Rootkit.0access infection

[dwcre]

I am running Windows Server 2008 Standard.  All my downloads are deleted.  Windows Update is not running.  I ran a scan deleted the found items.  See the following log:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.24.07

Windows Server 2008 Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
DWCross :: DCR-SERVER [administrator]

7/24/2013 1:51:29 PM
mbam-log-2013-07-24 (13-51-29).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 512191
Time elapsed: 48 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\$Recycle.Bin\S-1-5-21-3478161825-3527343326-2822658981-1000\$RDD5748DD (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\DWCross\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\61f84ab9-37feb95a (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

 

I still cannot download email attachments or access Windows Update.  Reading some of the forums, I downloaded Rogue Killer and it turned out the following report:

 

RogueKiller V8.6.3 [Jul 17 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Server 2008 (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : DWCross [Admin rights]
Mode : Scan -- Date : 07/24/2013 16:11:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[DNS] HKLM\[...]\CCSet\[...]\{830E54FB-1968-4054-B754-2D2B11CA9BB2} : NameServer (216.146.35.35,216.146.36.36,8.8.8.8,10.0.0.2) -> FOUND
[DNS] HKLM\[...]\CS001\[...]\{830E54FB-1968-4054-B754-2D2B11CA9BB2} : NameServer (216.146.35.35,216.146.36.36,8.8.8.8,10.0.0.2) -> FOUND
[DNS] HKLM\[...]\CS003\[...]\{830E54FB-1968-4054-B754-2D2B11CA9BB2} : NameServer (216.146.35.35,216.146.36.36,8.8.8.8,10.0.0.2) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-21-3478161825-3527343326-2822658981-1000\$0f63b47f65cedf7ef0bcba0f2d84c016\n. [x]) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Volume0 +++++
--- User ---
[MBR] d2210731fe35215d2b0509d24876f4d0
[bSP] 2d7b8b4910399633fcc302c4b8ca1ce8 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476935 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Volume0 +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_07242013_161146.txt >>
RKreport[0]_S_07242013_145800.txt;RKreport[0]_S_07242013_153439.txt

 

I did not delete any files with Rogue Killer because I did not know what they were.

 

 

Can you help me?

[kevinf80]

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  

 

Kevin

[dwcre]

Here is the FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-07-2013
Ran by DWCross (administrator) on 24-07-2013 17:38:40
Running from C:\Users\DWCross\firefoxdownloads
Microsoft® Windows Server® 2008 Standard  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\system32\LogonUI.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
() C:\Program Files\CyberLink\Shared Files\RichVideo.exe
(Microsoft Corporation) C:\Windows\system32\locator.exe
(Dyn, Inc.) C:\Program Files\DynDNS Updater\DynUpSvc.exe
(Microsoft Corporation) C:\Windows\system32\fxssvc.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Windows\system32\rdpclip.exe
(Cyberlink Corp.) C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
() C:\Windows\System32\kygaSM.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
(Dyn, Inc.) C:\Program Files\DynDNS Updater\DynTray.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\Marketsplash by HP\HPLocalWebPrintAgent.exe
(Kyocera) C:\Program Files\Kyocera\FS-1016MFP_FS-1116MFP\FS-1016MFP\QLINK.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intuit Inc.) C:\Program Files\Intuit\QuickBooks 2009\QBW32.EXE
(WinZip Computing, S.L.) C:\Program Files\WinZip\WZQKPICK32.EXE
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.bin
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
(Intuit, Inc.) C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [updateLBPShortCut] - C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM\...\Run: [RemoteControl] - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [71216 2007-03-15] (Cyberlink Corp.)
HKLM\...\Run: [LanguageShortcut] - C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [52256 2007-01-09] ()
HKLM\...\Run: [uCam_Menu] - C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe [218408 2008-12-04] (CyberLink Corp.)
HKLM\...\Run: [intuit SyncManager] - C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2643320 2012-10-08] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM\...\Run: [] -  [x]
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [37232 2008-06-12] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640376 2008-06-11] (Adobe Systems Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKCU\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2387968 2009-01-28] (Hewlett-Packard Company)
HKCR\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-3478161825-3527343326-2822658981-1000\$0f63b47f65cedf7ef0bcba0f2d84c016\n. ATTENTION! ====> ZeroAccess?
MountPoints2: {bc56c744-75f3-11de-a91a-806e6f6e6963} - D:\BlueBirds.exe
HKU\Administrator\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [ 2009-01-28] (Hewlett-Packard Company)
HKU\Administrator.DCR-server\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [ 2009-01-28] (Hewlett-Packard Company)
HKU\Chuck\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [ 2009-01-28] (Hewlett-Packard Company)
HKU\QBDataServiceUser19\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [ 2009-01-28] (Hewlett-Packard Company)
HKU\Rosabelle\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [ 2009-01-28] (Hewlett-Packard Company)
HKU\Rosabelle\...\Run: [QuickTime Task] - "C:\Program Files\QuickTime\QTTask.exe" -atboottime [ 2013-05-01] (Apple Inc.)
HKU\TEMP\...\Run: [LightScribe Control Panel] - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [ 2009-01-28] (Hewlett-Packard Company)
Lsa: [Notification Packages] scecli RASSFM
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\Administrator.DCR-server\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dyn Updater Tray Icon.lnk
ShortcutTarget: Dyn Updater Tray Icon.lnk -> C:\Program Files\DynDNS Updater\DynTray.exe (Dyn, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Marketsplash Print Software.lnk
ShortcutTarget: Marketsplash Print Software.lnk -> C:\Program Files\Hewlett-Packard\Marketsplash by HP\HPLocalWebPrintAgent.exe (Hewlett-Packard Company)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks 2009\QBW32.EXE (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.)
Startup: C:\Users\DWCross\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\Rosabelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
ShortcutTarget: OpenOffice.org 3.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
Startup: C:\Users\Rosabelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://mail.crossre.com/interfaces/sso/login.php
http://www.navicamls.net/
https://www.schwab.com/public/schwab/client_home
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU -Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/install-ie/alttiff.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 03 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 12 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 13 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 14 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 15 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 16 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 17 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 18 mswsock.dll File Not found (Microsoft Corporation)
Tcpip\..\Interfaces\{830E54FB-1968-4054-B754-2D2B11CA9BB2}: [NameServer]216.146.35.35,216.146.36.36,8.8.8.8,10.0.0.2

