infected with trojan zeroaccess virus

[jjdonohue]

hi

i recently got the ransomware virus and i believed i had successfully removed. Computer seemed normal until i ran malwarebytes and saw and incidence of the trojan zeroaccess.   malware bytes cant remove this nor can symantec.   I see that rogue killer looks promising but i dont want to wreck my computer so i created a log and posted it here.  i am hoping you can tell me what i can delete or not.

I assume pretty much everything but wanted to get some more experienced eyes on it.

 

here is the log.  i think the first few entries that are run and service keys are safe to delete.  there are 12 registry entries some of which i dont recognize and htere is one symantec one that looks legit but im not sure.

 

thank you

 

RogueKiller V8.6.10 _x64_ [sep  9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : jjdonohue [Admin rights]
Mode : Scan -- Date : 09/10/2013 19:48:54
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[ZeroAccess][sERVICE] ???etadpug -- "C:\Program Files (x86)\Google\Desktop\Install\{606d6c62-145f-c615-8d5d-55efb7063390}\   \...\???ﯹ๛\{606d6c62-145f-c615-8d5d-55efb7063390}\GoogleUpdate.exe" < [x] -> STOPPED

¤¤¤ Registry Entries : 12 ¤¤¤
[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{606d6c62-145f-c615-8d5d-55efb7063390}\   \...\???ﯹ๛\{606d6c62-145f-c615-8d5d-55efb7063390}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{606d6c62-145f-c615-8d5d-55efb7063390}\   \...\???ﯹ๛\{606d6c62-145f-c615-8d5d-55efb7063390}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS003\[...]\Services : ???etadpug ("C:\Program Files (x86)\Google\Desktop\Install\{606d6c62-145f-c615-8d5d-55efb7063390}\   \...\???ﯹ๛\{606d6c62-145f-c615-8d5d-55efb7063390}\GoogleUpdate.exe" < [x]) -> FOUND
[DNS] HKLM\[...]\CS001\[...]\{6390DA39-7966-4DDF-82B7-315DB3ED7155} : NameServer (216.146.35.240,216.146.36.240,192.168.0.1,205.171.3.25) -> FOUND
[HJ POL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS002\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS003\[...]\Services : . e () -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][sUSP PATH] Symantec Help (relaunch) : C:\Users\jjdonohue\AppData\Local\Temp\STSFX19E7\SymDiag.exe - -relaunch "C:\Users\jjdonohue\AppData\Local\Temp\HOMECOMPUTER__2013_09_10__00_10_42.SdDb" [x][-] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpCom.dll : C:\Program Files\Windows Defender\MsMpCom.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

[AdvancedSetup]

One or more of the identified infections is related to a nasty rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums from a CLEAN COMPUTER.  You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.

Please read:

 

• When should I re-format? How should I reinstall?
• Help: I Got Hacked. Now What Do I Do?
• Where to draw the line? When to recommend a format and reinstall?

 

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

 

Message borrowed from quietman7 with minor wording and link changes
 

[jjdonohue]

i would like to try and disinfect the machine

[AdvancedSetup]

Okay then - please make sure you have your data backed up such as pictures, music, etc and follow the directions below.

 

Please visit this webpage and read the ComboFix User's Guide:

• Once you've read the article and are ready to use the program you can download it directly from the link below.
• Important! - Please make sure you save combofix to your desktop and do not run it from your browser
• Direct download link for: ComboFix.exe
• Please make sure you disable your security applications before running ComboFix.
• Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
• Please attach that log file to your next reply.
• If needed the file can be located here:  C:\combofix.txt
• NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.
  

 

[jjdonohue]

i told symantec to disable itself and it appeared off by the software indicators but when i ran combofix it kept saying it was still on and the antivirus file protect was on.  It gave me a message that if i continued it was at risk so i decided to stop it before it continued. I

wont be able to do this if this is going to happen , can I?  I guess there must be another way to disable symantec but i dont know what that is unless i have to disable in the start menu or something like that.

[AdvancedSetup]

Go ahead and run it as long as you've shut down Symantec via the interface

[jjdonohue]

ok it completed.  things seem ok for the moment - phew!

 

here is the log.

