it and select "Run as administrator"

Then type the following line by line, pressing the Enter key at the end of each line, and post back what they say.

DIR C:\Windows\system32\nsisvc.dll

DIR C:\Windows\system32\umpnpmgr.dll

Thanks

 

DIR C:\Windows\system32\nsisvc.dll

14/07/2009 02:16 19,456 nsisvc.dll

1 file(s) 19,456 bytes

 

DIR C:\Windows\system32\umpnpmgr.dll

24/05/2011 11:44 293,376 umpnpmgr.dll

1 file(s) 293,376 bytes

 

Hope this is the information you wanted?

Link to post
Share on other sites

Farbar Service Scanner Version: 04-08-2013
Ran by Carl (administrator) on 15-08-2013 at 21:39:50
Running from "C:\Users\Carl\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X86)
Boot Mode: Network
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2013-07-11 19:47] - [2013-05-27 05:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

Link to post
Share on other sites

  • Root Admin

That log seems to indicate that the network is now working.  Is that correct?

 

Please run a new FRST scan and post back both logs.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


 

Link to post
Share on other sites

Yes, I can connect to the Internet, but with limited connectivity, and I still cannot do anything else when logged on normally (e.g. run programs).

 

Logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-08-2013
Ran by Carl (administrator) on 17-08-2013 08:28:03
Running from C:\Users\Carl\Desktop
Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Safe Mode (minimal)

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\userinit.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6609440 2009-01-13] (Realtek Semiconductor)
HKLM\...\Run: [buffaloTools] - C:\Program Files\BUFFALO\BuffaloTools\BuffaloTools.exe [169336 2010-03-05] (BUFFALO INC.)
HKLM\...\Run: [GuideMenu] - U.EXE -HIDE [x]
HKU\Carl-Jill\...\RunOnce: [WAB Migrate] - C:\Program Files\Windows Mail\wab.exe [ 2010-11-20] (Microsoft Corporation)
HKU\Carl-Jill\...\RunOnce: [DPAPIKeyMig] - C:\Windows\system32\dpapimig.exe [ 2009-07-14] (Microsoft Corporation)
Startup: C:\Users\Carl-Jill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
URLSearchHook: (No Name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM - {CE6722A2-4177-447A-9F57-D2069132BE9E} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF7&pc=MDDC&src=IE-SearchBox
SearchScopes: HKCU - DefaultScope {3B61C9E7-9424-486C-B9DC-DE044D3AC688} URL = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=971163&p={searchTerms}
SearchScopes: HKCU - {3B61C9E7-9424-486C-B9DC-DE044D3AC688} URL = http://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=971163&p={searchTerms}
SearchScopes: HKCU - {5AD788AE-0654-4525-B72C-96167BFB9C74} URL = http://uk.search.yahoo.com/search?fr=mcafee&p={SearchTerms}
SearchScopes: HKCU - {CE6722A2-4177-447A-9F57-D2069132BE9E} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF7&pc=MDDC&src=IE-SearchBox
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: No Name - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -  No File
BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU -No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU -Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: msdaipp - No CLSID Value -
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -  No File
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Chrome:
=======

CHR DefaultSearchURL: (Google) - {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\28.0.1500.72\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\28.0.1500.72\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll (Sun Microsystems, Inc.)
CHR Plugin: (Java Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (YouTube) - C:\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0
CHR Extension: (Google Search) - C:\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0
CHR Extension: (SiteAdvisor) - C:\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.6.2.1341_0
CHR Extension: (Gmail) - C:\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx

========================== Services (Whitelisted) =================

S2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2008-12-18] (Stardock Corporation)
S2 ProtexisLicensing; C:\Program Files\Common Files\Protexis\License Service\PSIService.exe [174656 2006-11-02] ()
S3 RasMan; C:\Windows\System32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S3 SensrSvc; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 sprtsvc_DellSupportCenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2009-06-03] (SupportSoft, Inc.)
S2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2006-06-14] (Ulead Systems, Inc.)
S3 WebClient; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 wltrysvc; C:\Windows\System32\bcmwltry.exe [2809856 2009-01-19] (Dell Inc.)
S3 WPDBusEnum; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S3 WPFFontCache_v0400;