FireFox:
========
FF ProfilePath: C:\Users\DWCross\AppData\Roaming\Mozilla\Firefox\Profiles\s2u3svcc.default
FF Homepage: hxxp://my.yahoo.com/|hxxp://mail.crossre.com/interfaces/sso/login.php|https://www.schwab.com/public/schwab/client_home|hxxp://www.navicamls.net/|hxxp://blog.commercialsource.com/
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Default - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

========================== Services (Whitelisted) =================

R2 Dyn Updater; C:\Program Files\DynDNS Updater\DynUpSvc.exe [95608 2011-11-15] (Dyn, Inc.)
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [22016 2008-01-19] (Microsoft Corporation)
R2 QBVSS; C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2011-06-30] (Intuit Inc.)
R3 QuickBooksDB21; C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe [679936 2010-04-28] (Intuit, Inc.)
R2 RichVideo; C:\Program Files\CyberLink\Shared Files\RichVideo.exe [272024 2007-05-13] ()
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [78336 2009-04-11] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [13312 2008-01-19] (Microsoft Corporation)
R2 TermServLicensing; C:\Windows\System32\lserver.dll [468992 2009-04-11] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2008-01-19] (Microsoft Corporation)
R0 inic1620; C:\Windows\System32\DRIVERS\inic1620.sys [20480 2005-08-30] (Initio Corp.)
S4 ioatdma; C:\Windows\system32\drivers\qd26032.sys [31232 2008-01-19] (Intel Corporation)
R0 phylock; C:\Windows\System32\drivers\phylock.sys [20960 2010-06-08] (TeraByte, Inc.)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [88632 2008-01-19] (Microsoft Corporation)
S3 TBIMount; C:\Windows\System32\drivers\tbimount.sys [87648 2010-12-01] (TeraByte, Inc.)
S4 BTHMODEM; \SystemRoot\system32\drivers\bthmodem.sys [x]
S4 s3cap; \SystemRoot\system32\drivers\s3cap.sys [x]
S3 slabbus; system32\DRIVERS\slabbus.sys [x]
S3 slabser; system32\DRIVERS\slabser.sys [x]
S0 storflt; system32\drivers\storflt.sys [x]

==================== NetSvcs (Whitelisted) ===================

NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)

==================== One Month Created Files and Folders ========

2013-07-24 17:38 - 2013-07-24 17:38 - 00000000 ____D C:\FRST
2013-07-24 16:11 - 2013-07-24 16:11 - 00002461 _____ C:\Users\DWCross\Desktop\RKreport[0]_S_07242013_161146.txt
2013-07-24 15:50 - 2013-07-24 15:50 - 00000000 _____ C:\Users\DWCross\AppData\Local\Temp\is7732.tmp
2013-07-24 15:34 - 2013-07-24 15:34 - 00002427 _____ C:\Users\DWCross\Desktop\RKreport[0]_S_07242013_153439.txt
2013-07-24 14:58 - 2013-07-24 14:58 - 00002394 _____ C:\Users\DWCross\Desktop\RKreport[0]_S_07242013_145800.txt
2013-07-24 14:56 - 2013-07-24 15:33 - 00000000 ____D C:\Users\DWCross\Desktop\RK_Quarantine
2013-07-24 14:54 - 2013-07-24 17:38 - 00000000 ____D C:\Users\DWCross\AppData\Local\Temp\2
2013-07-24 13:49 - 2013-07-24 13:49 - 00915968 _____ C:\Users\DWCross\Downloads\RogueKiller.exe
2013-07-18 10:54 - 2013-07-18 10:54 - 00000000 ____D C:\Users\Administrator.DCR-server\AppData\Roaming\Apple Computer
2013-07-11 09:32 - 2013-07-11 09:32 - 00000000 ____D C:\Users\Rosabelle\AppData\Roaming\Apple Computer
2013-07-11 09:02 - 2013-07-11 09:02 - 00000000 ____D C:\Users\DWCross\AppData\Roaming\Apple Computer
2013-07-10 18:10 - 2013-07-24 11:42 - 00002859 _____ C:\Users\DWCross\AppData\Local\Temp\qtplugin.log
2013-07-10 18:10 - 2013-07-24 11:42 - 00001726 _____ C:\Users\Public\Desktop\QuickTime Player.lnk
2013-07-10 18:10 - 2013-07-24 11:42 - 00001336 _____ C:\Users\DWCross\AppData\Local\Temp\QTInstallCode.log
2013-07-10 18:10 - 2013-07-24 11:42 - 00000000 ____D C:\Program Files\QuickTime
2013-07-10 18:10 - 2013-07-10 18:10 - 00000000 ____D C:\ProgramData\Apple Computer
2013-07-10 18:10 - 2013-07-10 18:10 - 00000000 ____D C:\ProgramData\Apple
2013-07-10 18:10 - 2013-07-10 18:10 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-07-10 18:10 - 2013-07-10 18:10 - 00000000 ____D C:\Program Files\Apple Software Update
2013-07-10 08:39 - 2013-07-10 08:39 - 00000846 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-07-10 08:39 - 2013-07-10 08:39 - 00000000 ____D C:\ProgramData\Mozilla
2013-07-10 08:39 - 2013-07-10 08:39 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-07-10 08:39 - 2013-07-10 08:39 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-07-08 14:10 - 2013-07-08 14:10 - 00000906 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-08 13:34 - 2013-07-08 13:34 - 00017161 _____ C:\Users\DWCross\AppData\Local\Temp\hppldcoi.log