omboFix 13-09-10.03 - jjdonohue 09/10/2013  21:37:06.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.6007.4188 [GMT -6:00]
Running from: c:\users\jjdonohue\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files (x86)\Google\Desktop\Install
c:\program files (x86)\Google\Desktop\Install\{606d6c62-145f-c615-8d5d-55efb7063390}\9519~1\A535~1\E628~1\{606d6c62-145f-c615-8d5d-55efb7063390}\@
c:\program files (x86)\Google\Desktop\Install\{606d6c62-145f-c615-8d5d-55efb7063390}\9519~1\A535~1\E628~1\{606d6c62-145f-c615-8d5d-55efb7063390}\U\00000001.@
c:\program files (x86)\Google\Desktop\Install\{606d6c62-145f-c615-8d5d-55efb7063390}\9519~1\A535~1\E628~1\{606d6c62-145f-c615-8d5d-55efb7063390}\U\00000002.@
c:\programdata\0230F9D3B5.sys
c:\programdata\Printers
c:\programdata\PrintingModule
c:\users\jjdonohue\AppData\Local\assembly\tmp
c:\windows\PFRO.log
c:\windows\XSxS
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-11 to 2013-09-11  )))))))))))))))))))))))))))))))
.
.
2013-09-11 03:47 . 2013-09-11 03:47 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2013-09-11 03:47 . 2013-09-11 03:47 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2013-09-11 03:47 . 2013-09-11 03:47 51852 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2013-09-11 03:47 . 2013-09-11 03:47 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2013-09-11 03:47 . 2013-09-11 03:47 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2013-09-11 03:45 . 2013-09-11 03:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-09-10 06:02 . 2013-09-10 06:02 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2013-09-10 03:40 . 2013-09-10 03:40 -------- d-----w- c:\users\jjdonohue\AppData\Local\WinZip Courier
2013-09-10 03:39 . 2013-09-11 03:44 -------- d-----w- c:\users\jjdonohue\AppData\Local\assembly
2013-09-08 22:44 . 2013-09-08 22:44 1805736 ----a-w- C:\FixZeroAccess.exe
2013-09-08 20:39 . 2013-09-08 20:39 -------- d-----w- c:\programdata\Nikon
2013-09-08 20:05 . 2013-09-08 20:05 -------- d-----w- c:\programdata\ZoomBrowser
2013-09-08 20:04 . 2013-09-08 20:04 -------- d-----w- c:\programdata\Canon_Inc_IC
2013-09-07 23:25 . 2013-09-07 23:25 -------- d-----w- c:\users\jjdonohue\AppData\Roaming\Nikon
2013-09-07 23:25 . 2013-09-07 23:25 -------- d-----w- c:\users\jjdonohue\AppData\Local\Nikon
2013-09-07 23:24 . 2013-09-07 23:24 61440 ----a-r- c:\users\jjdonohue\AppData\Roaming\Microsoft\Installer\{11953C65-BB4E-4CA4-B0F0-2600A4B20040}\ARPPRODUCTICON.exe
2013-09-07 23:23 . 2013-09-07 23:23 -------- d-----w- c:\windows\Downloaded Installations
2013-09-07 23:23 . 2013-09-07 23:23 -------- d-----w- c:\program files (x86)\Common Files\Nikon
2013-09-07 23:23 . 2013-09-07 23:23 -------- d-----w- c:\programdata\Light Machine
2013-09-07 23:22 . 2013-09-07 23:24 -------- d-----w- c:\program files\Common Files\Nikon
2013-09-07 23:22 . 2013-09-07 23:24 -------- d-----w- c:\program files (x86)\Nikon
2013-09-07 23:22 . 2013-09-07 23:22 -------- d-----w- c:\program files\Nikon
2013-09-07 23:22 . 2013-09-07 23:22 -------- d-----w- c:\programdata\MIDI Drivers
2013-09-07 23:22 . 2013-09-07 23:22 -------- d-----w- c:\programdata\Keyboard Layouts
2013-09-07 23:21 . 2013-09-07 23:23 -------- d-----w- c:\programdata\Ultima_T15
2013-09-07 23:21 . 2013-09-07 23:23 -------- d-----w- c:\programdata\EnterNHelp
2013-09-07 23:21 . 2013-09-07 23:21 -------- d-----w- c:\programdata\Specifications
2013-09-06 04:42 . 2013-09-06 04:43 -------- d-----w- c:\programdata\WinZip
2013-09-06 04:42 . 2013-09-06 04:42 -------- d-----w- c:\program files\WinZip
2013-09-06 00:11 . 2013-09-06 00:11 -------- d-----w- c:\users\jjdonohue\AppData\Local\CouponXplorer_5z
2013-08-30 01:25 . 2013-08-30 01:25 262552 ----a-w- c:\program files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2013-08-30 01:25 . 2013-08-30 01:25 26520 ----a-w- c:\program files (x86)\Mozilla Firefox\plugin-hang-ui.exe
2013-08-30 00:59 . 2013-08-30 00:59 -------- d-----w- c:\windows\ERUNT
2013-08-29 23:42 . 2013-08-30 00:44 -------- d-----w- C:\AdwCleaner
2013-08-29 15:11 . 2013-08-29 15:11 -------- d-----w- c:\users\JoanneDonohue\AppData\Roaming\Malwarebytes
2013-08-29 15:10 . 2013-09-05 23:52 -------- d-----w- c:\users\JoanneDonohue\AppData\Local\Htc
2013-08-29 15:10 . 2013-08-29 15:10 -------- d-----w- c:\users\JoanneDonohue\AppData\Roaming\HTC
2013-08-29 14:57 . 2013-08-29 14:57 -------- d-----w- c:\programdata\unwvq
2013-08-29 11:44 . 2013-08-29 14:54 -------- d-----w- c:\programdata\asby
2013-08-29 00:05 . 2013-08-29 00:05 -------- d-----w- c:\users\jjdonohue\AppData\Roaming\Hopster
2013-08-15 09:07 . 2013-08-15 09:09 -------- d-----w- c:\windows\system32\MRT
2013-08-15 09:00 . 2013-07-25 03:54 17830400 ----a-w- c:\windows\system32\mshtml.dll
2013-08-15 09:00 . 2013-07-25 03:35 10926080 ----a-w- c:\windows\system32\ieframe.dll
2013-08-14 21:25 . 2013-07-09 05:46 1472512 ----a-w- c:\windows\system32\crypt32.dll
2013-08-14 21:25 . 2013-07-09 05:52 224256 ----a-w- c:\windows\system32\wintrust.dll
2013-08-14 21:25 . 2013-07-09 05:46 184320 ----a-w- c:\windows\system32\cryptsvc.dll
2013-08-14 21:25 . 2013-07-09 05:46 139776 ----a-w- c:\windows\system32\cryptnet.dll
2013-08-14 21:25 . 2013-07-09 04:52 175104 ----a-w- c:\windows\SysWow64\wintrust.dll
2013-08-14 21:25 . 2013-07-09 04:46 140288 ----a-w- c:\windows\SysWow64\cryptsvc.dll