==================== Drivers (Whitelisted) ====================

S3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2009-01-19] (Broadcom Corporation)
R0 bftpdskc; C:\Windows\System32\drivers\bftpdskc.sys [39680 2010-01-08] (BUFFALO INC.)
S3 bftpusbx; C:\Windows\System32\drivers\bftpusbx.sys [10624 2010-01-16] (BUFFALO INC.)
S3 FlyUsb; C:\Windows\System32\DRIVERS\FlyUsb.sys [19456 2012-09-28] (LeapFrog)
S3 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [36608 2010-06-14] ()
R3 Iviaspi; C:\Windows\System32\drivers\iviaspi.sys [10368 2009-11-01] (InterVideo, Inc.)
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25824 2010-05-07] ()
S3 pgfilter; C:\Program Files\PeerGuardian2\pgfilter.sys [8192 2007-06-02] ()
S3 catchme; \??\C:\Users\Carl\AppData\Local\Temp\catchme.sys [x]
U3 TrueSight; \??\C:\Windows\system32\TrueSight.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-17 08:25 - 2013-08-17 08:24 - 01068993 _____ (Farbar) C:\Users\Carl\Desktop\FRST.exe
2013-08-17 08:24 - 2013-08-17 08:24 - 01068993 _____ (Farbar) C:\Users\Carl-Jill\Downloads\FRST.exe
2013-08-15 21:26 - 2013-08-15 21:22 - 00005892 _____ C:\Users\Carl\Desktop\PlugPlay.reg
2013-08-15 21:26 - 2013-08-15 21:19 - 00003286 _____ C:\Users\Carl\Desktop\nsi.reg
2013-08-12 21:14 - 2013-08-15 21:39 - 00003578 _____ C:\Users\Carl\Desktop\FSS.txt
2013-08-12 21:14 - 2013-08-12 20:30 - 00357143 _____ (Farbar) C:\Users\Carl\Desktop\FSS.exe
2013-08-12 21:08 - 2013-08-12 21:08 - 00024139 _____ C:\Users\Carl\Desktop\Result.txt
2013-08-12 21:05 - 2013-08-12 20:28 - 00760937 _____ (Farbar) C:\Users\Carl\Desktop\MiniToolBox.exe
2013-08-12 20:48 - 2013-08-12 20:48 - 00006123 _____ C:\ComboFix.txt
2013-08-11 15:44 - 2013-08-11 15:44 - 00000000 ____D C:\Users\Carl\Documents\1
2013-08-11 14:43 - 2013-08-07 22:36 - 00755512 _____ (Malwarebytes Corporation) C:\Users\Carl\Desktop\fixdamage.exe
2013-08-07 21:45 - 2013-08-12 20:23 - 05102975 ____R (Swearware) C:\Users\Carl\Desktop\ComboFix.exe
2013-08-06 20:29 - 2013-08-06 20:29 - 00000000 ____D C:\Users\Carl\Documents\mbar
2013-08-05 21:35 - 2013-08-05 21:02 - 00085936 _____ C:\Windows\FSS.exe
2013-08-05 21:15 - 2013-08-05 21:02 - 00085936 _____ C:\Users\Carl\Documents\FSS.exe
2013-08-01 20:41 - 2013-08-01 20:33 - 03191888 _____ (McAfee, Inc.) C:\Users\Carl\Desktop\MCPR.exe
2013-07-30 21:35 - 2011-06-26 07:45 - 00256000 _____ C:\Windows\PEV.exe
2013-07-30 21:35 - 2010-11-07 18:20 - 00208896 _____ C:\Windows\MBR.exe
2013-07-30 21:35 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2013-07-30 21:35 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2013-07-30 21:35 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2013-07-30 21:35 - 2000-08-31 01:00 - 00098816 _____ C:\Windows\sed.exe
2013-07-30 21:35 - 2000-08-31 01:00 - 00080412 _____ C:\Windows\grep.exe
2013-07-30 21:35 - 2000-08-31 01:00 - 00068096 _____ C:\Windows\zip.exe
2013-07-30 21:34 - 2013-08-12 20:48 - 00000000 ____D C:\Qoobox
2013-07-30 21:33 - 2013-07-30 22:12 - 00000000 ____D C:\Windows\erdnt
2013-07-18 21:45 - 2013-07-18 21:45 - 00000000 ____D C:\FRST
2013-07-18 21:27 - 2013-07-18 21:28 - 00006441 _____ C:\AdwCleaner[s1].txt
2013-07-18 21:26 - 2013-07-18 21:26 - 00080970 _____ C:\Users\Carl\Desktop\JRT.txt
2013-07-18 21:24 - 2004-11-02 12:10 - 00559341 _____ (Oleg N. Scherbakov) C:\Users\Carl\Desktop\JRT.exe
2013-07-18 21:14 - 2013-08-11 16:05 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-07-18 21:11 - 2013-07-18 21:11 - 00004568 _____ C:\Users\Carl\Desktop\RKreport[0]_S_07182013_211121.txt
2013-07-18 21:09 - 2013-07-18 21:12 - 00000000 ____D C:\Users\Carl\Desktop\RK_Quarantine
2013-07-18 21:07 - 2013-07-18 21:25 - 00000000 ____D C:\Windows\ERUNT
2013-07-18 21:07 - 2013-07-18 21:07 - 00000824 _____ C:\Users\Carl\Desktop\NTREGOPT.lnk
2013-07-18 21:07 - 2013-07-18 21:07 - 00000805 _____ C:\Users\Carl\Desktop\ERUNT.lnk
2013-07-18 20:59 - 2013-08-01 20:42 - 00000000 ____D C:\Users\Carl\Documents\System Fix
2013-07-18 20:22 - 2013-07-18 20:22 - 00017408 _____ C:\Users\Carl\Desktop\dds.txt
2013-07-18 20:22 - 2013-07-18 20:22 - 00012460 _____ C:\Users\Carl\Desktop\attach.txt