==================== One Month Modified Files and Folders =======

2013-07-24 17:38 - 2013-07-24 17:38 - 00000000 ____D C:\FRST
2013-07-24 17:38 - 2013-07-24 14:54 - 00000000 ____D C:\Users\DWCross\AppData\Local\Temp\2
2013-07-24 17:37 - 2009-09-11 10:50 - 00000438 ____H C:\Windows\Tasks\User_Feed_Synchronization-{7D14696C-0A7D-44A1-BEB4-1713A412BA5E}.job
2013-07-24 17:37 - 2009-07-22 14:08 - 00000438 ____H C:\Windows\Tasks\User_Feed_Synchronization-{DA4F1057-CD51-4527-822A-AAD1E051C25F}.job
2013-07-24 17:37 - 2008-01-19 07:35 - 00004832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-24 17:37 - 2008-01-19 07:35 - 00004832 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-24 17:34 - 2009-09-11 11:21 - 00000422 ____H C:\Windows\Tasks\User_Feed_Synchronization-{83EFDFF2-5E39-4116-BCE5-DC4692CB4561}.job
2013-07-24 17:08 - 2011-05-12 12:03 - 00000888 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-24 16:54 - 2012-04-03 07:59 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-24 16:11 - 2013-07-24 16:11 - 00002461 _____ C:\Users\DWCross\Desktop\RKreport[0]_S_07242013_161146.txt
2013-07-24 16:11 - 2009-07-22 14:12 - 00000000 ___RD C:\Users\DWCross\Desktop
2013-07-24 15:57 - 2009-07-22 14:12 - 00000000 ____D C:\Users\DWCross
2013-07-24 15:57 - 2008-01-19 05:40 - 00000000 __RHD C:\Users\Public\Desktop
2013-07-24 15:57 - 2008-01-19 04:45 - 00000188 _____ C:\Windows\win.ini
2013-07-24 15:54 - 2010-06-17 15:00 - 00000000 ____D C:\Program Files\Schwab
2013-07-24 15:52 - 2009-07-30 14:26 - 00000000 ____D C:\Rfwin
2013-07-24 15:52 - 2009-07-16 16:06 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-07-24 15:50 - 2013-07-24 15:50 - 00000000 _____ C:\Users\DWCross\AppData\Local\Temp\is7732.tmp
2013-07-24 15:50 - 2009-09-11 11:28 - 00000000 ___RD C:\Users\Administrator.DCR-server\Desktop
2013-07-24 15:50 - 2009-09-11 11:11 - 00000000 ___RD C:\Users\Chuck\Desktop
2013-07-24 15:50 - 2009-09-09 13:21 - 00000000 ____D C:\Program Files\Google
2013-07-24 15:50 - 2009-07-30 12:00 - 00000000 ___RD C:\Users\Rosabelle\Desktop
2013-07-24 15:50 - 2009-07-22 14:04 - 00000000 ___RD C:\Users\QBDataServiceUser19\Desktop
2013-07-24 15:34 - 2013-07-24 15:34 - 00002427 _____ C:\Users\DWCross\Desktop\RKreport[0]_S_07242013_153439.txt
2013-07-24 15:33 - 2013-07-24 14:56 - 00000000 ____D C:\Users\DWCross\Desktop\RK_Quarantine
2013-07-24 15:09 - 2012-12-21 16:09 - 00000382 _____ C:\Windows\Tasks\FreeFileViewerUpdateChecker.job
2013-07-24 14:58 - 2013-07-24 14:58 - 00002394 _____ C:\Users\DWCross\Desktop\RKreport[0]_S_07242013_145800.txt
2013-07-24 14:58 - 2008-01-19 04:56 - 00735158 _____ C:\Windows\system32\PerfStringBackup.INI
2013-07-24 14:54 - 2011-05-12 12:03 - 00000884 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-24 14:54 - 2009-08-21 15:37 - 00000000 ____D C:\Windows\system32\lserver
2013-07-24 14:54 - 2009-08-21 15:37 - 00000000 ____D C:\Windows\Application Compatibility Scripts
2013-07-24 14:54 - 2009-07-22 14:12 - 00000000 ____D C:\Users\DWCross\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LG Power Tools
2013-07-24 14:54 - 2008-01-19 07:47 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-24 14:42 - 2008-01-19 07:47 - 00032530 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-07-24 13:49 - 2013-07-24 13:49 - 00915968 _____ C:\Users\DWCross\Downloads\RogueKiller.exe
2013-07-24 13:25 - 2009-09-25 13:19 - 00001356 _____ C:\Users\Administrator.DCR-server\AppData\Local\d3d9caps.dat
2013-07-24 13:17 - 2009-09-11 11:28 - 00000000 ____D C:\Users\Administrator.DCR-server
2013-07-24 11:42 - 2013-07-10 18:10 - 00002859 _____ C:\Users\DWCross\AppData\Local\Temp\qtplugin.log
2013-07-24 11:42 - 2013-07-10 18:10 - 00001726 _____ C:\Users\Public\Desktop\QuickTime Player.lnk
2013-07-24 11:42 - 2013-07-10 18:10 - 00001336 _____ C:\Users\DWCross\AppData\Local\Temp\QTInstallCode.log
2013-07-24 11:42 - 2013-07-10 18:10 - 00000000 ____D C:\Program Files\QuickTime
2013-07-24 09:43 - 2009-07-22 14:02 - 00000000 ____D C:\Users\Public\Documents\Intuit
2013-07-24 09:20 - 2009-08-03 08:20 - 00001356 _____ C:\Users\Rosabelle\AppData\Local\d3d9caps.dat
2013-07-23 23:10 - 2013-06-12 16:42 - 00000508 _____ C:\Windows\Tasks\Image for Windows - Task 2.job
2013-07-23 22:00 - 2013-01-07 14:08 - 00000508 _____ C:\Windows\Tasks\Image for Windows - Task 1.job
2013-07-18 19:37 - 2012-04-03 07:59 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-07-18 19:37 - 2011-05-20 08:06 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-07-18 10:54 - 2013-07-18 10:54 - 00000000 ____D C:\Users\Administrator.DCR-server\AppData\Roaming\Apple Computer
2013-07-17 19:03 - 2009-08-21 12:35 - 00000000 ____D C:\Users\Rosabelle\AppData\Roaming\Adobe
2013-07-15 10:15 - 2009-07-22 13:44 - 00000000 ____D C:\Windows\system32\FxsTmp
2013-07-11 09:32 - 2013-07-11 09:32 - 00000000 ____D C:\Users\Rosabelle\AppData\Roaming\Apple Computer
2013-07-11 09:02 - 2013-07-11 09:02 - 00000000 ____D C:\Users\DWCross\AppData\Roaming\Apple Computer
2013-07-10 18:10 - 2013-07-10 18:10 - 00000000 ____D C:\ProgramData\Apple Computer
2013-07-10 18:10 - 2013-07-10 18:10 - 00000000 ____D C:\ProgramData\Apple
2013-07-10 18:10 - 2013-07-10 18:10 - 00000000 ____D C:\Program Files\Common Files\Apple
2013-07-10 18:10 - 2013-07-10 18:10 - 00000000 ____D C:\Program Files\Apple Software Update
2013-07-10 15:10 - 2011-05-02 16:19 - 00091451 _____ C:\Users\DWCross\Desktop\RETMonthly.xls_0.ods
2013-07-10 08:39 - 2013-07-10 08:39 - 00000846 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-07-10 08:39 - 2013-07-10 08:39 - 00000000 ____D C:\ProgramData\Mozilla
2013-07-10 08:39 - 2013-07-10 08:39 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-07-10 08:39 - 2013-07-10 08:39 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-07-10 08:39 - 2010-01-06 23:31 - 00000000 ____D C:\Users\DWCross\AppData\Roaming\Mozilla
2013-07-10 08:29 - 2009-07-22 14:32 - 00000000 ____D C:\Installs
2013-07-08 14:10 - 2013-07-08 14:10 - 00000906 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-07-08 14:10 - 2011-10-13 17:22 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-07-08 13:34 - 2013-07-08 13:34 - 00017161 _____ C:\Users\DWCross\AppData\Local\Temp\hppldcoi.log
2013-07-04 10:53 - 2009-07-30 09:50 - 00000000 ___RD C:\Data
2013-06-24 10:06 - 2009-07-22 14:01 - 00000090 _____ C:\Windows\QBChanUtil_Trigger.ini