2013-08-14 21:25 . 2013-07-09 04:46 1166848 ----a-w- c:\windows\SysWow64\crypt32.dll
2013-08-14 21:25 . 2013-07-09 04:46 103936 ----a-w- c:\windows\SysWow64\cryptnet.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-10 19:33 . 2012-09-07 18:41 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-09-10 19:33 . 2011-06-01 20:07 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-10 19:33 . 2013-06-11 21:34 9430408 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2013-09-06 01:13 . 2010-12-10 03:53 172592 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2013-09-03 00:35 . 2010-12-08 05:21 3766 --sha-w- c:\programdata\KGyGaAvL.sys
2013-08-05 22:14 . 2011-01-21 01:25 78161360 ----a-w- c:\windows\system32\MRT.exe
2013-07-09 04:45 . 2013-08-14 21:24 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2013-07-01 19:28 . 2012-09-22 17:48 325920 ----a-w- c:\windows\SysWow64\Sendori.dll
2013-06-29 21:34 . 2013-06-29 21:35 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-29 21:34 . 2012-09-07 19:20 867240 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2013-06-29 21:34 . 2011-05-30 21:52 789416 ----a-w- c:\windows\SysWow64\deployJava1.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\jjdonohue\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\jjdonohue\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\jjdonohue\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Vid"="c:\program files (x86)\Logitech\Vid HD\Vid.exe" [2011-01-13 6129496]
"AirVideoServer"="c:\program files (x86)\AirVideoServer\AirVideoServer.exe" [2010-09-22 4923784]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-01-26 39408]
"iFunBoxConnector"="c:\program files (x86)\i-Funbox DevTeam\ifb_conn.exe" [2012-11-20 812544]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"HP Remote Solution"="c:\program files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-04-26 593920]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2011-10-30 571392]
.
c:\users\jjdonohue\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\jjdonohue\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
Snapfish PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe -det [2010-6-17 1040952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 CouponXplorer_5zService;CouponXplorerService;c:\progra~2\COUPON~4\bar\1.bin\5zbarsvc.exe;c:\progra~2\COUPON~4\bar\1.bin\5zbarsvc.exe [x]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 sndappv2;sndappv2;c:\program files (x86)\Sendori\sndappv2.exe;c:\program files (x86)\Sendori\sndappv2.exe [x]
R2 sprtlisten;SupportSoft Listener Service;c:\program files (x86)\Common Files\supportsoft\bin\sprtlisten.exe;c:\program files (x86)\Common Files\supportsoft\bin\sprtlisten.exe [x]
R2 TeamViewer6;TeamViewer 6;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [x]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandbus64.sys [x]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag64.sys;c:\windows\SYSNATIVE\DRIVERS\lganddiag64.sys [x]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandgps64.sys [x]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandmodem64.sys [x]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\lgandadb.sys;c:\windows\SYSNATIVE\Drivers\lgandadb.sys [x]
R3 CXPLRCAP;EVC2010;c:\windows\system32\drivers\elvidcap.sys;c:\windows\SYSNATIVE\drivers\elvidcap.sys [x]
R3 DxkgFilter;Filtering Dxkg;c:\program files (x86)\iDisplay\idisplay.sys;c:\program files (x86)\iDisplay\idisplay.sys [x]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys;c:\windows\SYSNATIVE\Drivers\ANDROIDUSB.sys [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys;c:\windows\SYSNATIVE\DRIVERS\htcnprot.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S2 Application Sendori;Application Sendori;c:\program files (x86)\Sendori\SendoriSvc.exe;c:\program files (x86)\Sendori\SendoriSvc.exe [x]
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe;c:\program files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe [x]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [x]
S2 Service Sendori;Service Sendori;c:\program files (x86)\Sendori\Sendori.Service.exe;c:\program files (x86)\Sendori\Sendori.Service.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 CompFilter64;UVCCompositeFilter;c:\windows\system32\DRIVERS\lvbflt64.sys;c:\windows\SYSNATIVE\DRIVERS\lvbflt64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys;c:\windows\SYSNATIVE\drivers\HCW85BDA.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys;c:\windows\SYSNATIVE\DRIVERS\LVPr2M64.sys [x]
S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
S3 LVUVC64;Logitech HD Webcam C510(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-07 19:33]
.
2013-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-26 05:17]
.
2013-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-01-26 05:17]
.
2013-09-08 c:\windows\Tasks\HPCeeScheduleForjjdonohue.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\jjdonohue\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\jjdonohue\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\jjdonohue\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 164016 ----a-w- c:\users\jjdonohue\AppData\Roaming\Dropbox\bin\DropboxExt64.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-18 568888]
.
------- Supplementary Scan -------
.

uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

FF - ProfilePath - c:\users\jjdonohue\AppData\Roaming\Mozilla\Firefox\Profiles\sez1qwa1.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search


FF - ExtSQL: !HIDDEN! 2010-12-12 19:25; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{65c72339-fb1d-4155-84e1-9afacee02d6f} - c:\program files (x86)\CouponXplorer_5z\bar\1.bin\5zbar.dll
SafeBoot-Symantec Antvirus
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
WebBrowser-{88C7F2AA-F93F-432C-8F0E-B7D85967A527} - (no file)
AddRemove-Coupon Printer for Windows5.0.0.2 - c:\program files (x86)\Coupons\uninstall.exe
AddRemove-Search Toolbar - c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-Splashtop Software Updater - c:\program files (x86)\Splashtop\Splashtop Software Updater\uninst.exe
AddRemove-_{707EB912-C597-49D8-9460-46CC9AB03EBE} - c:\program files (x86)\Corel\Corel Painter Photo Essentials 4\MSILauncher {707EB912-C597-49D8-9460-46CC9AB03EBE}
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=hex:51,66,7a,6c,4c,1d,38,12,5c,be,8a,
   eb,c9,8f,bc,54,f6,39,43,d0,22,43,0b,9c
"{9D425283-D487-4337-BAB6-AB8354A81457}"=hex:51,66,7a,6c,4c,1d,38,12,ed,51,51,
   99,b5,9a,59,06,c5,a0,e8,c3,51,f6,50,43
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
   27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
   06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{0347C33E-8762-4905-BF09-768834316C61}"=hex:51,66,7a,6c,4c,1d,38,12,50,c0,54,
   07,50,c9,6b,0c,c0,1f,35,c8,31,6f,28,75
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
   1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
   76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
   ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
   aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
   f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}"=hex:51,66,7a,6c,4c,1d,38,12,91,fc,ec,
   fb,7c,81,45,0a,c2,d4,4d,32,e4,48,ec,42
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
   2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
"{555D4D79-4BD2-4094-A395-CFC534424A05}"=hex:51,66,7a,6c,4c,1d,38,12,17,4e,4e,
   51,e0,05,fa,05,dc,83,8c,85,31,1c,0e,11
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
   fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:c3,a0,16,93,ee,48,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,e0,10,5a,61,51,13,4d,92,8a,7d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1d,e0,10,5a,61,51,13,4d,92,8a,7d,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1b,d0,4d,2e,97,ba,7f,4a,99,5b,da,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_168.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_168.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\iDisplay\iDisplay.exe
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Logishrd\LVMVFM\LVPrS64H.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
c:\program files (x86)\Sendori\SendoriUp.exe
c:\program files (x86)\Google\Update\1.3.21.153\GoogleCrashHandler.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2013-09-10  21:53:57 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-11 03:53
.
Pre-Run: 497,924,571,136 bytes free
Post-Run: 499,104,542,720 bytes free
.
- - End Of File - - E3514DF632486B9946BCEBEB156337B3
 

[jjdonohue]

just for the heck of it i also ran another scan with rogue killer.  the zero access entries seemed to be gone from the combo fix run.

Theres some other entries (6 in the registry) in there but i dont know what htey are or if they matter.  Do they?

 

RogueKiller V8.6.10 _x64_ [sep  9 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : jjdonohue [Admin rights]
Mode : Scan -- Date : 09/10/2013 22:11:01
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[DNS] HKLM\[...]\CS001\[...]\{6390DA39-7966-4DDF-82B7-315DB3ED7155} : NameServer (216.146.35.240,216.146.36.240,192.168.0.1,205.171.3.25) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][sUSP PATH] Symantec Help (relaunch) : C:\Users\jjdonohue\AppData\Local\Temp\STSFX19E7\SymDiag.exe - -relaunch "C:\Users\jjdonohue\AppData\Local\Temp\HOMECOMPUTER__2013_09_10__00_10_42.SdDb" [x][x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS721075CLA332 +++++
--- User ---
[MBR] 5b8a824b7f35c776990992ef606356a4
[bSP] cf3cd43742a158bea9654d093c7db3fa : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 702357 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1438633984 | Size: 12945 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Hitachi HDS721075CLA332 +++++
--- User ---
[MBR] 3c97f74b632c03f3aafc0a9fb8750bce
[bSP] 8e9a6e344c69a32be8d87b148b0ae0f2 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: Hitachi HDS721075CLA332 +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_09102013_221101.txt >>

 

 

[jjdonohue]

i also ran a check with malware bytes and it doesnt see that zero access trojan anymore.  in fact it doesnt see anything bad at all.