==================== One Month Modified Files and Folders =======

2013-08-17 08:25 - 2012-11-11 22:49 - 01126665 _____ C:\Windows\WindowsUpdate.log
2013-08-17 08:24 - 2013-08-17 08:25 - 01068993 _____ (Farbar) C:\Users\Carl\Desktop\FRST.exe
2013-08-17 08:24 - 2013-08-17 08:24 - 01068993 _____ (Farbar) C:\Users\Carl-Jill\Downloads\FRST.exe
2013-08-17 08:20 - 2012-11-11 22:04 - 00011440 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-17 08:20 - 2012-11-11 22:04 - 00011440 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-17 08:17 - 2012-11-11 23:00 - 00730320 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-17 08:17 - 2012-09-03 21:37 - 00002131 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-08-17 08:12 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-17 08:12 - 2009-07-14 05:39 - 01860177 _____ C:\Windows\setupact.log
2013-08-15 21:39 - 2013-08-12 21:14 - 00003578 _____ C:\Users\Carl\Desktop\FSS.txt
2013-08-15 21:22 - 2013-08-15 21:26 - 00005892 _____ C:\Users\Carl\Desktop\PlugPlay.reg
2013-08-15 21:19 - 2013-08-15 21:26 - 00003286 _____ C:\Users\Carl\Desktop\nsi.reg
2013-08-12 21:08 - 2013-08-12 21:08 - 00024139 _____ C:\Users\Carl\Desktop\Result.txt
2013-08-12 21:06 - 2012-11-11 22:34 - 00058340 _____ C:\Windows\PFRO.log
2013-08-12 20:48 - 2013-08-12 20:48 - 00006123 _____ C:\ComboFix.txt
2013-08-12 20:48 - 2013-07-30 21:34 - 00000000 ____D C:\Qoobox
2013-08-12 20:46 - 2009-07-14 03:04 - 00000215 _____ C:\Windows\system.ini
2013-08-12 20:30 - 2013-08-12 21:14 - 00357143 _____ (Farbar) C:\Users\Carl\Desktop\FSS.exe
2013-08-12 20:28 - 2013-08-12 21:05 - 00760937 _____ (Farbar) C:\Users\Carl\Desktop\MiniToolBox.exe
2013-08-12 20:23 - 2013-08-07 21:45 - 05102975 ____R (Swearware) C:\Users\Carl\Desktop\ComboFix.exe
2013-08-11 16:05 - 2013-07-18 21:14 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-08-11 15:44 - 2013-08-11 15:44 - 00000000 ____D C:\Users\Carl\Documents\1
2013-08-11 14:47 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\system32\NDF
2013-08-07 22:36 - 2013-08-11 14:43 - 00755512 _____ (Malwarebytes Corporation) C:\Users\Carl\Desktop\fixdamage.exe
2013-08-06 20:29 - 2013-08-06 20:29 - 00000000 ____D C:\Users\Carl\Documents\mbar
2013-08-05 21:02 - 2013-08-05 21:35 - 00085936 _____ C:\Windows\FSS.exe
2013-08-05 21:02 - 2013-08-05 21:15 - 00085936 _____ C:\Users\Carl\Documents\FSS.exe
2013-08-03 20:46 - 2009-10-22 22:01 - 00000000 ____D C:\ProgramData\McAfee
2013-08-01 21:39 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\system32\config\Journal
2013-08-01 20:42 - 2013-07-18 20:59 - 00000000 ____D C:\Users\Carl\Documents\System Fix
2013-08-01 20:33 - 2013-08-01 20:41 - 03191888 _____ (McAfee, Inc.) C:\Users\Carl\Desktop\MCPR.exe
2013-07-31 01:54 - 2009-07-14 03:37 - 00000000 ___RD C:\Users\Public
2013-07-30 22:12 - 2013-07-30 21:33 - 00000000 ____D C:\Windows\erdnt
2013-07-30 21:38 - 2012-11-11 23:39 - 00001830 _____ C:\Users\Public\Desktop\McAfee Internet Security.lnk
2013-07-21 21:56 - 2009-10-29 21:28 - 00000000 ____D C:\Users\Carl\Tracing
2013-07-18 21:45 - 2013-07-18 21:45 - 00000000 ____D C:\FRST
2013-07-18 21:28 - 2013-07-18 21:27 - 00006441 _____ C:\AdwCleaner[s1].txt
2013-07-18 21:26 - 2013-07-18 21:26 - 00080970 _____ C:\Users\Carl\Desktop\JRT.txt
2013-07-18 21:25 - 2013-07-18 21:07 - 00000000 ____D C:\Windows\ERUNT
2013-07-18 21:12 - 2013-07-18 21:09 - 00000000 ____D C:\Users\Carl\Desktop\RK_Quarantine
2013-07-18 21:11 - 2013-07-18 21:11 - 00004568 _____ C:\Users\Carl\Desktop\RKreport[0]_S_07182013_211121.txt
2013-07-18 21:07 - 2013-07-18 21:07 - 00000824 _____ C:\Users\Carl\Desktop\NTREGOPT.lnk
2013-07-18 21:07 - 2013-07-18 21:07 - 00000805 _____ C:\Users\Carl\Desktop\ERUNT.lnk
2013-07-18 20:22 - 2013-07-18 20:22 - 00017408 _____ C:\Users\Carl\Desktop\dds.txt
2013-07-18 20:22 - 2013-07-18 20:22 - 00012460 _____ C:\Users\Carl\Desktop\attach.txt