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3478161825-3527343326-2822658981-1000\$0f63b47f65cedf7ef0bcba0f2d84c016

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$0f63b47f65cedf7ef0bcba0f2d84c016

Files to move or delete:
====================
C:\Users\DWCross\GoToAssistDownloadHelper.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-07-24 15:00

==================== End Of Log ============================

 

and the Addition log:

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-07-2013
Ran by DWCross at 2013-07-24 17:38:55
Running from C:\Users\DWCross\firefoxdownloads
Boot Mode: Normal
==========================================================


==================== Installed Programs =======================

32 Bit HP CIO Components Installer (Version: 4.1.1)
7500_7600_7700_Help (Version: 1.00.0000)
7-Zip 9.20
ACH Origination Application (Version: 19.40.0.8)
Adobe Acrobat  9 Standard - English, Français, Deutsch (Version: 9.0.0)
Adobe AIR (Version: 1.0.4990)
Adobe AIR (Version: 1.0.8.4990)
Adobe Flash Player 11 ActiveX (Version: 11.8.800.94)
Adobe Flash Player 11 Plugin (Version: 11.8.800.94)
Adobe Reader X (10.1.7) (Version: 10.1.7)
Apple Application Support (Version: 2.3.4)
Apple Software Update (Version: 2.1.3.127)
Avery Media Software 32 bit
Belarc Advisor 7.2
BPD_HPSU (Version: 1.00.0000)
BPD_Scan (Version: 3.00.0000)
BPDSoftware (Version: 82.0.173.000)
BPDSoftware_Ini (Version: 1.00.0000)
Brother P-touch Address Book 1.1 (Version: 1.1.033)
BufferChm (Version: 120.0.194.000)
C4580 (Version: 120.0.209.000)
CCleaner (Version: 3.01)
Copy (Version: 120.0.194.000)
CustomerResearchQFolder (Version: 1.00.0000)
Destination Component (Version: 110.0.0.0)
DeviceDiscovery (Version: 120.0.194.000)
DeviceManagementQFolder (Version: 1.00.0000)
DocProc (Version: 8.1.0.0)
DocProcQFolder (Version: 1.00.0000)
Dyn Updater (Version: 4.1.10)
eSupportQFolder (Version: 1.00.0000)
Fax (Version: 82.0.188.000)
File Type Assistant
Free File Viewer 2012 (Version: 2012.10.9.0)
Google Update Helper (Version: 1.3.21.153)
GoToMeeting 5.1.0.880 (HKCU Version: 5.1.0.880)
HP Customer Participation Program 8.0 (Version: 8.0)
HP Imaging Device Functions 12.0 (Version: 12.0)
HP OCR Software 8.0 (Version: 8.0)
HP Officejet 7500 E910 Basic Device Software (Version: 22.0.334.0)
HP Officejet 7500 E910 Help (Version: 140.0.93.93)
HP Officejet Pro All-In-One Series (Version: 1.0)
HP Photosmart C4500 All-In-One Driver Software12.0 Rel .4 (Version: 12.0)
HP Photosmart Essential (Version: 1.12.0.46)
HP Product Detection (Version: 9.7.2)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 8.0 (Version: 8.0)
HP Update (Version: 5.002.005.003)
HPProductAssistant (Version: 82.0.173.000)
HPSSupply (Version: 120.0.194.000)
I.R.I.S. OCR (Version: 12.3.4)
Image for Windows 2.61 Trial
Java Auto Updater (Version: 2.0.6.1)
Java 6 Update 27 (Version: 6.0.270)
L7600 (Version: 50.0.165.000)
LG CyberLink LabelPrint (Version: 2.0.3605)
LG CyberLink PowerBackup (Version: 2.5.4511)
LG CyberLink PowerDVD 7.0 (Version: 7.0.3409.a)
LG CyberLink PowerProducer (Version: 085312a(3.7)_Vista_LG)
LG CyberLink YouCam (Version: 1.0.2609)
LightScribe System Software (Version: 1.18.1.1)
Linksys Bi-Admin
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
MarketResearch (Version: 82.0.174.000)
Marketsplash Print Software (Version: 1.0.0.31)
Marketsplash Shortcuts (Version: 1.0.0.9)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218 (Version: 9.0.21022.218)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft XML Parser (Version: 8.70.1104.04)
Mozilla Firefox 22.0 (x86 en-US) (Version: 22.0)
Mozilla Maintenance Service (Version: 22.0)
MPM (Version: 1.00.0000)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
neroxml (Version: 1.0.0)
Network (Version: 120.0.194.000)
NetZero For Cosmi (Version: 1.0.0)
OpenOffice.org 3.3 (Version: 3.3.9567)
PC Attorney (Version: 2.1.0000)
Pdf995
PdfEdit995
Personal Trainer Studio - Deed-Chek Subdivide 10.0 Edition
Picasa 3 (Version: 3.9)
Print Server Driver
ProductContext (Version: 50.0.165.000)
PS_AIO_04_C4580_Software_Min (Version: 120.0.209.000)
QuickBooks (Version: 21.0.4013.904)
QuickBooks Pro 2011 (Version: 21.0.4013.904)
QuickTime (Version: 7.74.80.86)
RETTS Real Estate Management System
Scan (Version: 12.0.0.0)
Shipping Assistant 3.6 (Version: 3.6.103.0)
Shop for HP Supplies (Version: 12)
Signature995
SketchUp 8 (Version: 3.0.16846)
SmartWebPrinting (Version: 140.0.186.000)
SolutionCenter (Version: 82.0.188.000)
Speccy (Version: 1.10)
Status (Version: 120.0.194.000)
Suite (Version: 1.00.0000)
SupportSoft Assisted Service (Version: 15)
Tax Forms Helper 2011 10.0
Tax Forms Helper 2012 10.5
TBIView 4.24 - TBIMount 1.06
Toolbox (Version: 120.0.194.000)
Toolbox (Version: 82.0.173.000)
TrayApp (Version: 120.0.194.000)
UnloadSupport (Version: 11.0.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
WebReg (Version: 120.0.194.000)
WinZip 16.0 (Version: 16.0.9715)
 

==================== Restore Points  =========================

Could not list Restore Points.