[AdvancedSetup]

Please go ahead and run through the following steps and post back the logs when ready.

STEP 03
Please download Malwarebytes Anti-Rootkit from here

• Unzip the contents to a folder in a convenient location.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
• When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt
  

STEP 04
Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus
  

STEP 05
Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
• Copy and paste the contents of that logfile in your next reply.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
  

STEP 06


Please go here to run the online antivirus scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
    

  [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.
  

STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
  

 

[jjdonohue]

i ran the malwarebytes antiroot kit and it was totally clean found nothing.  Something that did happen will it was running though was that symantecs proactive threat protection got shut down.   I cant get it restarted.  I tried repairing symantec and downloading new updates through live update and restarted the computer to no avail.  The proactive threat will not load.  The other functions are working however,  antivirus/antispyware protection and network threat proteaction are on.  I dont want to go any further til we fix this. maybe something got damaged during the combo run, i dont know.

[jjdonohue]

nevermind - i ran an uninstall on that feature and reinstalled it and its ok now.   its late here so i need to look at this tomorrow and start in on step 4, although i am kind of wondering if i need it since the antiroot kit was totally clean.

[AdvancedSetup]

I can pretty much promise you those other tools are going to find more items to remove.

 

I'll check back on you sometime tomorrow.

 

Thanks

[jjdonohue]

ok heres the mbar logs you asked for. i will run JRT in the meantime next

 

warebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.09.11.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
jjdonohue :: HOMECOMPUTER [administrator]

9/10/2013 10:51:43 PM
mbar-log-2013-09-10 (22-51-43).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 304132
Time elapsed: 14 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

system log

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 9.0.8112.16421

Java version: 1.6.0_35

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 3.325000 GHz
Memory total: 6298877952, free: 4160012288

Downloaded database version: v2013.09.11.01
Downloaded database version: v2013.08.06.01
=======================================
Initializing...
------------ Kernel report ------------
     09/10/2013 22:51:40
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\SRTSP64.SYS
\??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130910.016\EX64.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
\??\C:\PROGRA~3\Symantec\DEFINI~1\VIRUSD~1\20130910.016\ENG64.SYS
\SystemRoot\System32\Drivers\SRTSPX64.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\??\C:\Windows\system32\drivers\wpsdrvnt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\system32\DRIVERS\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\drivers\1394ohci.sys
\SystemRoot\system32\drivers\HCW85BDA.sys
\SystemRoot\system32\drivers\BdaSup.SYS
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\athrx.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\SysWOW64\drivers\Afc.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\teefer2.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\DRIVERS\circlass.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\drivers\hcw85cir3.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\nvhda64v.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\DRIVERS\hidir.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\usbscan.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\dot4usb.sys
\SystemRoot\system32\DRIVERS\Dot4.sys
\SystemRoot\system32\DRIVERS\Dot4Prt.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\lvbflt64.sys
\SystemRoot\system32\drivers\usbaudio.sys
\SystemRoot\system32\DRIVERS\lvrs64.sys
\SystemRoot\system32\DRIVERS\lvuvc64.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\HTTP.sys
\??\C:\Windows\system32\drivers\WpsHelper.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\LVPr2M64.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\??\C:\Windows\system32\Drivers\PROCEXP113.SYS
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\nsi.dll
\Windows\System32\kernel32.dll
\Windows\System32\user32.dll
\Windows\System32\urlmon.dll
\Windows\System32\clbcatq.dll
\Windows\System32\psapi.dll
\Windows\System32\wininet.dll
\Windows\System32\comdlg32.dll
\Windows\System32\shell32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\usp10.dll
\Windows\System32\ole32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\sechost.dll
\Windows\System32\lpk.dll
\Windows\System32\difxapi.dll
\Windows\System32\normaliz.dll
\Windows\System32\msctf.dll
\Windows\System32\gdi32.dll
\Windows\System32\setupapi.dll
\Windows\System32\imm32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\iertutil.dll
\Windows\System32\ws2_32.dll
\Windows\System32\advapi32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\shlwapi.dll
\Windows\System32\imagehlp.dll
\Windows\System32\wintrust.dll
\Windows\System32\comctl32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\devobj.dll
\Windows\System32\crypt32.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk6\DR6
Upper Device Object: 0xfffffa800992f790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a3\
Lower Device Object: 0xfffffa800963db60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk5\DR5
Upper Device Object: 0xfffffa800992c790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a2\
Lower Device Object: 0xfffffa8009636b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk4\DR4
Upper Device Object: 0xfffffa8009929790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a1\
Lower Device Object: 0xfffffa800960fb60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk3\DR3
Upper Device Object: 0xfffffa8009926790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\000000a0\
Lower Device Object: 0xfffffa800961bb60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xfffffa8009817790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000009e\
Lower Device Object: 0xfffffa80095ecb60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa8009795790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000093\
Lower Device Object: 0xfffffa80095c7b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa8006313060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa8005fc8050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa8006313060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8006313b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8006313060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005fc8050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 8454D051