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-07-11 20:26

==================== End Of Log ============================

 

Addition.txt

Link to post
Share on other sites

  • Root Admin

Please run the following, which will clean out more junk; if that still does not help, we'll move on to another round of ComboFix and see if we can fix some more of the remaining issues.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.
 

fixlist.txt

Link to post
Share on other sites

log:

 

Malwarebytes Anti-Rootkit BETA 1.06.1.1005
www.malwarebytes.org

Database version: v2013.08.21.06

Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16635
Carl :: HOME-PC [administrator]

21/08/2013 21:26:37
mbar-log-2013-08-21 (21-26-37).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 274946
Time elapsed: 7 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Link to post
Share on other sites

  • Root Admin

Please run the following clean removal and reinstall.

 

MBAM Clean Removal Process
 

 

Then check for updates and run a new Quick Scan and post back that log please.

 

Next, download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Link to post
Share on other sites

log 1:

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.26.05

Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16635
Carl :: HOME-PC [administrator]

Protection: Disabled

26/08/2013 21:08:09
mbam-log-2013-08-26 (21-08-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 272755
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


log 2:

 

 Results of screen317's Security Check version 0.99.73 
 Windows 7 Service Pack 1 x86 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Java 6 Update 13 
 Java version out of Date!
 Adobe Flash Player  11.7.700.224 
 Adobe Reader 9 Adobe Reader out of Date!
 Google Chrome 28.0.1500.95 
 Google Chrome 29.0.1547.57 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 
````````````````````End of Log``````````````````````


  • Root Admin

Please uninstall all versions of Java.  If you can do without Java that would be the best.

Please update your Adobe Acrobat as well.

If you have trouble removing Java please let me know.

How is the computer running now?

Are there still any signs of an infection?


Please uninstall all versions of Java.  If you can do without Java that would be the best. I CAN'T UNINSTALL JAVA AS IN SAFE MODE IT WON'T LET ME, AND IN NORMAL MODE IT SAYS I DON'T HAVE THE PERMISSION TO DO SO.  ANNOYING!!!!!

Please update your Adobe Acrobat as well. TRIED TO INSTALL NEW ADOBE AND WAS DOWNLOADING AND CLICKING INSTALL, BUT IT WAS NOT RUNNING THROUGH THE INSTALL.

If you have trouble removing Java please let me know.

How is the computer running now? IT IS BETTER BUT STILL NOT GREAT. I CAN'T INSTALL OR UNINSTALL PROGRAMS, AND DEVICE MANAGER DOES NOT RUN AND IT SAYS IT DOES NOT EXIST.

Are there still any signs of an infection?  YES AND NO, I NEVER NOTICED ANY REAL SIGNS UNTIL IT WAS TOO LATE, AND IT APPEARS TO STILL BE THE SAME.  ARE WE APPROACHING THE POINT WHERE IT WILL BE A CASE OF HAVING TO FORMAT THE MACHINE?  IF IT IS, I WILL HAVE TO TAKE ACTIONS BEFORE THAT AS I HAVE A BOAT LOAD OF INFORMATION ON THIS MACHINE WHICH I HAVE NEVER BACKED UP (STUPID I KNOW).

Thanks again for all of your help, it is greatly appreciated by me.  Sorry for the CAPS by the way.


  • Root Admin

Well, I thought we had fixed most of it back around post #22, but we can run scans again and see what's going on.

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save ComboFix to your desktop and do not run it from your browser.
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once ComboFix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


FSS log:

 

Farbar Service Scanner Version: 28-08-2013
Ran by Carl (administrator) on 28-08-2013 at 22:04:17
Running from "C:\Users\Carl\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.

System Restore Disabled Policy:
========================

Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll
[2013-07-11 19:47] - [2013-05-27 05:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****

 

FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-08-2013
Ran by Carl (administrator) on 28-08-2013 22:06:46
Running from C:\Users\Carl\Desktop
Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Intel Corporation) C:\Windows\system32\igfxsrvc.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [6609440 2009-01-13] (Realtek Semiconductor)
HKLM\...\Run: [buffaloTools] - C:\Program Files\BUFFALO\BuffaloTools\BuffaloTools.exe [169336 2010-03-05] (BUFFALO INC.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKU\Carl-Jill\...\RunOnce: [WAB Migrate] - C:\Program Files\Windows Mail\wab.exe [ 2010-11-20] (Microsoft Corporation)
HKU\Carl-Jill\...\RunOnce: [DPAPIKeyMig] - C:\Windows\system32\dpapimig.exe [ 2009-07-14] (Microsoft Corporation)
Startup: C:\Users\Carl-Jill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: msdaipp - No CLSID Value -
Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

Chrome:
=======

CHR DefaultSearchURL: (Google) - {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\28.0.1500.72\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\28.0.1500.72\pdf.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\28.0.1500.72\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll No File
CHR Plugin: (Java Platform SE 6 U13) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.2) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (YouTube) - C:\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0
CHR Extension: (Google Search) - C:\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0
CHR Extension: (Gmail) - C:\Users\Carl\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx

========================== Services (Whitelisted) =================

S2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2008-12-18] (Stardock Corporation)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 ProtexisLicensing; C:\Program Files\Common Files\Protexis\License Service\PSIService.exe [174656 2006-11-02] ()
S3 RasMan; C:\Windows\System32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S3 SensrSvc; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 sprtsvc_DellSupportCenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2009-06-03] (SupportSoft, Inc.)
S2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [61440 2006-06-14] (Ulead Systems, Inc.)
S3 WebClient; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S2 wltrysvc; C:\Windows\System32\bcmwltry.exe [2809856 2009-01-19] (Dell Inc.)
S3 WPDBusEnum; C:\Windows\system32\svchost.exe [20992 2009-07-14] (Microsoft Corporation)
S3 WPFFontCache_v0400;

==================== Drivers (Whitelisted) ====================

S3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2009-01-19] (Broadcom Corporation)
R0 bftpdskc; C:\Windows\System32\drivers\bftpdskc.sys [39680 2010-01-08] (BUFFALO INC.)
S3 bftpusbx; C:\Windows\System32\drivers\bftpusbx.sys [10624 2010-01-16] (BUFFALO INC.)
R0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-14] (Microsoft Corporation)
S3 FlyUsb; C:\Windows\System32\DRIVERS\FlyUsb.sys [19456 2012-09-28] (LeapFrog)
S3 FsUsbExDisk; C:\Windows\system32\FsUsbExDisk.SYS [36608 2010-06-14] ()
R3 Iviaspi; C:\Windows\System32\drivers\iviaspi.sys [10368 2009-11-01] (InterVideo, Inc.)
S3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25824 2010-05-07] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 catchme; \??\C:\Users\Carl\AppData\Local\Temp\catchme.sys [x]
U3 TrueSight; \??\C:\Windows\system32\TrueSight.sys [x]
U3 mbr; \??\C:\ComboFix\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-08-28 22:04 - 2013-08-28 22:04 - 00003577 _____ C:\Users\Carl\Desktop\FSS.txt
2013-08-28 22:03 - 2013-08-28 21:41 - 00358571 _____ (Farbar) C:\Users\Carl\Desktop\FSS.exe
2013-08-28 21:58 - 2013-08-28 21:58 - 00006160 _____ C:\ComboFix.txt
2013-08-28 21:43 - 2013-08-28 21:40 - 05114728 ____R (Swearware) C:\Users\Carl\Desktop\ComboFix.exe
2013-08-26 21:17 - 2013-08-26 20:58 - 00891144 _____ C:\Users\Carl\Desktop\SecurityCheck.exe
2013-08-26 21:05 - 2013-08-26 21:05 - 00001069 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-08-26 21:05 - 2013-08-26 21:05 - 00000000 ____D C:\Users\Carl\AppData\Roaming\Malwarebytes
2013-08-26 21:05 - 2013-08-26 21:05 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-26 21:05 - 2013-08-26 21:05 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-08-26 21:05 - 2013-08-26 21:03 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Carl\Desktop\mbam-setup-1.75.0.1300.exe
2013-08-26 21:05 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-08-26 20:54 - 2013-08-26 20:51 - 00080456 _____ (Malwarebytes Corporation) C:\Users\Carl\Desktop\mbam-clean-1.60.2.0003.exe
2013-08-17 08:24 - 2013-08-17 08:24 - 01068993 _____ (Farbar) C:\Users\Carl-Jill\Downloads\FRST.exe
2013-08-11 15:44 - 2013-08-28 21:40 - 00000000 ____D C:\Users\Carl\Documents\1
2013-08-06 20:29 - 2013-08-06 20:29 - 00000000 ____D C:\Users\Carl\Documents\mbar
2013-08-05 21:35 - 2013-08-05 21:02 - 00085936 _____ C:\Windows\FSS.exe
2013-08-05 21:15 - 2013-08-05 21:02 - 00085936 _____ C:\Users\Carl\Documents\FSS.exe
2013-07-30 21:35 - 2011-06-26 07:45 - 00256000 _____ C:\Windows\PEV.exe
2013-07-30 21:35 - 2010-11-07 18:20 - 00208896 _____ C:\Windows\MBR.exe
2013-07-30 21:35 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2013-07-30 21:35 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2013-07-30 21:35 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2013-07-30 21:35 - 2000-08-31 01:00 - 00098816 _____ C:\Windows\sed.exe
2013-07-30 21:35 - 2000-08-31 01:00 - 00080412 _____ C:\Windows\grep.exe
2013-07-30 21:35 - 2000-08-31 01:00 - 00068096 _____ C:\Windows\zip.exe
2013-07-30 21:34 - 2013-08-28 21:58 - 00000000 ____D C:\Qoobox
2013-07-30 21:33 - 2013-07-30 22:12 - 00000000 ____D C:\Windows\erdnt

==================== One Month Modified Files and Folders =======

