Blocking malicious website

I have noticed a wave of blocked malicious websites from Malwarebytes Pro. They don't happen every time I turn the computer on, but when they do, they come in large blocks. They all seem to be from the same site, 222.186.101.77, from the process svchost.exe. The ports will vary from day to day, both incoming and outgoing. On some days, my logs are full of these. I've taken some steps to check for infections:

Safe mode with networking:

  • Zonealarm Extreme security full scan

Safe mode without networking:

  • Malwarebytes Pro full scan
  • Housecall full scan
  • TDSSkiller full scan
  • Bitdefender Rootkit Removal scan
  • Trend Micro RootkitBuster full scan
  • Sophos Virus Removal Tool scan

Normal mode:

  • RogueKiller scan
  • TDSSkiller scan
  • GMER scan
  • Bitdefender Rootkit Removal scan
  • RUBotted
  • Trend Micro RootkitBuster

I made sure the scanners were up to date before scanning. Everything reported clean. RogueKiller did find 2 registry entries however. I've run DDS and will attach the logs along with some other logs from scanners I've run.

Attached logs:

  • dds.txt
  • attach.txt
  • RKreport0_S_08312013_102643.txt
  • hijackthis.log
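A triage pass over the kind of Malwarebytes IP-BLOCK entries the poster describes, as an added example (not the poster's logs and not Malwarebytes' code): it groups blocks per remote address and separates inbound-only noise from connections that something on the host initiated, which is the distinction the poster is worried about. The tab-separated line layout is an assumption modelled on the MBAM 1.x protection log, and the sample lines, the second address and the burst threshold are constructed.

```python
"""Triage helper for Malwarebytes IP-BLOCK entries (added example; not Malwarebytes'
or the poster's code). The tab-separated layout is an assumption modelled on the
MBAM 1.x protection log, and the sample lines are constructed, not real logs."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: one remote address, a host process, changing ports,
# both directions, arriving in bursts on two separate days.
SAMPLE_LOG = (
    "2013/08/31 09:02:11 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t"
    "222.186.101.77 (Type: outgoing, Port: 49372, Process: svchost.exe)\n"
    "2013/08/31 09:02:14 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t"
    "222.186.101.77 (Type: incoming, Port: 3389, Process: svchost.exe)\n"
    "2013/08/31 09:02:20 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t"
    "222.186.101.77 (Type: outgoing, Port: 49388, Process: svchost.exe)\n"
    "2013/09/01 18:44:03 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t"
    "222.186.101.77 (Type: outgoing, Port: 49401, Process: svchost.exe)\n"
    "2013/09/01 18:44:09 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t"
    "198.51.100.23 (Type: incoming, Port: 445, Process: System)\n"
    "2013/09/01 18:50:00 -0700\tSHAIHULUD\tRandy\tPROTECTION\t"
    "Protection started successfully\n"
)

BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\t[^\t]*\t[^\t]*\tIP-BLOCK\t"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<dir>incoming|outgoing), "
    r"Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

# Processes that host many unrelated components: a block attributed to one of
# these still has to be tied to the specific service or DLL that made the call.
SHARED_HOST_PROCESSES = {"svchost.exe", "system", "explorer.exe", "rundll32.exe"}
BURST_GAP_SECONDS = 60  # events closer together than this count as one burst


@dataclass
class BlockEvent:
    when: datetime
    remote_ip: str
    direction: str  # "incoming" or "outgoing"
    port: int
    process: str


@dataclass
class RemoteSummary:
    remote_ip: str
    incoming: int = 0
    outgoing: int = 0
    ports: set = field(default_factory=set)
    processes: set = field(default_factory=set)
    days: set = field(default_factory=set)
    bursts: int = 0


def parse_blocks(log_text):
    """Return the IP-BLOCK events in a protection log; other entry types are skipped."""
    events = []
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line.rstrip("\r"))
        if m:
            when = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S %z")
            events.append(BlockEvent(when, m["ip"], m["dir"], int(m["port"]), m["proc"].lower()))
    return events


def summarize(events):
    """Group events per remote address, counting direction, ports, days and bursts."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.remote_ip].append(ev)
    summaries = {}
    for ip, evs in by_ip.items():
        s, last = RemoteSummary(ip), None
        for ev in sorted(evs, key=lambda e: e.when):
            if ev.direction == "outgoing":
                s.outgoing += 1
            else:
                s.incoming += 1
            s.ports.add(ev.port)
            s.processes.add(ev.process)
            s.days.add(ev.when.date())
            if last is None or (ev.when - last).total_seconds() > BURST_GAP_SECONDS:
                s.bursts += 1
            last = ev.when
        summaries[ip] = s
    return summaries


def assess(s):
    """Rate one remote address: inbound-only noise versus a connection something local initiated."""
    if s.outgoing == 0:
        return "low", "inbound only: unsolicited traffic stopped at the host, no local initiator"
    notes = ["%d outbound attempts (%d distinct ports seen)" % (s.outgoing, len(s.ports))]
    shared = s.processes & SHARED_HOST_PROCESSES
    if shared:
        notes.append("attributed to %s; identify the owning service or module" % ", ".join(sorted(shared)))
    if len(s.days) > 1:
        notes.append("recurs on %d days in %d bursts" % (len(s.days), s.bursts))
    return ("high" if len(notes) == 3 else "medium"), "; ".join(notes)
```

Calling `assess()` on each entry of `summarize(parse_blocks(SAMPLE_LOG))` rates the recurring outbound address high and the inbound-only address low; the high rating is a prompt to find which service inside that svchost instance made the call, not a verdict on its own.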


Hello rhammond17

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete, let me have the two reports and let me know how things are running.

Gringo


Hello Gringo,

Thanks for responding. I have run the two programs and will attach the logs. Junkware was run as administrator. I should note that I was not comfortable shutting off my protection while still connected to the internet, so I physically disconnected my system from the internet before shutting down ZoneAlarm and Malwarebytes. Looking at the Malwarebytes log, I don't see any blocked IP, but this is not unusual. It does not happen all the time but comes in waves. What disturbs me is that the blocked IPs are also outgoing, as if something that I can't find with several tools is on my system.

Randy

#####################

ADWCleaner

#####################

# AdwCleaner v3.002 - Report created 02/09/2013 at 11:18:45
# Updated 01/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Randy - SHAIHULUD
# Running from : C:\Users\Randy\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Randy\AppData\Local\Conduit
Folder Deleted : C:\Users\Randy\AppData\LocalLow\Conduit
[!] Folder Deleted : C:\Users\Randy\AppData\Roaming\CheckPoint\ZoneAlarm LTD Toolbar
Folder Deleted : C:\Users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\fhhfcl5a.default\Conduit
Folder Deleted : C:\Users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\fhhfcl5a.default\ConduitCommon
Folder Deleted : C:\Users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\fhhfcl5a.default\ConduitEngine
Folder Deleted : C:\Users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\fhhfcl5a.default\StumbleUpon
File Deleted : C:\Windows\SysWOW64\conduitEngine.tmp
File Deleted : C:\Users\Randy\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\fhhfcl5a.default\searchplugins\zonealarm.xml
File Deleted : C:\Users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\fhhfcl5a.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2925418
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{48C9C8B0-A546-46C1-A81F-47A31E623E9D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\Software\Conduit
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502


-\\ Mozilla Firefox v17.0.1 (en-US)

[ File : C:\Users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\fhhfcl5a.default\prefs.js ]


-\\ Google Chrome v29.0.1547.62

[ File : C:\Users\Randy\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [20948 octets] - [02/09/2013 11:16:03]
AdwCleaner[s0].txt - [21177 octets] - [02/09/2013 11:18:45]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [21238 octets] ##########

#####################

Junkware Removal Tool

#####################

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.7 (09.01.2013:1)
OS: Windows 7 Home Premium x64
Ran by Randy on Mon 09/02/2013 at 11:26:13.77
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 09/02/2013 at 11:32:01.42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hello rhammond17

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:

  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Hey Gringo,

I ran ComboFix and will attach the log. I disconnected the internet and shut down ZoneAlarm and Malwarebytes, then ran ComboFix. However, I didn't disable the run at startup for ZA or MB. When ComboFix rebooted, it froze at Preparing Log report. I let it run for a half hour before rebooting the machine. I then shut down ZA and MB once again, disabled run at startup, and reran ComboFix. The second time it completed. Fortunately, the log file shows the files deleted from the previous run. One thing I noted was that CliSecureRT.dll was deleted both times. Hmmm.... I looked to see if ComboFix had indeed deleted it after the second run, and I couldn't find it. However, I then rebooted my machine to get everything up and running again, and I checked for CliSecureRT.dll and the file has returned to the same spot.

A look in the Malwarebytes log files shows no IP blocking yet today.

Randy

######################

ComboFix

######################

ComboFix 13-09-02.02 - Randy 09/02/2013  16:44:28.2.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.16384.13910 [GMT -7:00]
Running from: c:\users\Randy\Desktop\ComboFix.exe
FW: ZoneAlarm Extreme Security Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Extreme Security Anti-Spyware *Disabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Randy\AppData\Local\Temp\acc98a83-4789-42d6-8c8f-ba0c09eb1879\CliSecureRT.dll
.
---- Previous Run -------
.
c:\users\Randy\AppData\Local\Temp\acc98a83-4789-42d6-8c8f-ba0c09eb1879\CliSecureRT.dll
c:\users\Randy\Desktop\Setup.exe
c:\windows\msvcr71.dll
c:\windows\SysWow64\frapsvid.dll
c:\windows\SysWow64\lsm.exe
c:\windows\SysWow64\regobj.dll
c:\windows\SysWow64\tmpE881.tmp
c:\windows\SysWow64\tmpEB8F.tmp
D:\install.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-02 to 2013-09-02  )))))))))))))))))))))))))))))))
.
.
2013-09-02 23:54 . 2013-09-02 23:54    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-09-02 18:26 . 2013-09-02 18:26    --------    d-----w-    c:\windows\ERUNT
2013-09-02 18:15 . 2013-09-02 18:18    --------    d-----w-    C:\AdwCleaner
2013-08-31 17:26 . 2013-08-31 17:26    41984    ----a-w-    c:\windows\system32\drivers\winusb.sys.bak
2013-08-31 17:26 . 2013-08-31 17:26    109696    ----a-w-    c:\windows\system32\drivers\USBAUDIO.sys.bak
2013-08-31 17:26 . 2013-08-31 17:26    80464    ----a-w-    c:\windows\system32\drivers\sisraid4.sys.bak
2013-08-31 17:26 . 2013-08-31 17:26    114752    ----a-w-    c:\windows\system32\drivers\lsi_fc.sys.bak
2013-08-31 17:26 . 2013-08-31 17:26    78848    ----a-w-    c:\windows\system32\drivers\IPMIDrv.sys.bak
2013-08-31 17:25 . 2013-08-31 17:25    85384    ----a-w-    c:\windows\system32\drivers\ftser2k.sys.bak
2013-08-31 17:25 . 2013-08-31 17:25    108832    ----a-w-    c:\windows\system32\drivers\fltsrv.sys.bak
2013-08-31 17:25 . 2013-08-31 17:25    45568    ----a-w-    c:\windows\system32\drivers\circlass.sys.bak
2013-08-31 17:25 . 2013-08-31 17:25    87632    ----a-w-    c:\windows\system32\drivers\arc.sys.bak
2013-08-31 17:25 . 2013-08-31 17:25    60928    ----a-w-    c:\windows\system32\drivers\amdppm.sys.bak
2013-08-31 17:11 . 2013-08-31 17:11    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-08-31 17:10 . 2013-08-31 17:10    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-08-29 02:33 . 2013-08-06 08:58    9515512    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{3AB90D83-37D8-4ED8-8C25-50BBD6EACF52}\mpengine.dll
2013-08-28 02:15 . 2009-08-20 07:50    24416    ----a-r-    c:\windows\system32\AdobePDFUI.dll
2013-08-25 07:41 . 2013-08-25 07:41    0    ----a-w-    c:\windows\SysWow64\winlogon.exe
2013-08-25 07:41 . 2013-08-25 07:41    0    ----a-w-    c:\windows\SysWow64\smss.exe
2013-08-25 07:41 . 2013-08-25 07:41    0    ----a-w-    c:\windows\SysWow64\services.exe
2013-08-25 07:41 . 2013-08-25 07:41    0    ----a-w-    c:\windows\SysWow64\lsass.exe
2013-08-24 16:44 . 2013-08-24 16:44    --------    d-----w-    c:\programdata\Sophos
2013-08-24 16:43 . 2013-08-24 16:43    73728    ----a-r-    c:\users\Randy\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-08-24 16:43 . 2013-08-24 16:43    73728    ----a-r-    c:\users\Randy\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-08-24 16:43 . 2013-08-24 16:43    73728    ----a-r-    c:\users\Randy\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2013-08-17 08:49 . 2013-06-27 09:57    172920    ----a-w-    c:\windows\system32\drivers\idmwfp.sys
2013-08-15 02:54 . 2013-08-15 02:54    --------    d-----w-    c:\programdata\Trend Micro
2013-08-15 02:52 . 2013-08-15 02:52    --------    d-----w-    c:\program files (x86)\Trend Micro
2013-08-14 02:34 . 2013-06-15 04:32    39936    ----a-w-    c:\windows\system32\drivers\tssecsrv.sys
2013-08-14 02:34 . 2013-07-09 05:51    1217024    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-08-14 02:34 . 2013-07-09 04:52    663552    ----a-w-    c:\windows\SysWow64\rpcrt4.dll
2013-08-14 02:34 . 2013-07-25 09:25    1888768    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-08-14 02:34 . 2013-07-25 08:57    1620992    ----a-w-    c:\windows\SysWow64\WMVDECOD.DLL
2013-08-14 02:34 . 2013-07-09 05:52    224256    ----a-w-    c:\windows\system32\wintrust.dll
2013-08-14 02:34 . 2013-07-09 05:46    184320    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-08-14 02:34 . 2013-07-09 05:46    1472512    ----a-w-    c:\windows\system32\crypt32.dll
2013-08-14 02:34 . 2013-07-09 05:46    139776    ----a-w-    c:\windows\system32\cryptnet.dll
2013-08-14 02:34 . 2013-07-09 04:52    175104    ----a-w-    c:\windows\SysWow64\wintrust.dll
2013-08-14 02:34 . 2013-07-09 04:46    140288    ----a-w-    c:\windows\SysWow64\cryptsvc.dll
2013-08-14 02:34 . 2013-07-09 04:46    1166848    ----a-w-    c:\windows\SysWow64\crypt32.dll
2013-08-14 02:34 . 2013-07-09 04:46    103936    ----a-w-    c:\windows\SysWow64\cryptnet.dll
2013-08-14 02:33 . 2013-07-06 06:03    1910208    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-08-13 04:54 . 2013-08-13 04:54    --------    dc-h--w-    c:\programdata\{6C01D0A2-AD25-4414-A44B-50D3159D1D9F}
2013-08-13 04:51 . 2013-08-13 04:51    --------    dc-h--w-    c:\programdata\{8D8448B4-DB2F-40BD-A53E-EA29A2EADDC4}
2013-08-13 04:50 . 2013-08-13 04:50    --------    dc-h--w-    c:\programdata\{03B61650-6A02-427E-8669-446D635453DD}
2013-08-13 04:49 . 2013-08-13 04:49    --------    dc-h--w-    c:\programdata\{74DB3B90-1497-4A6E-90BA-B176EFE13649}
2013-08-13 04:49 . 2013-08-13 04:49    --------    dc-h--w-    c:\programdata\{21E31F3C-3F9E-42A7-8D5C-6B93D935F5CE}
2013-08-13 04:48 . 2013-08-13 04:48    --------    dc-h--w-    c:\programdata\{2E6321BB-FAC3-49D4-A09B-950445E829D2}
2013-08-13 04:47 . 2013-08-13 04:47    --------    dc-h--w-    c:\programdata\{3B9A3AE3-5BE1-4645-A31C-753724255564}
2013-08-13 04:47 . 2013-08-13 04:47    --------    dc-h--w-    c:\programdata\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}
2013-08-13 04:46 . 2013-08-13 04:46    --------    dc-h--w-    c:\programdata\{68662BBC-37F9-4D7A-AF98-3BB4D33BC0F1}
2013-08-13 04:43 . 2013-08-13 04:43    --------    dc-h--w-    c:\programdata\{E051D9C8-9503-489B-8E90-21CEB1DF11C1}
2013-08-13 04:40 . 2013-08-13 04:40    --------    dc-h--w-    c:\programdata\{B2B57FBA-DA61-4D1B-A585-4D382AFF525E}
2013-08-13 04:35 . 2013-08-13 04:35    --------    dc-h--w-    c:\programdata\{C5CAF473-C900-4049-BCE5-A93E0EBA7EF2}
2013-08-13 04:29 . 2013-08-13 04:29    --------    dc-h--w-    c:\programdata\{F92C204F-6C39-4D56-B100-EC929C871966}
2013-08-13 04:18 . 2013-08-13 04:18    --------    dc-h--w-    c:\programdata\{7E15FB3A-A743-4BAD-9286-E6F67959668B}
2013-08-13 04:07 . 2013-08-13 04:07    --------    dc-h--w-    c:\programdata\{7BE4FC83-B14E-4B45-8B6E-796413BA5083}
2013-08-13 03:51 . 2012-10-31 16:51    33240    ----a-w-    c:\windows\system32\drivers\GEARAspiWDM.sys
2013-08-11 23:11 . 2013-08-11 23:11    --------    d-----w-    c:\users\Randy\.ipython
2013-08-07 00:21 . 2013-08-14 02:39    --------    d-----w-    c:\windows\system32\MRT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-31 17:10 . 2013-03-26 19:52    867240    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-08-31 17:10 . 2013-03-26 19:52    789416    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-08-14 02:37 . 2011-01-10 01:29    78161360    ----a-w-    c:\windows\system32\MRT.exe
2013-07-21 03:02 . 2012-04-04 01:52    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-21 03:02 . 2011-05-14 17:48    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-09 04:45 . 2013-08-14 02:35    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2013-06-05 03:34 . 2013-07-25 02:03    3153920    ----a-w-    c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\win7\Games\Steam\steam.exe" [2013-08-28 1811880]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"IDMan"="d:\win7\Program Files (x86)\Internet Download Manager\IDMan.exe" [2013-08-06 3665488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Zboard"="d:\win7\games\Ideazon\ZEngine\Zboard.exe" [2011-02-22 182784]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" [2009-09-04 959488]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"LWS"="d:\win7\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2013-03-28 6365920]
"AcronisTibMounterMonitor"="c:\program files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe" [2013-01-10 1103424]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"Trend Micro RUBotted V2.0 Beta"="c:\program files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe" [2013-07-26 1102872]
.
c:\users\Randy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Randy\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
EvernoteClipper.lnk - d:\win7\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe [2013-7-23 1089888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
O&O Defrag Tray.lnk - c:\windows\Installer\{72C47E50-F95D-415C-8EA5-AE6899B151F3}\DefragIcon.exe [2013-7-12 292878]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;d:\win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;d:\win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]
R3 BRDriver64;BRDriver64;c:\programdata\bitraider\BRDriver64.sys;c:\programdata\bitraider\BRDriver64.sys [x]
R3 BRSptSvc;BitRaider Mini-Support Service;c:\programdata\bitraider\BRSptSvc.exe;c:\programdata\bitraider\BRSptSvc.exe [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]
R3 FLASHSYS;FLASHSYS;c:\program files (x86)\MSI\Live Update 4\LU4\FLASHSYS64.sys;c:\program files (x86)\MSI\Live Update 4\LU4\FLASHSYS64.sys [x]
R3 JNPRNA;Juniper Network Agent Miniport;c:\windows\system32\DRIVERS\jnprna6.sys;c:\windows\SYSNATIVE\DRIVERS\jnprna6.sys [x]
R3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\DRIVERS\jnprva.sys;c:\windows\SYSNATIVE\DRIVERS\jnprva.sys [x]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\DRIVERS\jnprvamgr.sys;c:\windows\SYSNATIVE\DRIVERS\jnprvamgr.sys [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys;c:\windows\SYSNATIVE\DRIVERS\LVPr2M64.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 SaiH0763;SaiH0763;c:\windows\system32\DRIVERS\SaiH0763.sys;c:\windows\SYSNATIVE\DRIVERS\SaiH0763.sys [x]
R3 SaiH0BAC;SaiH0BAC;c:\windows\system32\DRIVERS\SaiH0BAC.sys;c:\windows\SYSNATIVE\DRIVERS\SaiH0BAC.sys [x]
R3 Samsung UPD Service2;Samsung UPD Service2;c:\windows\System32\SUPDSvc2.exe;c:\windows\SYSNATIVE\SUPDSvc2.exe [x]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;d:\win7\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP4\RpcAgentSrv.exe;d:\win7\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP4\RpcAgentSrv.exe [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys;c:\windows\SYSNATIVE\DRIVERS\fltsrv.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 tib;Acronis TIB Manager;c:\windows\system32\DRIVERS\tib.sys;c:\windows\SYSNATIVE\DRIVERS\tib.sys [x]
S0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\DRIVERS\tib_mounter.sys;c:\windows\SYSNATIVE\DRIVERS\tib_mounter.sys [x]
S0 vididr;Acronis Virtual Disk;c:\windows\system32\DRIVERS\vididr.sys;c:\windows\SYSNATIVE\DRIVERS\vididr.sys [x]
S0 vidsflt;Acronis Disk Storage Filter;c:\windows\system32\DRIVERS\vidsflt.sys;c:\windows\SYSNATIVE\DRIVERS\vidsflt.sys [x]
S2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys;c:\windows\SYSNATIVE\DRIVERS\idmwfp.sys [x]
S2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [x]
S2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [x]
S2 MBAMScheduler;MBAMScheduler;d:\win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;d:\win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [x]
S2 nlscc;Nalpeiron X64 Service;c:\windows\system32\nlsInterface.exe;c:\windows\SYSNATIVE\nlsInterface.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
S2 OODefragAgent;O&O Defrag;d:\win7\Program Files\OO Software\Defrag\oodag.exe;d:\win7\Program Files\OO Software\Defrag\oodag.exe [x]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 syncagentsrv;Acronis Sync Agent Service;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [x]
S2 TomTomHOMEService;TomTomHOMEService;d:\win7\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe;d:\win7\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [x]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys;c:\windows\SYSNATIVE\DRIVERS\afcdp.sys [x]
S3 CorsairCAHS1;CA-HS1 Interface;c:\windows\system32\drivers\CAHS164.sys;c:\windows\SYSNATIVE\drivers\CAHS164.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;QuickCam Orbit/Sphere AF(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 paeusbaudio;paeusbaudio;c:\windows\system32\DRIVERS\paeusbaudio_x64.sys;c:\windows\SYSNATIVE\DRIVERS\paeusbaudio_x64.sys [x]
S3 paeusbaudiodsp;paeusbaudiodsp;c:\windows\system32\DRIVERS\paeusbaudiodsp_x64.sys;c:\windows\SYSNATIVE\DRIVERS\paeusbaudiodsp_x64.sys [x]
S3 paeusbaudioks;paeusbaudioks;c:\windows\system32\DRIVERS\paeusbaudioks_x64.sys;c:\windows\SYSNATIVE\DRIVERS\paeusbaudioks_x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-31 22:33    1177552    ----a-w-    c:\program files (x86)\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-03 08:10]
.
2013-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-03 08:10]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncError]
@="{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}"
[HKEY_CLASSES_ROOT\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}]
2013-03-28 05:37    2818800    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncInProgress]
@="{00F848DC-B1D4-4892-9C25-CAADC86A215D}"
[HKEY_CLASSES_ROOT\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D}]
2013-03-28 05:37    2818800    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncOk]
@="{71573297-552E-46fc-BE3D-3DFAF88D47B7}"
[HKEY_CLASSES_ROOT\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7}]
2013-03-28 05:37    2818800    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    164016    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    164016    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    164016    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    164016    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-11-15 23:07    23496    ----a-w-    d:\win7\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2009-06-03 194560]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-03 11545192]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2009-06-03 357888]
"CAHS1Sound"="c:\windows\Syswow64\CAHS1.dll" [2011-07-08 8724480]
"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2013-02-15 516928]
"Nvtmru"="c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-05-16 1012000]
"OODefragTray"="d:\win7\Program Files\OO Software\Defrag\oodtray.exe" [2013-04-20 7074096]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Clip Image - d:\win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - d:\win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - d:\win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - d:\win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - d:\win7\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - d:\win7\Program Files (x86)\Internet Download Manager\IEExt.htm
IE: New Note - d:\win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html

Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7515BF99-A920-4227-9700-342B3C1CB0DB}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\fhhfcl5a.default\

.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{a94e8dc9-07aa-45a7-8af2-a0375473a5cd} - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
WebBrowser-{A94E8DC9-07AA-45A7-8AF2-A0375473A5CD} - (no file)
HKLM-Run-ISW - (no file)
AddRemove-GoogleNexus7ToolKit46 - d:\google nexus 7 toolkit\Uninst.exe
AddRemove-GoogleNexus7ToolKit47 - d:\google nexus 7 toolkit\Uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10o\UserChoice]
@Denied: (2) (S-1-5-21-1412374026-2160322937-99312788-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10o"
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10p\UserChoice]
@Denied: (2) (S-1-5-21-1412374026-2160322937-99312788-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10p"
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10pf\UserChoice]
@Denied: (2) (S-1-5-21-1412374026-2160322937-99312788-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10pf"
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (S-1-5-21-1412374026-2160322937-99312788-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xmp"
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):f0,58,09,ca,78,2d,83,af,bf,b9,a1,cf,52,66,44,03,9c,bf,96,e7,ba,
   6c,5d,3a,ec,39,79,ab,ec,2b,22,84,f9,a7,01,15,0a,6b,69,96,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000_Classes\Wow6432Node\CLSID\{e7c67b08-18ab-41cd-8685-d18260e00136}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000085
"Therad"=dword:0000001f
"MData"=hex(0):a2,07,61,35,eb,cd,08,85,d4,7f,25,18,f2,27,6c,ba,a9,46,32,45,0d,
   57,3a,a1,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG11.00.00.01WORKSTATION"="B2A821FAF5B1EADAC6646AEC5E3538B5FE223CAD7DBF3F0CA11CA9B63B973797DCB3E37F9787FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B9808A2D97226D213B555A6171C11EC38DE3DA9C6AECB7A5D1407F556129A86459511D42C2832C90DDE3FED35DCDDD879FAB99E910BCDCE9D7C7C6C4869F497ED589AA7C5995482832B916F5D085A29EFB7357AEC1D509E9CC39EB3823EDBF842C1B6A8161E88A3E5C3CE44585E6A85704BC25C0AF94D704B5C310CE3106E6E9A68C364196B4E4DF58503E4D9688F08C6F6BE49F0A1E4FD1E8A03A870F20FECB13620DAE8CAE9D0D91EBFBEB4C50F8420CF0C3FD2A6FEB2EBE667B1D190E69FAAEA3003C818E439989198B5E4A971FD103E102B02B1C533EFDF344351A3DEE408995AC41DC689BE2139279E09D8032D8D7E3471F37C26D24938C2EDE0FB27CF33280BFCEC5AE9D2453F874360AC56FDF0A26568C5D6D11C7C0574B4130033A67752B17D676BD79839A45A62D316C011F90E96DA35A4C0CB70AFAA102127B9E386A6C2895C2AEDE6173C452E6B15DABB4B7A3D09A55BACD470F64BEBE5FCB6367386B45D415607CADC2FEF4BD54281066A73D1A31D09925BAB6BC2A9E022E77F37A904A2AE44C2826BF787D5E2C5D62CC2DBD3D447CA36B8B6F37E1C374BD1D6AE9B307C615E868107E5BBD90C5D3F1F22E6C2B472D41CFA07C9718AB0C03A07993ABCFE3B22F96FDA1E425AE85EE283BA9E265412ED8FE4F8FA1132B85DAD0E1D39B1333F200929F31853CCB72DB032A2DD87B53E711FE9CB68D9C2DE93F91FC19D1A1797FC64BDC21FAB1C5A4359365556734F2FCF9BB4A4484ADFD766B31FF1C3061B91747F6E9DD38BA5573051D1B08D7B0EC40A1B2308A5E3A2FA6E302A01D988A39C5193B53DA938BCD816D278F65C36CF83B9F9C563DC2E1645D78D8FA0E2B98ACEF51C3DBFE6FAA4AA2BD9D34FEDBDE6108853E184A0343BD4E1A7CE6B36361D61D7D8E5A5299E99C0B8A83EC3442E1C37378CF221F502046E632321DBFC1C1BB07FCD4155DF754AB01E444AC1B32A29E61848A4CEB62EDB7A42E7EF54B60FBABC8AC31917CE53D633CE743C9CE4D73D3112F35989904C1B04FB9FDA1838B7A42CA9C7689A8C115628CE470C8AD55FFBCEA0BBA6B006F814BBA0BA334F254275C6A328DC6E078AD18F388E66A6D5EEFB99D31254066C518974546CFE07F85D3F79D07A5C89FB224790BBDE2BED0A3948904E2DE234ECF835A7CE2AFA2F843B06D51F95FDC480BBAAF319117044EBF2DED647888144879541705DAF139CE796C28F0E968B5EFBBF61292943FD6E48D535330BDF17A70B534F
8EE07D6B079B29E201355E86F52999434154564F983F9F3090F6B73C2F1F5FF1E4CBD55B8B6A324826"
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
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2013-09-02  17:06:46 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-03 00:06
.
Pre-Run: 74,250,141,696 bytes free
Post-Run: 73,639,415,808 bytes free
.
- - End Of File - - 14B9734B77D841A32F0CB937E06220D6
A36C5E4F47E84449FF07ED3517B43A31
 


  • Staff

Hello rhammond17

That file is a legit file, and it gets replaced because the makers put it in a temp file and expect it to get removed.

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

CFScriptB-4.gif

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"

  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

Hey Gringo,

I logged in this evening to do a few things before running your script. After about 20 min I had the following in my MBAW pro logs:

 

2013/09/03 18:11:33 -0700    SHAIHULUD    (null)    MESSAGE    Starting protection
2013/09/03 18:11:33 -0700    SHAIHULUD    (null)    MESSAGE    Protection started successfully
2013/09/03 18:11:33 -0700    SHAIHULUD    (null)    MESSAGE    Starting IP protection
2013/09/03 18:11:35 -0700    SHAIHULUD    Randy    MESSAGE    IP Protection started successfully
2013/09/03 19:29:01 -0700    SHAIHULUD    Randy    IP-BLOCK    46.19.138.110 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:29:01 -0700    SHAIHULUD    Randy    IP-BLOCK    46.19.138.110 (Type: outgoing, Port: 51859, Process: svchost.exe)
2013/09/03 19:29:01 -0700    SHAIHULUD    Randy    IP-BLOCK    46.19.138.110 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:29:01 -0700    SHAIHULUD    Randy    IP-BLOCK    46.19.138.110 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:29:09 -0700    SHAIHULUD    Randy    IP-BLOCK    46.19.138.110 (Type: outgoing, Port: 51859, Process: svchost.exe)
2013/09/03 19:29:09 -0700    SHAIHULUD    Randy    IP-BLOCK    46.19.138.110 (Type: outgoing, Port: 51859, Process: svchost.exe)
2013/09/03 19:29:09 -0700    SHAIHULUD    Randy    IP-BLOCK    46.19.138.110 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:29:09 -0700    SHAIHULUD    Randy    IP-BLOCK    46.19.138.110 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:29:09 -0700    SHAIHULUD    Randy    IP-BLOCK    46.19.138.110 (Type: outgoing, Port: 51859, Process: svchost.exe)
2013/09/03 19:35:33 -0700    SHAIHULUD    Randy    IP-BLOCK    58.241.40.74 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:35:33 -0700    SHAIHULUD    Randy    IP-BLOCK    58.241.40.74 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:35:41 -0700    SHAIHULUD    Randy    IP-BLOCK    58.241.40.74 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:35:41 -0700    SHAIHULUD    Randy    IP-BLOCK    58.241.40.74 (Type: incoming, Port: 51859, Process: svchost.exe)
...

 

The 58.241.40.74 (incoming) was repeated about 250 times and continuing until I rebooted my computer.  The blocks did not return after the reboot.

 

I disconnected from the internet, shut down ZA and MBAW, and ran your script with ComboFix. I'll attach the log.

 

Randy
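The repeated IP-BLOCK lines above, turned into something a reader can run: this is an added example, not part of Randy's post or of any Malwarebytes tooling. It parses protection-log lines in the format pasted above, aggregates blocks by remote IP, direction and process (so "same IP, ports vary" patterns stand out), and flags any IP blocked repeatedly within a short window, which generalises the "~250 repeats of 58.241.40.74" observation to any IP. The sample log is constructed for the example: host and user names are placeholders, the two IPs are the ones reported in the post.

```python
"""Summarise Malwarebytes 'IP-BLOCK' protection-log lines and flag bursts.

Each log line is: timestamp, UTC offset, host, user, event type, message,
separated by runs of whitespace, as in the lines pasted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<kind>[A-Z-]+)\s+(?P<msg>.*)$"
)
# Message body of an IP-BLOCK event: "<ip> (Type: <dir>, Port: <n>, Process: <exe>)"
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<dir>incoming|outgoing), "
    r"Port: (?P<port>\d+), Process: (?P<proc>[^)]+)\)$"
)

# Constructed sample in the thread's log format: host/user are placeholders,
# the two IPs are the ones reported in the post. Not copied from the machine.
SAMPLE_LOG = """\
2013/09/03 18:11:33 -0700    EXAMPLEHOST    (null)    MESSAGE    Starting IP protection
2013/09/03 19:29:01 -0700    EXAMPLEHOST    user    IP-BLOCK    46.19.138.110 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:29:01 -0700    EXAMPLEHOST    user    IP-BLOCK    46.19.138.110 (Type: outgoing, Port: 51859, Process: svchost.exe)
2013/09/03 19:29:09 -0700    EXAMPLEHOST    user    IP-BLOCK    46.19.138.110 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:35:33 -0700    EXAMPLEHOST    user    IP-BLOCK    58.241.40.74 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:35:33 -0700    EXAMPLEHOST    user    IP-BLOCK    58.241.40.74 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:35:41 -0700    EXAMPLEHOST    user    IP-BLOCK    58.241.40.74 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:35:41 -0700    EXAMPLEHOST    user    IP-BLOCK    58.241.40.74 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:35:50 -0700    EXAMPLEHOST    user    IP-BLOCK    58.241.40.74 (Type: incoming, Port: 51859, Process: svchost.exe)
2013/09/03 19:35:50 -0700    EXAMPLEHOST    user    IP-BLOCK    58.241.40.74 (Type: incoming, Port: 49210, Process: svchost.exe)
2013/09/03 20:01:00 -0700    EXAMPLEHOST    user    IP-BLOCK    58.241.40.74 (Type: outgoing, Port: 51859, Process: svchost.exe)
this line is not in the log format and must be skipped
"""


def parse_blocks(lines):
    """Yield one dict per IP-BLOCK line; MESSAGE lines and junk are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["kind"] != "IP-BLOCK":
            continue
        b = BLOCK_RE.match(m["msg"])
        if not b:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "ip": b["ip"],
            "dir": b["dir"],
            "port": int(b["port"]),
            "proc": b["proc"],
        }


def summarize(lines):
    """Aggregate blocks: {(ip, direction, process): count, ports, first, last}."""
    out = {}
    for ev in parse_blocks(lines):
        key = (ev["ip"], ev["dir"], ev["proc"])
        s = out.setdefault(
            key, {"count": 0, "ports": set(), "first": ev["ts"], "last": ev["ts"]}
        )
        s["count"] += 1
        s["ports"].add(ev["port"])
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    for s in out.values():
        s["ports"] = sorted(s["ports"])  # stable, printable
    return out


def bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return IPs blocked at least `threshold` times inside any `window`.

    Sliding window over each IP's sorted timestamps; one hit per IP is enough.
    """
    per_ip = defaultdict(list)
    for ev in parse_blocks(lines):
        per_ip[ev["ip"]].append(ev["ts"])
    flagged = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # drop stamps that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for (ip, direction, proc), s in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:15} {direction:8} {proc:12} x{s['count']:<4} ports={s['ports']} "
              f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
    print("burst IPs:", bursts(SAMPLE_LOG.splitlines()))
```

Run it against a real export (one line per event) by passing the file's lines to `summarize` and `bursts`; a burst from a single remote IP on a single system process is the pattern worth taking to the helper, not each individual block line.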

 

 

########################

ComboFix

########################

 

ComboFix 13-09-02.02 - Randy 09/03/2013  20:27:08.3.8 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.16384.13445 [GMT -7:00]
Running from: c:\users\Randy\Desktop\ComboFix.exe
Command switches used :: c:\users\Randy\Desktop\CFScript.txt
FW: ZoneAlarm Extreme Security Firewall *Disabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Extreme Security Anti-Spyware *Disabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Randy\AppData\Local\Temp\acc98a83-4789-42d6-8c8f-ba0c09eb1879\CliSecureRT.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-04 to 2013-09-04  )))))))))))))))))))))))))))))))
.
.
2013-09-04 03:36 . 2013-09-04 03:36    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-09-03 00:07 . 2013-09-04 03:37    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2013-09-02 18:26 . 2013-09-02 18:26    --------    d-----w-    c:\windows\ERUNT
2013-09-02 18:15 . 2013-09-02 18:18    --------    d-----w-    C:\AdwCleaner
2013-08-31 17:26 . 2013-08-31 17:26    41984    ----a-w-    c:\windows\system32\drivers\winusb.sys.bak
2013-08-31 17:26 . 2013-08-31 17:26    109696    ----a-w-    c:\windows\system32\drivers\USBAUDIO.sys.bak
2013-08-31 17:26 . 2013-08-31 17:26    80464    ----a-w-    c:\windows\system32\drivers\sisraid4.sys.bak
2013-08-31 17:26 . 2013-08-31 17:26    114752    ----a-w-    c:\windows\system32\drivers\lsi_fc.sys.bak
2013-08-31 17:26 . 2013-08-31 17:26    78848    ----a-w-    c:\windows\system32\drivers\IPMIDrv.sys.bak
2013-08-31 17:25 . 2013-08-31 17:25    85384    ----a-w-    c:\windows\system32\drivers\ftser2k.sys.bak
2013-08-31 17:25 . 2013-08-31 17:25    108832    ----a-w-    c:\windows\system32\drivers\fltsrv.sys.bak
2013-08-31 17:25 . 2013-08-31 17:25    45568    ----a-w-    c:\windows\system32\drivers\circlass.sys.bak
2013-08-31 17:25 . 2013-08-31 17:25    87632    ----a-w-    c:\windows\system32\drivers\arc.sys.bak
2013-08-31 17:25 . 2013-08-31 17:25    60928    ----a-w-    c:\windows\system32\drivers\amdppm.sys.bak
2013-08-31 17:11 . 2013-08-31 17:11    --------    d-----w-    c:\program files (x86)\Common Files\Java
2013-08-31 17:10 . 2013-08-31 17:10    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-08-29 02:33 . 2013-08-06 08:58    9515512    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{3AB90D83-37D8-4ED8-8C25-50BBD6EACF52}\mpengine.dll
2013-08-28 02:15 . 2009-08-20 07:50    24416    ----a-r-    c:\windows\system32\AdobePDFUI.dll
2013-08-25 07:41 . 2013-08-25 07:41    0    ----a-w-    c:\windows\SysWow64\winlogon.exe
2013-08-25 07:41 . 2013-08-25 07:41    0    ----a-w-    c:\windows\SysWow64\smss.exe
2013-08-25 07:41 . 2013-08-25 07:41    0    ----a-w-    c:\windows\SysWow64\services.exe
2013-08-25 07:41 . 2013-08-25 07:41    0    ----a-w-    c:\windows\SysWow64\lsass.exe
2013-08-24 16:44 . 2013-08-24 16:44    --------    d-----w-    c:\programdata\Sophos
2013-08-24 16:43 . 2013-08-24 16:43    73728    ----a-r-    c:\users\Randy\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-08-24 16:43 . 2013-08-24 16:43    73728    ----a-r-    c:\users\Randy\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-08-24 16:43 . 2013-08-24 16:43    73728    ----a-r-    c:\users\Randy\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2013-08-17 08:49 . 2013-06-27 09:57    172920    ----a-w-    c:\windows\system32\drivers\idmwfp.sys
2013-08-15 02:54 . 2013-08-15 02:54    --------    d-----w-    c:\programdata\Trend Micro
2013-08-15 02:52 . 2013-08-15 02:52    --------    d-----w-    c:\program files (x86)\Trend Micro
2013-08-14 02:34 . 2013-06-15 04:32    39936    ----a-w-    c:\windows\system32\drivers\tssecsrv.sys
2013-08-14 02:34 . 2013-07-09 05:51    1217024    ----a-w-    c:\windows\system32\rpcrt4.dll
2013-08-14 02:34 . 2013-07-09 04:52    663552    ----a-w-    c:\windows\SysWow64\rpcrt4.dll
2013-08-14 02:34 . 2013-07-25 09:25    1888768    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2013-08-14 02:34 . 2013-07-25 08:57    1620992    ----a-w-    c:\windows\SysWow64\WMVDECOD.DLL
2013-08-14 02:34 . 2013-07-09 05:52    224256    ----a-w-    c:\windows\system32\wintrust.dll
2013-08-14 02:34 . 2013-07-09 05:46    184320    ----a-w-    c:\windows\system32\cryptsvc.dll
2013-08-14 02:34 . 2013-07-09 05:46    1472512    ----a-w-    c:\windows\system32\crypt32.dll
2013-08-14 02:34 . 2013-07-09 05:46    139776    ----a-w-    c:\windows\system32\cryptnet.dll
2013-08-14 02:34 . 2013-07-09 04:52    175104    ----a-w-    c:\windows\SysWow64\wintrust.dll
2013-08-14 02:34 . 2013-07-09 04:46    140288    ----a-w-    c:\windows\SysWow64\cryptsvc.dll
2013-08-14 02:34 . 2013-07-09 04:46    1166848    ----a-w-    c:\windows\SysWow64\crypt32.dll
2013-08-14 02:34 . 2013-07-09 04:46    103936    ----a-w-    c:\windows\SysWow64\cryptnet.dll
2013-08-14 02:33 . 2013-07-06 06:03    1910208    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-08-13 04:54 . 2013-08-13 04:54    --------    dc-h--w-    c:\programdata\{6C01D0A2-AD25-4414-A44B-50D3159D1D9F}
2013-08-13 04:51 . 2013-08-13 04:51    --------    dc-h--w-    c:\programdata\{8D8448B4-DB2F-40BD-A53E-EA29A2EADDC4}
2013-08-13 04:50 . 2013-08-13 04:50    --------    dc-h--w-    c:\programdata\{03B61650-6A02-427E-8669-446D635453DD}
2013-08-13 04:49 . 2013-08-13 04:49    --------    dc-h--w-    c:\programdata\{74DB3B90-1497-4A6E-90BA-B176EFE13649}
2013-08-13 04:49 . 2013-08-13 04:49    --------    dc-h--w-    c:\programdata\{21E31F3C-3F9E-42A7-8D5C-6B93D935F5CE}
2013-08-13 04:48 . 2013-08-13 04:48    --------    dc-h--w-    c:\programdata\{2E6321BB-FAC3-49D4-A09B-950445E829D2}
2013-08-13 04:47 . 2013-08-13 04:47    --------    dc-h--w-    c:\programdata\{3B9A3AE3-5BE1-4645-A31C-753724255564}
2013-08-13 04:47 . 2013-08-13 04:47    --------    dc-h--w-    c:\programdata\{6773A69F-BAAF-4138-BA38-16B1C896C9B8}
2013-08-13 04:46 . 2013-08-13 04:46    --------    dc-h--w-    c:\programdata\{68662BBC-37F9-4D7A-AF98-3BB4D33BC0F1}
2013-08-13 04:43 . 2013-08-13 04:43    --------    dc-h--w-    c:\programdata\{E051D9C8-9503-489B-8E90-21CEB1DF11C1}
2013-08-13 04:40 . 2013-08-13 04:40    --------    dc-h--w-    c:\programdata\{B2B57FBA-DA61-4D1B-A585-4D382AFF525E}
2013-08-13 04:35 . 2013-08-13 04:35    --------    dc-h--w-    c:\programdata\{C5CAF473-C900-4049-BCE5-A93E0EBA7EF2}
2013-08-13 04:29 . 2013-08-13 04:29    --------    dc-h--w-    c:\programdata\{F92C204F-6C39-4D56-B100-EC929C871966}
2013-08-13 04:18 . 2013-08-13 04:18    --------    dc-h--w-    c:\programdata\{7E15FB3A-A743-4BAD-9286-E6F67959668B}
2013-08-13 04:07 . 2013-08-13 04:07    --------    dc-h--w-    c:\programdata\{7BE4FC83-B14E-4B45-8B6E-796413BA5083}
2013-08-13 03:51 . 2012-10-31 16:51    33240    ----a-w-    c:\windows\system32\drivers\GEARAspiWDM.sys
2013-08-11 23:11 . 2013-08-11 23:11    --------    d-----w-    c:\users\Randy\.ipython
2013-08-07 00:21 . 2013-08-14 02:39    --------    d-----w-    c:\windows\system32\MRT
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-31 17:10 . 2013-03-26 19:52    867240    ----a-w-    c:\windows\SysWow64\npDeployJava1.dll
2013-08-31 17:10 . 2013-03-26 19:52    789416    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2013-08-14 02:37 . 2011-01-10 01:29    78161360    ----a-w-    c:\windows\system32\MRT.exe
2013-07-21 03:02 . 2012-04-04 01:52    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-21 03:02 . 2011-05-14 17:48    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-09 04:45 . 2013-08-14 02:35    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    64792    ----a-w-    c:\program files (x86)\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    130736    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="d:\win7\Games\Steam\steam.exe" [2013-08-28 1811880]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"IDMan"="d:\win7\Program Files (x86)\Internet Download Manager\IDMan.exe" [2013-08-06 3665488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Zboard"="d:\win7\games\Ideazon\ZEngine\Zboard.exe" [2011-02-22 182784]
"THX Audio Control Panel"="c:\program files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" [2009-09-04 959488]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"LWS"="d:\win7\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2011-03-02 190808]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2013-03-28 6365920]
"AcronisTibMounterMonitor"="c:\program files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe" [2013-01-10 1103424]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"Trend Micro RUBotted V2.0 Beta"="c:\program files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe" [2013-07-26 1102872]
.
c:\users\Randy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Randy\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
EvernoteClipper.lnk - d:\win7\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe [2013-7-23 1089888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
O&O Defrag Tray.lnk - c:\windows\Installer\{72C47E50-F95D-415C-8EA5-AE6899B151F3}\DefragIcon.exe [2013-7-12 292878]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;d:\win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;d:\win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]
R3 BRDriver64;BRDriver64;c:\programdata\bitraider\BRDriver64.sys;c:\programdata\bitraider\BRDriver64.sys [x]
R3 BRSptSvc;BitRaider Mini-Support Service;c:\programdata\bitraider\BRSptSvc.exe;c:\programdata\bitraider\BRSptSvc.exe [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]
R3 FLASHSYS;FLASHSYS;c:\program files (x86)\MSI\Live Update 4\LU4\FLASHSYS64.sys;c:\program files (x86)\MSI\Live Update 4\LU4\FLASHSYS64.sys [x]
R3 JNPRNA;Juniper Network Agent Miniport;c:\windows\system32\DRIVERS\jnprna6.sys;c:\windows\SYSNATIVE\DRIVERS\jnprna6.sys [x]
R3 jnprva;Juniper Networks Virtual Adapter Service;c:\windows\system32\DRIVERS\jnprva.sys;c:\windows\SYSNATIVE\DRIVERS\jnprva.sys [x]
R3 JnprVaMgr;Juniper Networks Virtual Adapter Manager Service;c:\windows\system32\DRIVERS\jnprvamgr.sys;c:\windows\SYSNATIVE\DRIVERS\jnprvamgr.sys [x]
R3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys;c:\windows\SYSNATIVE\DRIVERS\LVPr2M64.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 SaiH0763;SaiH0763;c:\windows\system32\DRIVERS\SaiH0763.sys;c:\windows\SYSNATIVE\DRIVERS\SaiH0763.sys [x]
R3 SaiH0BAC;SaiH0BAC;c:\windows\system32\DRIVERS\SaiH0BAC.sys;c:\windows\SYSNATIVE\DRIVERS\SaiH0BAC.sys [x]
R3 Samsung UPD Service2;Samsung UPD Service2;c:\windows\System32\SUPDSvc2.exe;c:\windows\SYSNATIVE\SUPDSvc2.exe [x]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;d:\win7\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP4\RpcAgentSrv.exe;d:\win7\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP4\RpcAgentSrv.exe [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys;c:\windows\SYSNATIVE\DRIVERS\fltsrv.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 tib;Acronis TIB Manager;c:\windows\system32\DRIVERS\tib.sys;c:\windows\SYSNATIVE\DRIVERS\tib.sys [x]
S0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\DRIVERS\tib_mounter.sys;c:\windows\SYSNATIVE\DRIVERS\tib_mounter.sys [x]
S0 vididr;Acronis Virtual Disk;c:\windows\system32\DRIVERS\vididr.sys;c:\windows\SYSNATIVE\DRIVERS\vididr.sys [x]
S0 vidsflt;Acronis Disk Storage Filter;c:\windows\system32\DRIVERS\vidsflt.sys;c:\windows\SYSNATIVE\DRIVERS\vidsflt.sys [x]
S2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys;c:\windows\SYSNATIVE\DRIVERS\idmwfp.sys [x]
S2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [x]
S2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [x]
S2 MBAMScheduler;MBAMScheduler;d:\win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;d:\win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [x]
S2 nlscc;Nalpeiron X64 Service;c:\windows\system32\nlsInterface.exe;c:\windows\SYSNATIVE\nlsInterface.exe [x]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys;c:\windows\SYSNATIVE\drivers\npf.sys [x]
S2 OODefragAgent;O&O Defrag;d:\win7\Program Files\OO Software\Defrag\oodag.exe;d:\win7\Program Files\OO Software\Defrag\oodag.exe [x]
S2 RUBotSrv;Trend Micro RUBotted Service;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe;c:\program files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 syncagentsrv;Acronis Sync Agent Service;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [x]
S2 TomTomHOMEService;TomTomHOMEService;d:\win7\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe;d:\win7\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [x]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
S3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys;c:\windows\SYSNATIVE\DRIVERS\afcdp.sys [x]
S3 CorsairCAHS1;CA-HS1 Interface;c:\windows\system32\drivers\CAHS164.sys;c:\windows\SYSNATIVE\drivers\CAHS164.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;QuickCam Orbit/Sphere AF(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys;c:\windows\SYSNATIVE\drivers\MBfilt64.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S3 paeusbaudio;paeusbaudio;c:\windows\system32\DRIVERS\paeusbaudio_x64.sys;c:\windows\SYSNATIVE\DRIVERS\paeusbaudio_x64.sys [x]
S3 paeusbaudiodsp;paeusbaudiodsp;c:\windows\system32\DRIVERS\paeusbaudiodsp_x64.sys;c:\windows\SYSNATIVE\DRIVERS\paeusbaudiodsp_x64.sys [x]
S3 paeusbaudioks;paeusbaudioks;c:\windows\system32\DRIVERS\paeusbaudioks_x64.sys;c:\windows\SYSNATIVE\DRIVERS\paeusbaudioks_x64.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys;c:\windows\SYSNATIVE\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-08-31 22:33    1177552    ----a-w-    c:\program files (x86)\Google\Chrome\Application\29.0.1547.62\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-03 08:10]
.
2013-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-03 08:10]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 17:20    75544    ----a-w-    c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncError]
@="{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}"
[HKEY_CLASSES_ROOT\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}]
2013-03-28 05:37    2818800    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncInProgress]
@="{00F848DC-B1D4-4892-9C25-CAADC86A215D}"
[HKEY_CLASSES_ROOT\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D}]
2013-03-28 05:37    2818800    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncOk]
@="{71573297-552E-46fc-BE3D-3DFAF88D47B7}"
[HKEY_CLASSES_ROOT\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7}]
2013-03-28 05:37    2818800    ----a-w-    c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    164016    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    164016    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    164016    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36    164016    ----a-w-    c:\users\Randy\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-11-15 23:07    23496    ----a-w-    d:\win7\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SaiMfd"="c:\program files\Saitek\SD6\Software\SaiMfd.exe" [2009-06-03 194560]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-03 11545192]
"ProfilerU"="c:\program files\Saitek\SD6\Software\ProfilerU.exe" [2009-06-03 357888]
"CAHS1Sound"="c:\windows\Syswow64\CAHS1.dll" [2011-07-08 8724480]
"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2013-02-15 516928]
"Nvtmru"="c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [2013-05-16 1012000]
"ISW"="" [BU]
"OODefragTray"="d:\win7\Program Files\OO Software\Defrag\oodtray.exe" [2013-04-20 7074096]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Clip Image - d:\win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4
IE: Clip selection - d:\win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
IE: Clip this page - d:\win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
IE: Clip URL - d:\win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - d:\win7\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - d:\win7\Program Files (x86)\Internet Download Manager\IEExt.htm
IE: New Note - d:\win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html

Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{7515BF99-A920-4227-9700-342B3C1CB0DB}: NameServer = 8.8.8.8,8.8.4.4
FF - ProfilePath - c:\users\Randy\AppData\Roaming\Mozilla\Firefox\Profiles\fhhfcl5a.default\

.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
AddRemove-GoogleNexus7ToolKit46 - d:\google nexus 7 toolkit\Uninst.exe
AddRemove-GoogleNexus7ToolKit47 - d:\google nexus 7 toolkit\Uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10o\UserChoice]
@Denied: (2) (S-1-5-21-1412374026-2160322937-99312788-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10o"
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10p\UserChoice]
@Denied: (2) (S-1-5-21-1412374026-2160322937-99312788-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10p"
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v10pf\UserChoice]
@Denied: (2) (S-1-5-21-1412374026-2160322937-99312788-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.v10pf"
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (S-1-5-21-1412374026-2160322937-99312788-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 10.0.xmp"
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):f0,58,09,ca,78,2d,83,af,bf,b9,a1,cf,52,66,44,03,9c,bf,96,e7,ba,
   6c,5d,3a,ec,39,79,ab,ec,2b,22,84,f9,a7,01,15,0a,6b,69,96,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-1412374026-2160322937-99312788-1000_Classes\Wow6432Node\CLSID\{e7c67b08-18ab-41cd-8685-d18260e00136}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000085
"Therad"=dword:0000001f
"MData"=hex(0):a2,07,61,35,eb,cd,08,85,d4,7f,25,18,f2,27,6c,ba,a9,46,32,45,0d,
   57,3a,a1,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2013-09-03  20:48:23 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-04 03:48
ComboFix2.txt  2013-09-03 00:06
.
Pre-Run: 78,912,688,128 bytes free
Post-Run: 78,259,511,296 bytes free
.
- - End Of File - - 5D1B3F594C1EE18AC3D207506AE830ED
A36C5E4F47E84449FF07ED3517B43A31

  • Staff

Hello rhammond17

I would like you to try and run these next.

TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • more than one report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". The one that I need is the larger one. Please copy and paste the contents of that file here.

    Note** this report can be very long - so if the website gives you an error saying it is too long you may attach it

    If the forum still complains about it being too long, send me everything that is at the end of the report after where it says

    ==================

    Scan finished

    ==================

and I will see if I want to see the whole report

--RogueKiller--

Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit

  • Quit all programs that you may have started.
  • Please disconnect any external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The scan will make two reports; the one I would like to see is called RKreport[2].txt on your Desktop.
  • Exit/Close RogueKiller.

Send me the reports made from TDSSKiller and RogueKiller and also let me know how the computer is doing at this time.

Gringo


Hey Gringo,

    I ran TDSSkiller and Roguekiller and will attach the reports.  The Roguekiller reports have different filenames now; RKreport[2].txt doesn't exist. There is a scan mode report and a remove mode report, named RKreport[0]_S_<date>_<time>.txt and RKReport_D_<date>_<time>.txt respectively.  I'll include both.  Checking the MBAW logs, I don't see any intrusions yet tonight.  We'll see though.

 

Edit: The TDSSkiller report was too long.  I am physically attaching it.

 

Randy

 

###############################

TDSSKiller

###############################

 

Physically attached.

 

###############################

Roguekiller - Scan mode

###############################

 

RogueKiller V8.6.9 _x64_ [Sep  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Randy [Admin rights]
Mode : Scan -- Date : 09/06/2013 19:52:06
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST31000528AS ATA Device +++++
--- User ---
[MBR] 0bf92b143fd2a2b4b8aedc42606a2515
[BSP] 01038f030bb8e666a0e90986ded60ede : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 199899 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600000 | Size: 753868 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST31000528AS ATA Device +++++
--- User ---
[MBR] 9d5a03709eb1b9ee65dad700c26a4613
[BSP] 8cd7ebb293344cebc582671bb35a1203 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 200000 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409602048 | Size: 500000 Mo
2 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 1433608470 | Size: 253863 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: ST31000528AS ATA Device +++++
--- User ---
[MBR] a6b72c819c84e800efc87a119b2022b1
[BSP] a837919dfa9d38943515e8354c407b75 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476940 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: ST31000528AS ATA Device +++++
--- User ---
[MBR] 01f2f79384a2d23bc579e43d08b398ac
[BSP] 79fb9123c83fffacb743600e2c8dcc5a : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_09062013_195206.txt >>


 

###############################

Roguekiller - Remove mode

###############################

 

RogueKiller V8.6.9 _x64_ [Sep  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Randy [Admin rights]
Mode : Remove -- Date : 09/06/2013 19:52:22
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST31000528AS ATA Device +++++
--- User ---
[MBR] 0bf92b143fd2a2b4b8aedc42606a2515
[BSP] 01038f030bb8e666a0e90986ded60ede : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 199899 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600000 | Size: 753868 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST31000528AS ATA Device +++++
--- User ---
[MBR] 9d5a03709eb1b9ee65dad700c26a4613
[BSP] 8cd7ebb293344cebc582671bb35a1203 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 200000 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409602048 | Size: 500000 Mo
2 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 1433608470 | Size: 253863 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: ST31000528AS ATA Device +++++
--- User ---
[MBR] a6b72c819c84e800efc87a119b2022b1
[BSP] a837919dfa9d38943515e8354c407b75 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476940 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive3: ST31000528AS ATA Device +++++
--- User ---
[MBR] 01f2f79384a2d23bc579e43d08b398ac
[BSP] 79fb9123c83fffacb743600e2c8dcc5a : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_09062013_195222.txt >>
RKreport[0]_S_09062013_195206.txt


 

TDSSKiller.2.9.2.0_06.09.2013_19.42.35_log.txt


  • Staff

Hello

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here CCleaner

    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. Default settings are fine.
    • Click Run Cleaner.
    • Close CCleaner.

: Malwarebytes' Anti-Malware :

I see that you have MBAM installed - that is great! At this time I would like you to update it and run a quick scan for me.

  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

  • Go Here to download HijackThis program
  • Save HijackThis to your desktop.
  • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
  • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
  • Copy and paste the HijackThis report into the topic
"information and logs"
  • In your next post I need the following
    • Log From MBAM
    • report from Hijackthis
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo

Hey Gringo,

    I've run CCleaner, MBAW, and HijackThis.  I'll attach the logs.  When I logged in to run the latest batch of tools, there was an immediate IP block by MBAW:

 

2013/09/07 16:52:42 -0700    SHAIHULUD    (null)    MESSAGE    Starting protection
2013/09/07 16:52:42 -0700    SHAIHULUD    (null)    MESSAGE    Protection started successfully
2013/09/07 16:52:42 -0700    SHAIHULUD    (null)    MESSAGE    Starting IP protection
2013/09/07 16:52:43 -0700    SHAIHULUD    (null)    MESSAGE    IP Protection started successfully
2013/09/07 16:53:54 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: outgoing, Port: 56984, Process: svchost.exe)
2013/09/07 16:53:54 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: incoming, Port: 56984, Process: svchost.exe)
2013/09/07 16:53:54 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: incoming, Port: 56984, Process: svchost.exe)
2013/09/07 16:53:54 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: incoming, Port: 56984, Process: svchost.exe)
2013/09/07 16:54:02 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: incoming, Port: 56984, Process: svchost.exe)
2013/09/07 16:54:02 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: incoming, Port: 56984, Process: svchost.exe)
2013/09/07 16:54:02 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: outgoing, Port: 56984, Process: svchost.exe)
2013/09/07 16:54:02 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: outgoing, Port: 56984, Process: svchost.exe)
2013/09/07 16:54:02 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: outgoing, Port: 56984, Process: svchost.exe)
2013/09/07 16:54:10 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: incoming, Port: 56984, Process: svchost.exe)
2013/09/07 16:54:10 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: incoming, Port: 56984, Process: svchost.exe)
2013/09/07 16:54:10 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: outgoing, Port: 56984, Process: svchost.exe)
2013/09/07 16:54:10 -0700    SHAIHULUD    (null)    IP-BLOCK    58.241.162.110 (Type: outgoing, Port: 56984, Process: svchost.exe)
 

The (null) comes from the time before I actually logged into my account in Windows; after I log in, (null) is replaced by my username.  There were about 80 of these entries, and they were still continuing when I rebooted the machine.  They did not seem to continue after the reboot.  Is MBAW actually blocking these IP requests/responses?  There seems to be a conversation going on, with incoming and outgoing requests/responses.

 

Randy

 

 

 

######################################

MBAW

######################################

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.07.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Randy :: SHAIHULUD [administrator]

Protection: Enabled

9/7/2013 5:15:15 PM
mbam-log-2013-09-07 (17-15-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 253747
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

######################################

HijackThis

######################################

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 5:25:24 PM, on 9/7/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16502)

FIREFOX: 17.0.1 (en-US)
Boot mode: Normal

Running processes:
D:\Win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
D:\Win7\Games\Steam\Steam.exe
D:\Win7\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files\Corsair USB Headset\customapp\program\CAHS.EXE
C:\Program Files\Corsair USB Headset\customapp\program\CAHS.EXE
D:\Win7\Games\Ideazon\ZEngine\Zboard.exe
C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
D:\Win7\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
D:\Win7\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
C:\Users\Randy\AppData\Roaming\Dropbox\bin\Dropbox.exe
D:\Win7\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
D:\Win7\Program Files (x86)\Internet Download Manager\IEMonitor.exe
D:\Win7\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Win7\Program Files (x86)\Mozilla Firefox\plugin-container.exe
D:\Win7\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Randy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Win7\Program Files (x86)\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Evernote extension - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - D:\Win7\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [Zboard] D:\win7\games\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [LWS] D:\Win7\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [AcronisTibMounterMonitor] C:\Program Files (x86)\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKLM\..\Run: [ZoneAlarm] C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
O4 - HKCU\..\Run: [Steam] "D:\Win7\Games\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IDMan] D:\Win7\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-21-1412374026-2160322937-99312788-1007\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1412374026-2160322937-99312788-1007\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Startup: Dropbox.lnk = Randy\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: EvernoteClipper.lnk = D:\Win7\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe
O4 - Global Startup: O&O Defrag Tray.lnk = ?


O8 - Extra context menu item: Clip Image - D:\Win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=4
O8 - Extra context menu item: Clip selection - D:\Win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=3
O8 - Extra context menu item: Clip this page - D:\Win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=1
O8 - Extra context menu item: Clip URL - D:\Win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\Clip.html?clipAction=0


O8 - Extra context menu item: Download all links with IDM - D:\Win7\Program Files (x86)\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Win7\Program Files (x86)\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: New Note - D:\Win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\NewNote.html

O9 - Extra button: @D:\Win7\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\Win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
O9 - Extra 'Tools' menuitem: @D:\Win7\Program Files (x86)\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\Win7\Program Files (x86)\Evernote\Evernote\\EvernoteIERes\AddNote.html
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O17 - HKLM\System\CCS\Services\Tcpip\..\{7515BF99-A920-4227-9700-342B3C1CB0DB}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup Service (afcdpsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BitRaider Mini-Support Service (BRSptSvc) - BitRaider, LLC - C:\programdata\bitraider\BRSptSvc.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - D:\Win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - D:\Win7\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe
O23 - Service: NIHardwareService - Native Instruments GmbH - C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
O23 - Service: Nalpeiron X64 Service (nlscc) - Unknown owner - C:\Windows\system32\nlsInterface.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: O&O Defrag (OODefragAgent) - O&O Software GmbH - D:\Win7\Program Files\OO Software\Defrag\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Riverbed Technology, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe
O23 - Service: Samsung UPD Service2 - Unknown owner - C:\Windows\System32\SUPDSvc2.exe (file missing)
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - D:\Win7\Program Files\SiSoftware\SiSoftware Sandra Lite 2013.SP4\RpcAgentSrv.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: Acronis Sync Agent Service (syncagentsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
O23 - Service: TomTomHOMEService - TomTom - D:\Win7\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 15083 bytes
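The O23 block above lists every installed service as HijackThis sees it. Two patterns in it are easy to misread: "Unknown owner" means only that the binary carried no company string, and "(file missing)" on a C:\Windows\System32 path is usually an artefact of running the 32-bit HijackThis on 64-bit Windows, where the file-system redirector sends its probes to SysWOW64. The following is an added example, not code from the post or from HijackThis, that parses O23 lines and tags the entries worth a manual look. The sample copies a few entries from the log above and adds one O4 line to show that other sections are skipped; the tag names are my own.

```python
import re
from dataclasses import dataclass, field

# Added example, not from the post: a triage pass over HijackThis "O23 - Service:" lines.
# The sample copies a few entries from the log above and adds one O4 line to show that
# other sections are ignored. Tag names ("wow64_redirect_suspected", etc.) are my own.
SAMPLE_O23 = r"""
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe
O23 - Service: Nalpeiron X64 Service (nlscc) - Unknown owner - C:\Windows\system32\nlsInterface.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Riverbed Technology, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O4 - HKLM\..\Run: [ZoneAlarm] C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe
"""

# Line shape: "O23 - Service: <display (Short)> - <company> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# The short service name is the last parenthesised token of the name field.
SHORT_RE = re.compile(r"^(?P<display>.*) \((?P<short>[^()]+)\)$")
SYSTEM32_PREFIX = r"c:\windows\system32"


@dataclass
class ServiceEntry:
    display: str
    short: str
    company: str
    path: str
    missing: bool
    tags: list = field(default_factory=list)


def triage(entry):
    """Return the list of review tags an O23 entry earns (empty means nothing stands out)."""
    tags = []
    in_system32 = entry.path.lower().startswith(SYSTEM32_PREFIX)
    if entry.missing:
        # A 32-bit HijackThis on 64-bit Windows is redirected to SysWOW64 when it probes
        # C:\Windows\System32, so "(file missing)" there is usually a false positive.
        tags.append("wow64_redirect_suspected" if in_system32 else "file_missing")
    if entry.company == "Unknown owner" and not entry.display.startswith("@"):
        # Built-in services show a resource-string display name ("@...dll,-NNN");
        # a plain name with no vendor string is a third-party binary worth identifying.
        tags.append("no_vendor_info")
    return tags


def parse_o23(line):
    """Parse one HijackThis line; returns None for anything that is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name = m["name"]
    s = SHORT_RE.match(name)
    display, short = (s["display"], s["short"]) if s else (name, name)
    entry = ServiceEntry(display, short, m["company"], m["path"], m["missing"] is not None)
    entry.tags = triage(entry)
    return entry


def triage_log(text):
    """Return {short_name: tags} for every O23 entry that earned at least one tag."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry and entry.tags:
            flagged[entry.short] = entry.tags
    return flagged


if __name__ == "__main__":
    for short, tags in triage_log(SAMPLE_O23).items():
        print(f"{short:10} {', '.join(tags)}")
```

Run against the full log above, the tags point at the handful of services to verify by hand (signature and path from a 64-bit view, for instance an elevated `sc qc <ShortName>`), instead of reading forty lines of Microsoft and vendor services that behave exactly as expected.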
 


  • Staff

HitmanPro

  • Please download HitmanPro.
  • Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).
  • Click on the next button. You must agree with the terms of EULA.
  • Check the box beside "No, I only want to perform a one-time scan to check this computer".
  • Click on the next button.
  • The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
  • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
  • Click on the next button.
  • Click on the "Export scan results to XML file".
  • Save that file to your desktop and zip and attach it in your next reply.

Hey Gringo,

I ran HitmanPro and will physically attach the XML file.  The Working.exe it mentions was a file I compiled myself from a Lynda.com C++ class.  Yesterday, after running the three tools (CCleaner, MBAW, and HijackThis), I played a game for a few hours.  When I finished, my MBAW log was full of:

2013/09/07 20:40:19 -0700    SHAIHULUD    Randy    IP-BLOCK    222.186.101.77 (Type: incoming, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:19 -0700    SHAIHULUD    Randy    IP-BLOCK    222.186.101.77 (Type: outgoing, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:27 -0700    SHAIHULUD    Randy    IP-BLOCK    222.186.101.77 (Type: outgoing, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:27 -0700    SHAIHULUD    Randy    IP-BLOCK    222.186.101.77 (Type: outgoing, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:27 -0700    SHAIHULUD    Randy    IP-BLOCK    222.186.101.77 (Type: incoming, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:27 -0700    SHAIHULUD    Randy    IP-BLOCK    222.186.101.77 (Type: incoming, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:35 -0700    SHAIHULUD    Randy    IP-BLOCK    222.186.101.77 (Type: incoming, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:35 -0700    SHAIHULUD    Randy    IP-BLOCK    222.186.101.77 (Type: outgoing, Port: 63373, Process: svchost.exe)
...

About 3800 entries lasting about 2 hours.

Today I've been logged in for about 5 hours and there is nothing in the logs so far.

Randy

HitmanPro_20130908_1743.zip
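A burst of a few thousand IP-BLOCK lines is easier to reason about once it is collapsed into flows. The following is an added example, not code from the post or from Malwarebytes, that parses protection-log lines of the shape quoted above and groups them by remote address and process, reporting direction counts, the local ports involved and how long the burst lasted. Ports are listed rather than counted as separate connections because the quoted incoming and outgoing lines share one port, which is consistent with a single local socket being logged in both directions. The sample reuses the eight quoted lines and adds three constructed ones (203.0.113.5 is a documentation-only address); the field separator is assumed to be whitespace, as in the quote.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the forum post. The first eight lines reproduce the protection-log
# excerpt quoted above; the last three are constructed (203.0.113.5 is a documentation-only
# address) so that a second, smaller flow appears in the summary.
SAMPLE_LOG = """\
2013/09/07 20:40:19 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t222.186.101.77 (Type: incoming, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:19 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t222.186.101.77 (Type: outgoing, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:27 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t222.186.101.77 (Type: outgoing, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:27 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t222.186.101.77 (Type: outgoing, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:27 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t222.186.101.77 (Type: incoming, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:27 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t222.186.101.77 (Type: incoming, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:35 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t222.186.101.77 (Type: incoming, Port: 63373, Process: svchost.exe)
2013/09/07 20:40:35 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t222.186.101.77 (Type: outgoing, Port: 63373, Process: svchost.exe)
2013/09/07 21:02:01 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t222.186.101.77 (Type: outgoing, Port: 63401, Process: svchost.exe)
2013/09/08 14:10:44 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t203.0.113.5 (Type: outgoing, Port: 51200, Process: firefox.exe)
2013/09/08 14:10:45 -0700\tSHAIHULUD\tRandy\tIP-BLOCK\t203.0.113.5 (Type: outgoing, Port: 51200, Process: firefox.exe)
"""

# "<date> <time> <tz>  <host>  <user>  IP-BLOCK  <ip> (Type: <dir>, Port: <n>, Process: <exe>)"
IPBLOCK_RE = re.compile(
    r"^(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>\S+)\s+IP-BLOCK\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\(Type: (?P<direction>incoming|outgoing), Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)


def parse_event(line):
    """Parse one IP-BLOCK line into a dict; returns None for lines of any other shape."""
    m = IPBLOCK_RE.match(line.strip())
    if not m:
        return None
    return {
        "when": datetime.strptime(m["stamp"], "%Y/%m/%d %H:%M:%S %z"),
        "ip": m["ip"],
        "direction": m["direction"],
        "port": int(m["port"]),
        "process": m["process"],
    }


def summarize_flows(text):
    """Group IP-BLOCK events by (remote IP, process) and describe each group."""
    groups = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev:
            groups[(ev["ip"], ev["process"])].append(ev)
    summary = {}
    for key, events in groups.items():
        times = [e["when"] for e in events]
        summary[key] = {
            "events": len(events),
            "incoming": sum(e["direction"] == "incoming" for e in events),
            "outgoing": sum(e["direction"] == "outgoing" for e in events),
            "ports": sorted({e["port"] for e in events}),
            "first": min(times).isoformat(),
            "last": max(times).isoformat(),
            "span_seconds": (max(times) - min(times)).total_seconds(),
        }
    return summary


def rank_by_volume(summary):
    """Remote IP / process pairs, busiest first."""
    return sorted(summary, key=lambda k: summary[k]["events"], reverse=True)


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_LOG)
    for ip, proc in rank_by_volume(flows):
        f = flows[(ip, proc)]
        print(f"{ip:16} {proc:12} events={f['events']} in={f['incoming']} "
              f"out={f['outgoing']} ports={f['ports']} span={f['span_seconds']:.0f}s")
```

"Process: svchost.exe" names the service host, not the service, so the summary alone cannot say which service opened the socket. While a burst is live, an elevated `netstat -ano` maps the local port in the log to a PID and `tasklist /svc` maps that PID to the services it hosts; that pairing is the piece of evidence the log lines above do not carry.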


Hey Gringo,

I've been trying to monitor my computer without Steam.  I've had it running on a few occasions for a few hours without Steam.  The only log entries I've found were a dozen incoming attempts one day.  I'm going to continue monitoring, then try to start Steam one day and see what happens.  I hope there is not a problem with Steam since most of my games are there.

Randy

Yes, still here.  I started Steam on Saturday and let it run all day.  No log entries.  Things seemed to be looking good.  I hadn't had any log entries in quite a while.  Then Sunday, after a few hours, about 6 outgoing entries to 92.something (Romania) popped up in the log.  It seemed to happen just a little bit after I started Firefox.  However, this may have been coincidence since I've been running Firefox all week with no problems.

 

Randy

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.