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 1438427136

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1438633984  Numsec = 26511360

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 750156374016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-1465129168-1465149168)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa8009795790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80095b9b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8009795790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80095c7b60, DeviceName: \Device\00000093\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 2544D32F

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 625137282

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xfffffa8009817790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8009619b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8009817790, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80095ecb60, DeviceName: \Device\0000009e\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xfffffa8009926790, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80099262c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8009926790, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800961bb60, DeviceName: \Device\000000a0\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xfffffa8009929790, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80099292c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8009929790, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800960fb60, DeviceName: \Device\000000a1\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 5, DevicePointer: 0xfffffa800992c790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800992c2c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800992c790, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8009636b60, DeviceName: \Device\000000a2\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 6, DevicePointer: 0xfffffa800992f790, DeviceName: \Device\Harddisk6\DR6\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800992f2c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800992f790, DeviceName: \Device\Harddisk6\DR6\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800963db60, DeviceName: \Device\000000a3\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_2048_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_1_r.mbam...
Removal finished

[jjdonohue]

here is the jrt log

 

OS: Windows 7 Professional x64
Ran by jjdonohue on Wed 09/11/2013 at 20:37:18.01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\HPSF_Tasks_RASMANCS

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\starapp"
Successfully deleted: [Folder] "C:\Users\jjdonohue\appdata\local\couponxplorer_5z"