2013-08-28 22:04 - 2013-08-28 22:04 - 00003577 _____ C:\Users\Carl\Desktop\FSS.txt
2013-08-28 21:58 - 2013-08-28 21:58 - 00006160 _____ C:\ComboFix.txt
2013-08-28 21:58 - 2013-07-30 21:34 - 00000000 ____D C:\Qoobox
2013-08-28 21:56 - 2009-07-14 03:04 - 00000215 _____ C:\Windows\system.ini
2013-08-28 21:43 - 2012-11-11 22:49 - 01207029 _____ C:\Windows\WindowsUpdate.log
2013-08-28 21:43 - 2012-11-11 22:04 - 00011440 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-08-28 21:43 - 2012-11-11 22:04 - 00011440 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-08-28 21:42 - 2013-08-28 22:05 - 01072975 _____ (Farbar) C:\Users\Carl\Desktop\FRST.exe
2013-08-28 21:41 - 2013-08-28 22:03 - 00358571 _____ (Farbar) C:\Users\Carl\Desktop\FSS.exe
2013-08-28 21:41 - 2012-11-11 23:00 - 00730320 _____ C:\Windows\system32\PerfStringBackup.INI
2013-08-28 21:40 - 2013-08-28 21:43 - 05114728 ____R (Swearware) C:\Users\Carl\Desktop\ComboFix.exe
2013-08-28 21:40 - 2013-08-11 15:44 - 00000000 ____D C:\Users\Carl\Documents\1
2013-08-28 21:37 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-08-28 21:37 - 2009-07-14 05:39 - 01924209 _____ C:\Windows\setupact.log
2013-08-27 23:02 - 2009-10-30 09:28 - 00000000 ____D C:\Users\Carl\AppData\Local\Adobe
2013-08-26 21:05 - 2013-08-26 21:05 - 00001069 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-08-26 21:05 - 2013-08-26 21:05 - 00000000 ____D C:\Users\Carl\AppData\Roaming\Malwarebytes
2013-08-26 21:05 - 2013-08-26 21:05 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-08-26 21:05 - 2013-08-26 21:05 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-08-26 21:03 - 2013-08-26 21:05 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Carl\Desktop\mbam-setup-1.75.0.1300.exe
2013-08-26 20:58 - 2013-08-26 21:17 - 00891144 _____ C:\Users\Carl\Desktop\SecurityCheck.exe
2013-08-26 20:55 - 2012-11-11 22:34 - 00091222 _____ C:\Windows\PFRO.log
2013-08-26 20:51 - 2013-08-26 20:54 - 00080456 _____ (Malwarebytes Corporation) C:\Users\Carl\Desktop\mbam-clean-1.60.2.0003.exe
2013-08-25 10:54 - 2013-07-18 21:14 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-08-20 21:11 - 2012-09-03 21:37 - 00002131 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-08-17 09:38 - 2009-11-01 20:28 - 00000000 ____D C:\Carl's Stuff
2013-08-17 08:24 - 2013-08-17 08:24 - 01068993 _____ (Farbar) C:\Users\Carl-Jill\Downloads\FRST.exe
2013-08-11 14:47 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\system32\NDF
2013-08-06 20:29 - 2013-08-06 20:29 - 00000000 ____D C:\Users\Carl\Documents\mbar
2013-08-05 21:02 - 2013-08-05 21:35 - 00085936 _____ C:\Windows\FSS.exe
2013-08-05 21:02 - 2013-08-05 21:15 - 00085936 _____ C:\Users\Carl\Documents\FSS.exe
2013-08-03 20:46 - 2009-10-22 22:01 - 00000000 ____D C:\ProgramData\McAfee
2013-08-01 21:39 - 2009-07-14 03:37 - 00000000 ____D C:\Windows\system32\config\Journal
2013-08-01 20:42 - 2013-07-18 20:59 - 00000000 ____D C:\Users\Carl\Documents\System Fix
2013-07-31 01:54 - 2009-07-14 03:37 - 00000000 ___RD C:\Users\Public
2013-07-30 22:12 - 2013-07-30 21:33 - 00000000 ____D C:\Windows\erdnt
2013-07-30 21:38 - 2012-11-11 23:39 - 00001830 _____ C:\Users\Public\Desktop\McAfee Internet Security.lnk

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-07-11 20:26

==================== End Of Log ============================

ComboFix.txt

Addition.txt


  • Root Admin

Please download and save the following file to your computer.

Then double-click on it to run it.  It should create 2 files on your desktop.  Please post the results back on your next reply.

If your antivirus tries to block the download then please temporarily allow or disable your antivirus to save and run it.  Once done make sure you re-enable your antivirus.

CheckBFEServices.exe

Thanks


Log 1:

 

CheckBFE.bat  Version: 08/28/2013 6:00:00 PM
CheckBFE was designed for checking the Base Filtering Engine Service and some other services
CheckBFE was ran on: 2013-08-29_20294277
CheckBFE was ran from: "C:\Users\Carl\AppData\Local\Temp\checkbfe.bat"
 
This batch file should have created the following 2 files:
C:\Users\Carl\Desktop\BFE.txt
C:\Users\Carl\Desktop\BFE_Registry.txt
 
 
Please attach both of those files to your next reply
 
 
Checking the permissions on the file: c:\windows\system32\bfe.dll
 
Current Directory is: C:\Users\Carl\AppData\Local\Temp
dir check using SYSTEM32 for BFE.DLL
 Volume in drive C is OS
 Volume Serial Number is B0D9-C246

 Directory of C:\Windows\System32

20/11/2010  13:18           494,592 BFE.DLL
               1 File(s)        494,592 bytes
               0 Dir(s)  206,401,421,312 bytes free
 
dir check using SYSNATIVE for BFE.DLL
 
Current Directory is: C:\Windows\System32
 
Running icacls on 32-Bit
C:\Windows\system32\bfe.dll NT SERVICE\TrustedInstaller:(F)
                            BUILTIN\Administrators:(RX)
                            NT AUTHORITY\SYSTEM:(RX)
                            BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
 