==================== Hosts content: ==========================

2008-01-19 04:46 - 2006-09-18 17:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {0D3FDE63-AC71-4AEC-AE03-86FAB7609ABB} - System32\Tasks\User_Feed_Synchronization-{83EFDFF2-5E39-4116-BCE5-DC4692CB4561} => C:\Windows\system32\msfeedssync.exe [2011-05-31] (Microsoft Corporation)
Task: {3777C6B6-4EF6-4FBF-B082-6331DCA50DF3} - System32\Tasks\FreeFileViewerUpdateChecker => C:\Program Files\FreeFileViewer\FFVCheckForUpdates.exe [2012-10-13] (Bitberry Software)
Task: {47EFE11B-F8C3-4C20-BFED-9325A1786A28} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-05-12] (Google Inc.)
Task: {491C9688-17A0-45EF-9657-771CBDAE7823} - System32\Tasks\Image for Windows - Task 2 => C:\Program Files\TeraByte Unlimited\Image for Windows\V2\imagew.exe [2010-12-04] (TeraByte Unlimited)
Task: {572F4DE2-C5FD-41A0-B948-F0A1C7688C7C} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerCeipAssistant => C:\Windows\system32\ceipdata.exe [2009-04-11] (Microsoft Corporation)
Task: {60E1F3EB-D26C-4D69-B733-3E5D501124DC} - System32\Tasks\User_Feed_Synchronization-{30E669F5-5288-43F4-ACED-0371CB8DA81D} => C:\Windows\system32\msfeedssync.exe [2011-05-31] (Microsoft Corporation)
Task: {63DED9DB-39A2-4585-AC33-2AFD7ECC69D6} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-05-12] (Google Inc.)
Task: {8180385E-9F01-414E-BE79-08668ADE95AF} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {8458F451-3CAE-4032-BDE8-F38FB1F0C4B1} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server\ServerRoleCollector => C:\Windows\system32\ceiprole.exe [2009-04-11] (Microsoft Corporation)
Task: {91F6CD4C-D7A8-4C69-A108-481BE26EA811} - System32\Tasks\User_Feed_Synchronization-{7E9555A5-EBEE-446A-9809-A18330AFAD03} => C:\Windows\system32\msfeedssync.exe [2011-05-31] (Microsoft Corporation)
Task: {9A6749F1-D890-4A71-8E77-D4FD67B1137F} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-07-18] (Adobe Systems Incorporated)
Task: {A9B24974-47C6-468B-AA74-A511D9F9F580} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {ACBC6D2B-8CAF-4B3B-8674-1563E47AB6EC} - System32\Tasks\User_Feed_Synchronization-{DA4F1057-CD51-4527-822A-AAD1E051C25F} => C:\Windows\system32\msfeedssync.exe [2011-05-31] (Microsoft Corporation)
Task: {B0B9FF5D-7B50-4C18-9EB9-1E5C3AC0F46E} - System32\Tasks\hpUrlLauncher.exe => C:\Program Files\HP\HP Officejet 7500 E910\Bin\utils\hpUrlLauncher.exe [2010-06-14] (Hewlett-Packard Co.)
Task: {B256E7F7-41EC-48E7-A52D-5C21F6170B54} - System32\Tasks\User_Feed_Synchronization-{518FE07D-DC5B-41DE-BC5B-C1019DB14AC8} => C:\Windows\system32\msfeedssync.exe [2011-05-31] (Microsoft Corporation)
Task: {BA003EEC-C058-4214-BB9B-43681CBC240A} - System32\Tasks\Microsoft\Windows\termsrv\licensing\TlsWarning => C:\Windows\system32\tlsbln.exe [2009-04-11] (Microsoft Corporation)
Task: {C0D53485-FFCE-44E6-B60D-4670F2AE1725} - System32\Tasks\User_Feed_Synchronization-{7D14696C-0A7D-44A1-BEB4-1713A412BA5E} => C:\Windows\system32\msfeedssync.exe [2011-05-31] (Microsoft Corporation)
Task: {C13BD08A-D92A-4426-B898-3A54B7A99EFE} - System32\Tasks\Image for Windows - Task 1 => C:\Program Files\TeraByte Unlimited\Image for Windows\V2\imagew.exe [2010-12-04] (TeraByte Unlimited)
Task: {D286A394-0EA5-4860-BBE3-D6A36814245E} - System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries => C:\Windows\system32\rundll32.exe [2006-11-02] (Microsoft Corporation)
Task: {DEDC0DCF-1F3E-4C66-A549-53F6F785739A} - System32\Tasks\Microsoft\Windows\Server Manager\ServerManager => C:\Windows\system32\ServerManagerLauncher.exe [2008-01-19] (Microsoft Corporation)
Task: {F7EA3A84-54CE-444D-A50C-0F862D7E4177} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => c:\program files\windows defender\MpCmdRun.exe No File
Task: {FC196101-720E-4AAD-9AB0-530E904BC234} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-19] (Microsoft Corporation)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\FreeFileViewerUpdateChecker.job => C:\Program Files\FreeFileViewer\FFVCheckForUpdates.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Image for Windows - Task 1.job => C:\Program Files\TeraByte Unlimited\Image for Windows\V2\imagew.exe
Task: C:\Windows\Tasks\Image for Windows - Task 2.job => C:\Program Files\TeraByte Unlimited\Image for Windows\V2\imagew.exe
Task: C:\Windows\Tasks\User_Feed_Synchronization-{7D14696C-0A7D-44A1-BEB4-1713A412BA5E}.job => C:\Windows\system32\msfeedssync.exe
Task: C:\Windows\Tasks\User_Feed_Synchronization-{83EFDFF2-5E39-4116-BCE5-DC4692CB4561}.job => C:\Windows\system32\msfeedssync.exe
Task: C:\Windows\Tasks\User_Feed_Synchronization-{DA4F1057-CD51-4527-822A-AAD1E051C25F}.job => C:\Windows\system32\msfeedssync.exe