 

~~~ FireFox

Successfully deleted: [File] C:\Users\jjdonohue\AppData\Roaming\mozilla\firefox\profiles\sez1qwa1.default\searchplugins\my-web-search.xml
Successfully deleted the following from C:\Users\jjdonohue\AppData\Roaming\mozilla\firefox\profiles\sez1qwa1.default\prefs.js

user_pref("browser.search.defaultenginename", "My Web Search");
user_pref("browser.search.selectedEngine", "My Web Search");

user_pref("extensions.mywebsearch.prevDefaultEngine", "Google");
user_pref("extensions.mywebsearch.prevKwdEnabled", true);

user_pref("extensions.mywebsearch.prevSelectedEngine", "Google");

user_pref("extensions.toolbar.mindspark._5zMembers_.hp.enabled", true);
user_pref("extensions.toolbar.mindspark._5zMembers_.initialized", true);
user_pref("extensions.toolbar.mindspark._5zMembers_.installation.contextKey", "");
user_pref("extensions.toolbar.mindspark._5zMembers_.installation.installDate", "2013090518");
user_pref("extensions.toolbar.mindspark._5zMembers_.installation.partnerId", "^AFA^xdm123^YY^us");
user_pref("extensions.toolbar.mindspark._5zMembers_.installation.partnerSubId", "");
user_pref("extensions.toolbar.mindspark._5zMembers_.installation.success", true);
user_pref("extensions.toolbar.mindspark._5zMembers_.installation.toolbarId", "A762911C-D0BF-45B5-B7F7-C109E14CB2DF");
user_pref("extensions.toolbar.mindspark._5zMembers_.lastActivePing", "1378863978549");
user_pref("extensions.toolbar.mindspark._5zMembers_.options.defaultSearch", true);
user_pref("extensions.toolbar.mindspark._5zMembers_.options.homePageEnabled", true);
user_pref("extensions.toolbar.mindspark._5zMembers_.options.keywordEnabled", true);
user_pref("extensions.toolbar.mindspark._5zMembers_.options.tabEnabled", true);
user_pref("extensions.toolbar.mindspark._5zMembers_.weather.location", "80201");
user_pref("extensions.toolbar.mindspark.hp.enabled", true);
user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "couponxplorer@mindspark.com");
user_pref("extensions.toolbar.mindspark.lastInstalled", "couponxplorer@mindspark.com");

Emptied folder: C:\Users\jjdonohue\AppData\Roaming\mozilla\firefox\profiles\sez1qwa1.default\minidumps [5 files]

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 09/11/2013 at 20:40:53.74
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[jjdonohue]

here is the ADW Cleaner log

 

# AdwCleaner v3.003 - Report created 11/09/2013 at 20:46:36
# Updated 07/09/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : jjdonohue - HOMECOMPUTER
# Running from : C:\Users\jjdonohue\Desktop\Johns Technology folder\JRT AND ADWS\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Users\jjdonohue\AppData\Roaming\Mozilla\Firefox\Profiles\sez1qwa1.default\searchplugins\my-web-search.xml
Folder Found C:\Program Files (x86)\Common Files\DVDVideoSoft\TB
Folder Found C:\Program Files\PC Optimizer Pro
Folder Found C:\Users\jjdonohue\AppData\Local\CouponXplorer_5z
Folder Found C:\Users\JoanneDonohue\AppData\LocalLow\FreeOnlineRadioPlayerRecorder

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\FreeOnlineRadioPlayerRecorder
Key Found : HKCU\Software\Splashtop Inc.
Key Found : [x64] HKCU\Software\Splashtop Inc.
Key Found : HKLM\Software\FreeOnlineRadioPlayerRecorder
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater
Key Found : HKLM\Software\Splashtop Inc.

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16502

-\\ Mozilla Firefox v17.0.1 (en-US)

[ File : C:\Users\jjdonohue\AppData\Roaming\Mozilla\Firefox\Profiles\sez1qwa1.default\prefs.js ]

Line Found : user_pref("browser.search.defaultenginename", "My Web Search");
Line Found : user_pref("browser.search.selectedEngine", "My Web Search");

Line Found : user_pref("extensions.mywebsearch.prevDefaultEngine", "Google");
Line Found : user_pref("extensions.mywebsearch.prevKwdEnabled", true);

Line Found : user_pref("extensions.mywebsearch.prevSelectedEngine", "Google");

Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.hp.enabled", true);
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.initialized", true);
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.installation.contextKey", "");
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.installation.installDate", "2013091120");
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.installation.partnerId", "^AFA^xdm123^YY^us");
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.installation.partnerSubId", "");
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.installation.success", true);
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.installation.toolbarId", "A762911C-D0BF-45B5-B7F7-C109E14CB2DF");
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.lastActivePing", "1378953797253");
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.options.defaultSearch", true);
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.options.homePageEnabled", true);
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.options.keywordEnabled", true);
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.options.tabEnabled", true);
Line Found : user_pref("extensions.toolbar.mindspark._5zMembers_.weather.location", "80201");
Line Found : user_pref("extensions.toolbar.mindspark.hp.enabled", true);
Line Found : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "couponxplorer@mindspark.com");
Line Found : user_pref("extensions.toolbar.mindspark.lastInstalled", "couponxplorer@mindspark.com");

-\\ Google Chrome v

[ File : C:\Users\jjdonohue\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [46901 octets] - [29/08/2013 17:42:35]
AdwCleaner[R1].txt - [4461 octets] - [11/09/2013 20:46:36]
AdwCleaner[s0].txt - [28645 octets] - [29/08/2013 18:44:35]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [4582 octets] ##########

[jjdonohue]

I am running eset now. Seems to be taking a long time.

[AdvancedSetup]

Once ESET finishes you need to run AdwCleaner again and choose to Delete, Clean the found items.

Double click on AdwCleaner.exe to run the tool again.

• Click on the Scan button.
• AdwCleaner will begin to scan your computer like it did before.
• After the scan has finished...
• This time click on the Clean button.
• Press OK when asked to close all programs and follow the onscreen prompts.
• Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.

[jjdonohue]

Ok, shouldn't I also post the eset logs? It's just scanning, not set to clean.

[AdvancedSetup]

Yes, once it is finished please do post the ESET log.  The AdwCleaner will be different items to remove.

[jjdonohue]

here is eset

C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pauxstb.dll.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbar.dll.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrmon.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdatact.dll.vir a variant of Win32/Toolbar.MyWebSearch.A application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtmlmu.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pieovr.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pimpipe.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pPlugin.dll.vir probably a variant of Win32/Toolbar.MyWebSearch application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2preghk.dll.vir a variant of Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskin.dll.vir a variant of Win32/Toolbar.MyWebSearch.P application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskplay.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pSrchMn.exe.vir a variant of Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\CREXT.DLL.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\CrExtP2p.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\NP2pStub.dll.vir Win32/Toolbar.MyWebSearch.T application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\T8HTML.DLL.vir probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\T8TICKER.DLL.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zauxstb.dll.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zbar.dll.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zbrmon.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zdatact.dll.vir a variant of Win32/Toolbar.MyWebSearch.A application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zhtmlmu.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zieovr.