Running icacls on 64-Bit
 
 
SC QC BFE (Base Filtering Engine)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: bfe
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
        LOAD_ORDER_GROUP   : NetworkProvider
        TAG                : 0
        DISPLAY_NAME       : Base Filtering Engine
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : NT AUTHORITY\LocalService
 
SC QUERYEX BFE

SERVICE_NAME: bfe
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 972
        FLAGS              :
 
SC EnumDepend BFE
[SC] EnumDependentServices: entriesread = 4

SERVICE_NAME: RemoteAccess
DISPLAY_NAME: Routing and Remote Access
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: PolicyAgent
DISPLAY_NAME: IPsec Policy Agent
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: MpsSvc
DISPLAY_NAME: Windows Firewall
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: IKEEXT
DISPLAY_NAME: IKE and AuthIP IPsec Keying Modules
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SC QC NetBT (NetBIOS over TCP/IP)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NetBT
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 1   SYSTEM_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : System32\DRIVERS\netbt.sys
        LOAD_ORDER_GROUP   : PNP_TDI
        TAG                : 12
        DISPLAY_NAME       : NetBT
        DEPENDENCIES       : Tdx
                           : tcpip
        SERVICE_START_NAME :
 
SC QUERYEX NetBT

SERVICE_NAME: NetBT
        TYPE               : 1  KERNEL_DRIVER 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC Tcpip (TCP/IP Protocol Driver)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Tcpip
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 0   BOOT_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : \SystemRoot\System32\drivers\tcpip.sys
        LOAD_ORDER_GROUP   : PNP_TDI
        TAG                : 3
        DISPLAY_NAME       : TCP/IP Protocol Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :
 
SC QUERYEX Tcpip

SERVICE_NAME: Tcpip
        TYPE               : 1  KERNEL_DRIVER 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC Tdx (NetIO Legacy TDI Support Driver)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Tdx
        TYPE               : 1  KERNEL_DRIVER
        START_TYPE         : 1   SYSTEM_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : system32\DRIVERS\tdx.sys
        LOAD_ORDER_GROUP   : PNP_TDI
        TAG                : 4
        DISPLAY_NAME       : NetIO Legacy TDI Support Driver
        DEPENDENCIES       : Tcpip
        SERVICE_START_NAME :
 
SC QUERYEX Tdx

SERVICE_NAME: Tdx
        TYPE               : 1  KERNEL_DRIVER 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC RpcSs (Remote Procedure Call (RPC))
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RpcSs
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k rpcss
        LOAD_ORDER_GROUP   : COM Infrastructure
        TAG                : 0
        DISPLAY_NAME       : Remote Procedure Call (RPC)
        DEPENDENCIES       : RpcEptMapper
                           : DcomLaunch
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
 
WC QUERYEX RpcSs

SERVICE_NAME: RpcSs
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 644
        FLAGS              :
 
SC QC DcomLaunch (DCOM Server Process Launcher)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: DcomLaunch
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k DcomLaunch
        LOAD_ORDER_GROUP   : COM Infrastructure
        TAG                : 0
        DISPLAY_NAME       : DCOM Server Process Launcher
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
 
SC QUERYEX DcomLaunch

SERVICE_NAME: DcomLaunch
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 568
        FLAGS              :
 
SC QC RpcEptMapper (RPC Endpoint Mapper)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RpcEptMapper
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k RPCSS
        LOAD_ORDER_GROUP   : COM Infrastructure
        TAG                : 0
        DISPLAY_NAME       : RPC Endpoint Mapper
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
 
SC QUERYEX RpcEptMapper

SERVICE_NAME: RpcEptMapper
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 644
        FLAGS              :
 
SC QC RemoteAccess (Routing and Remote Access)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteAccess
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Routing and Remote Access
        DEPENDENCIES       : RpcSS
                           : Bfe
                           : RasMan
                           : Http
                           : +NetBIOSGroup
        SERVICE_START_NAME : localSystem
 
SC QUERYEX RemoteAccess

SERVICE_NAME: RemoteAccess
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC PolicyAgent (IPsec Policy Agent)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: PolicyAgent
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : IPsec Policy Agent