==================== Faulty Device Manager Devices =============

Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Officejet Pro L7600
Description: Officejet Pro L7600
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Officejet 7500 E910
Description: Officejet 7500 E910
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Officejet Pro L7600
Description: Officejet Pro L7600
Class Guid: {4d36e979-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (07/24/2013 02:55:54 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/24/2013 02:55:54 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/24/2013 02:55:54 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/24/2013 01:35:24 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/24/2013 01:35:24 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/24/2013 01:35:24 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/24/2013 01:26:37 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/24/2013 01:26:37 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/24/2013 01:26:37 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (07/24/2013 01:18:04 PM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle


System errors:
=============
Error: (07/24/2013 02:55:31 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (07/24/2013 02:54:38 PM) (Source: Service Control Manager) (User: )
Description: storflt

Error: (07/24/2013 02:54:33 PM) (Source: Service Control Manager) (User: )
Description: IPsec Policy AgentBFE

Error: (07/24/2013 02:54:33 PM) (Source: Service Control Manager) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBFE

Error: (07/24/2013 01:49:58 PM) (Source: PlugPlayManager) (User: )
Description: The device 'WDC WD5000AACS-00ZUB SCSI Disk Device' (SCSI\Disk&Ven_WDC&Prod_WD5000AACS-00ZUB&Rev_01.0\5&23a76177&0&000000) disappeared from the system without first being prepared for removal.

Error: (07/24/2013 01:34:31 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (07/24/2013 01:33:38 PM) (Source: Service Control Manager) (User: )
Description: storflt

Error: (07/24/2013 01:33:33 PM) (Source: Service Control Manager) (User: )
Description: IPsec Policy AgentBFE

Error: (07/24/2013 01:33:33 PM) (Source: Service Control Manager) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBFE

Error: (07/24/2013 01:26:19 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)


Microsoft Office Sessions:
=========================
Error: (07/24/2013 02:55:54 PM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/24/2013 02:55:54 PM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/24/2013 02:55:54 PM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/24/2013 01:35:24 PM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/24/2013 01:35:24 PM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/24/2013 01:35:24 PM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/24/2013 01:26:37 PM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/24/2013 01:26:37 PM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/24/2013 01:26:37 PM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (07/24/2013 01:18:04 PM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle


CodeIntegrity Errors:
===================================
  Date: 2013-07-24 14:36:03.746
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_b31e1252666640f6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-24 14:36:03.507
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_b31e1252666640f6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-24 14:36:03.266
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_b31e1252666640f6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-24 14:36:03.013
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_b31e1252666640f6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-24 14:36:02.767
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_b31e1252666640f6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-24 14:36:02.528
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_b31e1252666640f6\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-24 14:34:48.167
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-24 14:34:47.922
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-24 14:34:47.670
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-07-24 14:34:47.420
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 29%
Total physical RAM: 4095.11 MB
Available physical RAM: 2872.77 MB
Total Pagefile: 8357.43 MB
Available Pagefile: 7334.62 MB
Total Virtual: 2047.88 MB
Available Virtual: 1890.7 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.76 GB) (Free:429.53 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 6BDA731C)
Partition 1: (Active) - (Size=466 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

Thanks!

[kevinf80]

OK, we continue:

 

Download attached fixlist.txt file and save it to the Desktop.

 

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

 

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

download RKill from here: http://www.bleepingcomputer.com/download/rkill/

 

There are three buttons to choose from with different names on, select the first one and save it to your desktop.

 

 

•  

   

• Double-click on the Rkill desktop icon to run the tool.

   

   

• If using Vista or Windows 7, right-click on it and Run As Administrator.

   

   

• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

   

   

• A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.

   

   

• If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.

   

   

• If the tool does not run from any of the links provided, please let me know.

   

   

 

 

Next,

 

Download http://www.bleepingcomputer.com/download/adwcleaner/ by Xplode onto your Desktop.

 

 

•  

   

•   Please close all open programs and internet browsers.

   

   

•   Double click on Adwcleaner.exe to run the tool.

   

   

•   Click on Delete.

   

   

•   Confirm each time with OK.

   

   

•   Your computer will be rebooted automatically. A text file will open after the restart.

   

   

•   Please post the content of that logfile in your reply.

   

   

•   You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

   

   

 

 

Next,

 

Open Malwarebytes, check for updates then run Quick scan. Full instructions follow if  Malwarebytes is not installed:

 

Download Malwarebytes from one of the following links and save it to your desktop.:

 

 

http://www.malwarebytes.org/mbam.php 

http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml[/url]

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

 

Double Click mbam-setup.exe to install the application.

 

•  

   

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.

   

   

• If an update is found, it will download and install the latest version.

   

   

• Once the program has loaded, select "Perform Quick Scan", then click Scan.

   

   

• The scan may take some time to finish,so please be patient.

   

   

• When the scan is complete, click OK, then Show Results to view the results.

   

   

• Make sure that everything is checked, and click Remove Selected.

   

   

• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

   

   

• Please save the log to a location you will remember.

   

   

• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

   

   

• Copy and paste the entire report in your next reply.

   

   

 

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

Let me see those logs in next reply, also give an update on any remaining issues or concerns...

 

Kevin...

fixlist.txt

[dwcre]

Here are the logs:

 

Rkill 2.5.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 07/24/2013 06:27:00 PM in x86 mode.
Windows Version: Windows Server ® 2008 Standard Service Pack 2

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\Windows\winsxs\x86_security-malware-windows-defender-events_31bf3856ad364e35_6.0.6001.18000_none_b5980035bb993743\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpClient.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpRtMon.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpRtPlug.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpSigDwn.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6001.18000_none_57bcb0ca582f18c5\MsMpRes.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpClient.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpRtMon.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpRtPlug.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpSigDwn.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpSoftEx.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Windows\winsxs\x86_security-malware-windows-defender_31bf3856ad364e35_6.0.6002.18005_none_59a829d65550e411\MsMpRes.dll => c:\windows\system32\config [File]

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost
  ::1             localhost

Program finished at: 07/24/2013 06:28:14 PM
Execution time: 0 hours(s), 1 minute(s), and 14 seconds(s)
 

 

First AdwCleaner log:

 

# AdwCleaner v2.306 - Logfile created 07/24/2013 at 18:31:16
# Updated 19/07/2013 by Xplode
# Operating system : Windows Server ® 2008 Standard Service Pack 2 (32 bits)
# User : DWCross - DCR-SERVER
# Boot Mode : Normal
# Running from : C:\Users\DWCross\firefoxdownloads\AdwCleaner.exe
# Option [search]


