
My user's PC shows adtext-type links in both Chrome & IE, and Scorpion Saver in Programs and Features. Malwarebytes shows no problems. Symantec Endpoint shows no problems.

 

DDS results follow.

 

- Bob Ballard

 

------------------

dds.txt:

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 1.5.0_17
Run by chester at 9:53:51 on 2013-11-18
Microsoft Windows 8 Pro  6.2.9200.0.1252.1.1033.18.8066.5200 [GMT -5:00]
.
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\dwm.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\Program Files\ScorpionSaver Services\AdpeakProxy.exe
C:\Program Files (x86)\APC\PowerChute Personal Edition\mainserv.exe
C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe
C:\Windows\system32\dashost.exe
C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin64\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe
C:\Windows\system32\taskhostex.exe
C:\Windows\Explorer.EXE
C:\Program Files\Classic Shell\ClassicStartMenu.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Ebix Inc\Common Files\SOFileManager.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
C:\Program Files (x86)\Java\jre1.5.0_17\bin\jusched.exe
C:\Program Files (x86)\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe
C:\Program Files (x86)\APC\PowerChute Personal Edition\apcsystray.exe
C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\sysWow64\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL
BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\office15\GROOVEEX.DLL
BHO: ClassicIEBHO Class: {EA801577-E6AD-4BD5-8F71-4BE0154331A4} - C:\Program Files\Classic Shell\ClassicIEDLL_32.dll
TB: Adobe Acrobat Create PDF Toolbar: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll
uRun: [sOFileManager] "C:\Program Files (x86)\Ebix Inc\Common Files\SOFileManager.exe"
uRun: [smartOffice Desktop Integrations] \\cgco.local\User Shared\chester\Start Menu\Programs\Ebix Inc\SmartOffice Desktop Integrations 2.0 - Installer.appref-ms
uRun: [AdobeBridge] <no file>
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun: [Display] C:\Program Files (x86)\APC\PowerChute Personal Edition\DataCollectionLauncher.exe
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun: [Adobe Creative Cloud] "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.5.0_17\bin\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\APCUPS~1.LNK - C:\Program Files (x86)\APC\PowerChute Personal Edition\Display.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\POWERC~1.LNK - C:\Power Clock\PClock32.Exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: EnableVirtualization = dword:0
mPolicies-System: EnableInstallerDetection = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: EnableSecureUIAPaths = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:1
IE: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre1.5.0_17\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\office15\OCHelper.dll
IE: {56753E59-AF1D-4FBA-9E15-31557124ADA2} - C:\Program Files\Classic Shell\ClassicIE_32.exe
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll
Trusted Zone: ebix.com
Trusted Zone: ebixcrm.com
Trusted Zone: ez-data.com
Trusted Zone: ezdata.com
Trusted Zone: smartofficeonline.com
TCP: NameServer = 8.8.8.8,8.8.4.4
TCP: NameServer = 192.168.16.2 64.89.70.2 8.8.8.8
TCP: Interfaces\{97e1de57-d6fa-11e1-be62-806e6f6e6963} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{C02CAB3E-C922-4371-A1DD-E72CF76EF979} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{D5A9B0CC-97FB-40EF-8401-70091F5A562B} : NameServer = 192.168.16.2,4.2.2.2
TCP: Interfaces\{D5A9B0CC-97FB-40EF-8401-70091F5A562B} : DHCPNameServer = 192.168.16.2 64.89.70.2 8.8.8.8
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-BHO: ExplorerBHO Class: {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL
x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
x64-BHO: ClassicIEBHO Class: {EA801577-E6AD-4BD5-8F71-4BE0154331A4} - C:\Program Files\Classic Shell\ClassicIEDLL_64.dll
x64-TB: Classic Explorer Bar: {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll
x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-mPolicies-System: EnableVirtualization = dword:0
x64-mPolicies-System: EnableInstallerDetection = dword:0