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zimpipe.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zPlugin.dll.vir probably a variant of Win32/Toolbar.MyWebSearch application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zreghk.dll.vir a variant of Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zskin.dll.vir a variant of Win32/Toolbar.MyWebSearch.P application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zskplay.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zSrchMn.exe.vir a variant of Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\CREXT.DLL.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\CrExtP5z.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\NP5zStub.dll.vir Win32/Toolbar.MyWebSearch.T application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\T8HTML.DLL.vir probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\T8TICKER.DLL.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\39EIPlug.dll.vir Win32/Toolbar.MyWebSearch application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\39EZSETP.dll.vir a variant of Win32/Toolbar.MyWebSearch.Q application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\NP39EISb.dll.vir Win32/Toolbar.MyWebSearch application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbarUpdater.exe.vir Win32/Toolbar.Zugo application
C:\AdwCleaner\Quarantine\C\Users\jjdonohue\AppData\LocalLow\MapsGalaxy_39EI\Installr\Cache\0B72751B.exe.vir a variant of Win32/Toolbar.MyWebSearch.O application
 

[jjdonohue]

here is the eset log. i thought i posted this before but it didnt copy for some reason

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pauxstb.dll.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbar.dll.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pbrmon.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pdatact.dll.vir a variant of Win32/Toolbar.MyWebSearch.A application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2phtmlmu.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pieovr.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pimpipe.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pPlugin.dll.vir probably a variant of Win32/Toolbar.MyWebSearch application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2preghk.dll.vir a variant of Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskin.dll.vir a variant of Win32/Toolbar.MyWebSearch.P application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pskplay.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\2pSrchMn.exe.vir a variant of Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\CREXT.DLL.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\CrExtP2p.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\NP2pStub.dll.vir Win32/Toolbar.MyWebSearch.T application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\T8HTML.DLL.vir probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponAlert_2p\bar\1.bin\T8TICKER.DLL.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zauxstb.dll.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zbar.dll.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zbrmon.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zdatact.dll.vir a variant of Win32/Toolbar.MyWebSearch.A application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zhtmlmu.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zieovr.dll.vir probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zimpipe.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zPlugin.dll.vir probably a variant of Win32/Toolbar.MyWebSearch application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zreghk.dll.vir a variant of Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zskin.dll.vir a variant of Win32/Toolbar.MyWebSearch.P application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zskplay.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\5zSrchMn.exe.vir a variant of Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\CREXT.DLL.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\CrExtP5z.exe.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\NP5zStub.dll.vir Win32/Toolbar.MyWebSearch.T application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\T8HTML.DLL.vir probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CouponXplorer_5z\bar\1.bin\T8TICKER.DLL.vir Win32/Toolbar.MyWebSearch.W application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\39EIPlug.dll.vir Win32/Toolbar.MyWebSearch application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\39EZSETP.dll.vir a variant of Win32/Toolbar.MyWebSearch.Q application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\MapsGalaxy_39EI\Installr\1.bin\NP39EISb.dll.vir Win32/Toolbar.MyWebSearch application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbarUpdater.exe.vir Win32/Toolbar.Zugo application
C:\AdwCleaner\Quarantine\C\Users\jjdonohue\AppData\LocalLow\MapsGalaxy_39EI\Installr\Cache\0B72751B.exe.vir a variant of Win32/Toolbar.MyWebSearch.O application
C:\Users\jjdonohue\Desktop\Johns Technology folder\m4a-to-mp3-converter.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\jjdonohue\Desktop\Johns Technology folder\GingersnapRootUtilityForWindows\Gingersnap\gingersnap Android/Exploit.Lotoor.DJ trojan
C:\Users\jjdonohue\Downloads\7zip_installer_d162812.exe a variant of Win32/InstallIQ.A application
C:\Users\jjdonohue\Downloads\cbsidlm-tr1_13-DiskAid-ORG-197766.exe Win32/DownloadAdmin.G application
C:\Users\jjdonohue\Downloads\google earth setup.exe a variant of Win32/Soft32Downloader.D application
 

[AdvancedSetup]

Please delete the following items from the ESET scan.

 

C:\Users\jjdonohue\Desktop\Johns Technology folder\m4a-to-mp3-converter.exe
C:\Users\jjdonohue\Desktop\Johns Technology folder\GingersnapRootUtilityForWindows\Gingersnap\gingersnap
C:\Users\jjdonohue\Downloads\7zip_installer_d162812.exe
C:\Users\jjdonohue\Downloads\cbsidlm-tr1_13-DiskAid-ORG-197766.exe
C:\Users\jjdonohue\Downloads\google earth setup.exe

 

Then run the following.

 

Please Run TFC by OldTimer to clear temporary files:

• Download TFC from here and save it to your desktop.
• http://oldtimer.geekstogo.com/TFC.exe
• Close any open programs and Internet browsers.
• Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
• Please be patient as clearing out temp files may take a while.
• Once it completes you may be prompted to restart your computer, please do so.
• Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.
  

 

Then after it runs reboot the computer and run this.

 

Please download Security Check from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

 

[jjdonohue]

all the things you have marked for deletion are legitament programs so i dont want to delete those. i know what they are

 

also all this cleaning is destroying good files.  i had an issue with symantec and fixed that.  i also lost corel instantviewer and i dont know how to get that back.  that was a legit program as well.   what will tfc do? 

[AdvancedSetup]

If these installers were from the original author perhaps but a couple are dubious in nature such as the m4a converter.

Their installers are bundled with junk and partially the reason you're here in the first place as they put advertising and tracking software on your system and sooner or later place you in contact with one or more sites that are determined to try and infect your computer.

 

The fact that we can even attempt to try and save the computer itself is a testament to the hard work of a group of people constantly working on and improving tools to both remove and fix the damage done by this rootkit.  Had this been a year ago you'd be formatting the drive almost guaranteed, even now if you re-read my original post to you its still recommend to format the drive and reinstall Windows so trying to save "features" of programs is the least of your concerns.

 

Rootkit Warning

 

The complexity of finding, preventing, and cleanup from malware

 

TFC is a temporary file cleaner as explained in the message for that step.

 

If  you do not wish to continue please let me know and I'll go ahead and close your topic as we have many others looking for help as well.

 

Thank you.