***** [services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Freecause
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\facetheme
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\Freeze.com
Key Found : HKLM\Software\InstallIQ
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16490

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\DWCross\AppData\Roaming\Mozilla\Firefox\Profiles\s2u3svcc.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1437 octets] - [24/07/2013 18:31:16]

########## EOF - C:\AdwCleaner[R1].txt - [1497 octets] ##########
 

Next ADWCleaner log:

 

# AdwCleaner v2.306 - Logfile created 07/24/2013 at 18:31:47
# Updated 19/07/2013 by Xplode
# Operating system : Windows Server ® 2008 Standard Service Pack 2 (32 bits)
# User : DWCross - DCR-SERVER
# Boot Mode : Normal
# Running from : C:\Users\DWCross\firefoxdownloads\AdwCleaner.exe
# Option [Delete]


***** [services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Freecause
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\facetheme
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16490

[OK] Registry is clean.

-\\ Mozilla Firefox v22.0 (en-US)

File : C:\Users\DWCross\AppData\Roaming\Mozilla\Firefox\Profiles\s2u3svcc.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1566 octets] - [24/07/2013 18:31:16]
AdwCleaner[s1].txt - [1515 octets] - [24/07/2013 18:31:47]

########## EOF - C:\AdwCleaner[s1].txt - [1575 octets] ##########

 

MBAM log:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.24.07

Windows Server 2008 Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
DWCross :: DCR-SERVER [administrator]

7/24/2013 6:40:12 PM
mbam-log-2013-07-24 (18-40-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 367572
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

THANK YOU!  THANK YOU!

I went to IE and was able to download and open attachment in email.  This was a major issue for me as I send and receive contracts and other important docs multiple times daily.  Many of the sites I utilize regularly require IE to work and open files.

THANK YOU!

[dwcre]

I have one issue remaining.  I still cannot access Windows Update.  The message says:  "Windows Update cannot currently check for updates, because the service is not running.  You may need to restart your computer."  This is the same message I was getting before.

[kevinf80]

The first step in my last reply should have produced a log named Fixlog.txt I do not see that log in your reply? Also run the following:

 

Download Services Repair tool, available here - http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe and Save it to your Desktop. Right click on it and select Run As Administrator, follow the prompts. It should reboot when it finishes. If not reboot it yourself.

 

Tell me if the update issue is fixed...

[dwcre]

Sorry.  Missed that one.  Here it is.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-07-2013
Ran by DWCross at 2013-07-24 18:20:23 Run:1
Running from C:\Users\DWCross\firefoxdownloads
Boot Mode: Normal

==============================================

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000003\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
C:\Users\DWCross\AppData\Local\Temp\is7732.tmp => Moved successfully.

"C:\Users\DWCross\AppData\Local\Temp\2" directory move:

C:\Users\DWCross\AppData\Local\Temp\2\AdobeARM.log => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\DIO6807.tmp => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\DIO8D41.tmp => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\DIO9BF3.tmp => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\DIODC6C.tmp => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\DWCross.bmp => Moved successfully.
Could not move "C:\Users\DWCross\AppData\Local\Temp\2\FXSAPIDebugLogFile.txt" => Scheduled to move on reboot.
C:\Users\DWCross\AppData\Local\Temp\2\hpqddusr.log => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\MAR3A12.tmp => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\MAR3EE4.tmp => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\Rocky Mt Counter offer.pdf => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\Set539C.tmp => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\setAB9B.tmp => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\STSBD10.tmp => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\Twiford.IV.Perry.2013.PDF => Moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\_iu14D2N.tmp => Moved successfully.
Could not move "C:\Users\DWCross\AppData\Local\Temp\2\~DF989E.tmp" => Scheduled to move on reboot.
C:\Users\DWCross\AppData\Local\Temp\2\{864FD942-BB52-405E-B441-DD8C239EDCDE}\{AA7D3354-2F37-4153-8500-CDC665E01CBB}\install.log => Moved successfully.
Could not move "C:\Users\DWCross\AppData\Local\Temp\2\sv7e6.tmp\sv7e9.tmp" => Scheduled to move on reboot.
C:\Users\DWCross\AppData\Local\Temp\2\ImageDebug\AutoPosToneMap.txt => Moved successfully.
Could not move "C:\Users\DWCross\AppData\Local\Temp\2" directory. => Scheduled to move on reboot.

C:\$Recycle.Bin\S-1-5-21-3478161825-3527343326-2822658981-1000\$0f63b47f65cedf7ef0bcba0f2d84c016 => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$0f63b47f65cedf7ef0bcba0f2d84c016 => Deleted successfully.
C:\Users\DWCross\GoToAssistDownloadHelper.exe => Moved successfully.

=========== Result of Scheduled Files to move ===========
C:\Users\DWCross\AppData\Local\Temp\2\FXSAPIDebugLogFile.txt => Is moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\~DF989E.tmp => Is moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2\sv7e6.tmp\sv7e9.tmp => Is moved successfully.
C:\Users\DWCross\AppData\Local\Temp\2 => Moved successfully.

==== End of Fixlog ====

[dwcre]

Ran the services repair tool.  Now I can't connect to server via Remote Desktop.  I was able to go to server and log in.  Windows Update is now working.  What could have affected Remote Desktop?

[kevinf80]

I`m not really sure about that issue, can you open the following link and see if that information helps in anyway...

 

http://social.technet.microsoft.com/Forums/windowsserver/en-US/c5e95700-c7cb-4d98-9f40-edef2cdb3a74/win2008-server-standard-rdp-stopped-working-to-it

 

 

Also run the following online av scan and post its log:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/home/products/online-scanner/ to run an online scan from ESET.

 

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the Run ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  Click Start
  
• When asked, allow the add/on to be installed
  Click Start
  
• Make sure that the option Remove found threats is unticked
  
• Click on Advanced Settings, ensure the options
  
• Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  Click Scan
  
• wait for the virus definitions to be downloaded
  
• Wait for the scan to finish
  

 

When the scan is complete

 

• If no threats were found
  
• put a checkmark in "Uninstall application on close"
  
• close program
  
• report to me that nothing was found
  

 

If threats were found

 

• click on "list of threats found"
  
• click on "export to text file" and save it as ESET SCAN and save to the desktop
  
• Click on back
  
• put a checkmark in "Uninstall application on close"
  
• click on finish
  

 

close program

 

copy and paste the report here

 

Kevin....