        DEPENDENCIES       : Tcpip
                           : bfe
        SERVICE_START_NAME : NT Authority\NetworkService
 
SC QUERYEX PolicyAgent

SERVICE_NAME: PolicyAgent
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1120
        FLAGS              :
 
SC QC SharedAccess (Internet Connection Sharing (ICS))
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SharedAccess
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SharedAccess
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
 
SC QUERYEX SharedAccess

SERVICE_NAME: SharedAccess
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC Netman (Network Connections)
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

 
SC QUERYEX Netman
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

 
SC QC nsi (Network Store Interface Service)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nsi
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Network Store Interface Service
        DEPENDENCIES       : nsiproxy
        SERVICE_START_NAME : NT Authority\LocalService
 
SC QUERYEX nsi

SERVICE_NAME: nsi
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 832
        FLAGS              :
 
SC QC WinMgmt (Windows Management Instrumentation)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WinMgmt
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Management Instrumentation
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : localSystem
 
SC QUERYEX WinMgmt

SERVICE_NAME: WinMgmt
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 772
        FLAGS              :
 
SC QC RasMan (Remote Access Connection Manager)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RasMan
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Remote Access Connection Manager
        DEPENDENCIES       : Tapisrv
                           : SstpSvc
        SERVICE_START_NAME : localSystem
 
SC QUERYEX RasMan

SERVICE_NAME: RasMan
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC Tapisrv (Telephony - Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Tapisrv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k NetworkService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Telephony
        DEPENDENCIES       : PlugPlay
                           : RpcSs
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
 
SC QUERYEX Tapisrv

SERVICE_NAME: Tapisrv
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC SstpSvc (Secure Socket Tunneling Protocol Service)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SstpSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Secure Socket Tunneling Protocol Service
        DEPENDENCIES       :
        SERVICE_START_NAME : NT Authority\LocalService
 
SC QUERYEX SstpSvc

SERVICE_NAME: SstpSvc
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC VSS (Volume Shadow Copy - Manages and implements Volume Shadow Copies used for backup and other purposes)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VSS
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\vssvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Volume Shadow Copy
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem
 
SC QUERYEX VSS

SERVICE_NAME: VSS
        TYPE               : 10  WIN32_OWN_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC wuauserv (Windows Update - Enables the detection, download, and installation of updates for Windows and other programs)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Update
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : LocalSystem
 
SC QUERYEX wuauserv

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC bits (Background Intelligent Transfer Service)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: bits
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START  (DELAYED)
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Background Intelligent Transfer Service
        DEPENDENCIES       : RpcSs
                           : EventSystem
        SERVICE_START_NAME : LocalSystem
 
SC QUERYEX bits

SERVICE_NAME: bits
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC EventSystem (COM+ Supports System Event Notification Service)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EventSystem
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : COM+ Event System
        DEPENDENCIES       : rpcss
        SERVICE_START_NAME : NT AUTHORITY\LocalService
 
SC QUERYEX EventSystem

SERVICE_NAME: EventSystem
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1084  (0x43c)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
 
SC QC SDRSVC (Provides Windows Backup and Restore capabilities)
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SDRSVC
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k SDRSVC
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Backup
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : localSystem
 
SC QUERYEX SDRSVC

SERVICE_NAME: SDRSVC
        TYPE               : 10  WIN32_OWN_PROCESS 
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