[dwcre]

Here is the ESET scan:

 

C:\Installs\Tools\Tools\ipscan.exe Win32/NetTool.Portscan.C application
C:\Installs\Tools\Tools\system tools\ipscan.exe Win32/NetTool.Portscan.C application
C:\Installs\Tools\Tools\Utilities\ipscan.exe Win32/NetTool.Portscan.C application
C:\Program Files\Windows Defender.old\en-US\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU6BIMH7\index[1].htm HTML/Iframe.B.Gen virus
C:\Users\Administrator.DCR-server\Downloads\7-ZipInstaller.exe Win32/FreeInstaller application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU6BIMH7\index[1].htm HTML/Iframe.B.Gen virus
 

[dwcre]

I found my Remote Desktop issue.  The exception box on Windows Firewall got unchecked during one of the processes we did yesterday

[kevinf80]

Well spotted with the FW issue... Ok run the following:

 

Download OTM from either of the following links and save to your Desktop:

http://oldtimer.geekstogo.com/OTM.exe.
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe  

Double click OTM.exe to start the tool. Vista or Windows 7 users accepy UAC alert. Be aware all processes will be stopped during run, also Desktop will disappear, this will be put back on completion....

• Copy the text from the code box belowbelow to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :FilesC:\Program Files\Windows Defender.old\en-US\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU6BIMH7\index[1].htmC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU6BIMH7\index[1].htm:Commands[EmptyTemp]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
• Click the red button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTM
  

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.
 

Post that log, also give update on any remaining issues or concerns....

 

Kevin....

[dwcre]

All processes killed
Error: Unable to interpret <:FilesC:\Program Files\Windows Defender.old\en-US\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU6BIMH7\index[1].htmC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU6BIMH7\index[1].htm:Commands[EmptyTemp]> in the current context!
 
OTM by OldTimer - Version 3.1.21.0 log created on 07252013_121052
 

Is this what the log should look like?  Before I got to you, I changed the Windows Defender filename to Windows Defender.old trying to fix my issues.  Got that from another forum site. Should I change name back and run OTM again?

[kevinf80]

No need to change the name, OTM will usually remove as per the list from ESET, When OTM gives a reply as above it means it cannot interpret the file address or commands given.

Is it possible the script in the code box was not copied correctly, if the colon was missing from before Files, can give such a reply from OTM, can you try one more time and see what happens, make sure the colon is in place as such.. :Files

 

:FilesC:\Program Files\Windows Defender.old\en-US\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU6BIMH7\index[1].htmC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU6BIMH7\index[1].htm:Commands[EmptyTemp]

[dwcre]

This looks more like it:

 

All processes killed
========== FILES ==========
C:\Program Files\Windows Defender.old\en-US\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU6BIMH7\index[1].htm moved successfully.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HU6BIMH7\index[1].htm not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 15007710 bytes
->Temporary Internet Files folder emptied: 47281124 bytes
->Java cache emptied: 13425894 bytes
->Flash cache emptied: 705 bytes
 
User: Administrator.DCR-server
->Temp folder emptied: 2124735 bytes
->Temporary Internet Files folder emptied: 19875983 bytes
->Java cache emptied: 25495460 bytes
->FireFox cache emptied: 14240133 bytes
->Flash cache emptied: 596 bytes
 
User: All Users
 
User: Chuck
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 9183613 bytes
->Java cache emptied: 25493434 bytes
->Flash cache emptied: 560 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: DWCross
->Temp folder emptied: 12306194 bytes
->Temporary Internet Files folder emptied: 58759103 bytes
->Java cache emptied: 121243327 bytes
->FireFox cache emptied: 32818743 bytes
->Flash cache emptied: 36545 bytes
 
User: Public
 
User: QBDataServiceUser19
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: QBDataServiceUser21
->Temp folder emptied: 1554432 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes
 
User: Rosabelle
->Temp folder emptied: 103545404 bytes
->Temporary Internet Files folder emptied: 31036623 bytes
->Java cache emptied: 36569108 bytes
->Flash cache emptied: 492 bytes
 
User: TEMP
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 350336 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 158051013 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 740 bytes
RecycleBin emptied: 3845562 bytes
 
Total Files Cleaned = 698.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 07252013_154411
 

[kevinf80]

Yes that is what we should see, ok how is your system responding now, any remaining issues or concerns?

[dwcre]

Everything seems to be fine except Windows Defender.   Since I changed the folder name, the paths do not work.

 

In services, it is not running.  Desciption reads: <Failed to Read Description. Error Code: 2>

[dwcre]

Everything seems to be fine except Windows Defender.   Since I changed the folder name, the paths do not work.

 

In services, it is not running.  Desciption reads: <Failed to Read Description. Error Code: 2>

I renamed the folder without .old and my problem downloading attachments returned.  I renamed it .old again and the problem went away.

[kevinf80]

Remove the .old extension one more time, run the service repair tool as you did previously. Any difference?

[AdvancedSetup]

Are you still with us?

[dwcre]

Are you still with us?

[dwcre]

Sorry. Work backed up. My IT guy got back from vacation and stopped by. We installed MS Security Essentials which overrides Windows Defender. This resolved my remaining issue. Thanks again for your help. This was a nightmare at the worst possible time. How do I close the thread?

[kevinf80]

Delete the following from your Desktop or whatever folder you ran them from:

RKill
FRST

Navigate to and delete:

C:\FRST

Next,

Remove ESET Online Scanner (Only if installed)

• Click Start, type programs and features in the Search box, and then press ENTER.
• Click to select the product to be uninstalled from the listing of installed products(ESET Online Scanner), and then click Uninstall/Change from the bar that displays the available tasks to remove ESET.
  

Only re-boot if prompted

Next,

• Download OTC by OldTimer from here http://oldtimer.geekstogo.com/OTC.exe or here http://www.itxassociates.com/OT-Tools/OTC.exe and save to your Desktop.
• Double click icon to start the program.
  If you are using Vista or Windows 7 accept UAC
• Then Click the big button.
• You will get a prompt saying "Begining Cleanup Process". Please select Yes.
• Restart your computer when prompted.
• This will remove tools we have used and itself.
  

Any tools/logs remaining on the Desktop can be deleted.

Let me know those steps complete OK, also if any remaining issues or concerns. If all is ok i`ll ask one of the mods to close out the thread....

Thank you,

Kevin...

[dwcre]

Everything cleaned up and working normal. 

 

Thank you!

 

David