x64-mPolicies-System: PromptOnSecureDesktop = dword:0
x64-mPolicies-System: EnableSecureUIAPaths = dword:0
x64-mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:1
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll
x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll
x64-IE: {56753E59-AF1D-4FBA-9E15-31557124ADA2} - C:\Program Files\Classic Shell\ClassicIE_32.exe
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\Windows\System32\Drivers\iaStorA.sys [2013-2-21 575448]
R0 SymDS;Symantec Data Store;C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\SymDS64.sys [2013-9-23 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\SymEFA64.sys [2013-9-23 1139800]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\BASHDefs\20131101.011\BHDrvx64.sys [2013-11-5 1524824]
R1 ccSettings_{E1A40A89-2B89-44FA-9E96-395B7D7F03AC};Symantec Endpoint Protection 12.1.3001.165.105 Settings Manager;C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\ccSetx64.sys [2013-9-23 169048]
R1 IDSVia64;IDSVia64;C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\IPSDefs\20131115.011\IDSviA64.sys [2013-11-15 521816]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\Ironx64.sys [2013-9-23 224416]
R1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\symnets.sys [2013-9-23 433752]
R2 AdpeakProxy;AdpeakProxy;C:\Program Files\ScorpionSaver Services\AdpeakProxy.exe [2013-10-16 3688448]
R2 AdpeakWFP;AdpeakWFP;C:\Windows\System32\Drivers\AdpeakWFP64.sys [2013-11-15 41624]
R2 APC Data Service;APC Data Service;C:\Program Files (x86)\APC\PowerChute Personal Edition\dataserv.exe [2012-1-24 21880]
R2 Level Quality Watcher;Level Quality Watcher;C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe run options=01110010000000000000000000000000 sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC --> C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe run options=01110010000000000000000000000000 sourceguid=422332B5-F3A6-47F6-93EF-792299EF24DC [?]
R2 OfficeSvc;Microsoft Office Service;C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-9-17 1907896]
R2 SepMasterService;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Bin\ccSvcHst.exe [2013-10-24 144368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-9-23 140376]
S0 SymELAM;Symantec ELAM Driver;C:\Windows\System32\Drivers\SEP\0C010BB9\00A5.105\x64\SymELAM.sys [2013-9-23 23448]
S3 ahcix64s;ahcix64s;C:\Windows\System32\Drivers\ahcix64s.sys [2013-2-21 298304]
S3 amd_sata;amd_sata;C:\Windows\System32\Drivers\amd_sata.sys [2012-8-20 79016]
S3 amd_xata;amd_xata;C:\Windows\System32\Drivers\amd_xata.sys [2012-8-20 26280]
S3 iaStorS;iaStorS;C:\Windows\System32\Drivers\iaStorS.sys [2013-2-21 651736]
S3 megasas2;megasas2;C:\Windows\System32\Drivers\megasas2.sys [2013-2-21 53552]
S3 vmbusr;Virtual Machine Bus Provider;C:\Windows\System32\Drivers\vmbusr.sys [2012-7-25 117248]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\Drivers\wdcsam64.sys [2008-5-6 14464]
S3 WUDFWpdMtp;WUDFWpdMtp;C:\Windows\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
.
=============== Created Last 30 ================
.
2013-11-15 16:32:19 78296 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-11-15 16:32:19 694232 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-15 16:05:24 -------- d-----w- C:\Users\chester\AppData\Roaming\Malwarebytes
2013-11-15 16:05:15 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys
2013-11-15 16:05:15 -------- d-----w- C:\ProgramData\Malwarebytes
2013-11-15 16:05:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-11-15 15:18:20 41624 ----a-w- C:\Windows\System32\drivers\AdpeakWFP64.sys
2013-11-15 15:18:18 -------- d-----w- C:\Program Files\ScorpionSaver Services
2013-11-14 15:25:29 -------- d-----w- C:\Users\chester\AppData\Roaming\ClassicShell
2013-11-14 15:25:12 -------- d-----w- C:\Program Files\Classic Shell
2013-11-14 15:15:36 -------- d-----w- C:\Program Files\Level Quality Watcher
2013-11-14 15:14:53 -------- d-----w- C:\Program Files (x86)\sp
2013-11-13 21:27:47 300720 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10225.bin
2013-10-29 13:18:15 -------- d-----w- C:\Backup
2013-10-24 00:15:48 58880 ----a-w- C:\Windows\RemComSvc80.exe
2013-10-23 14:04:36 -------- d-----w- C:\Program Files (x86)\HP
2013-10-20 22:47:24 329216 ----a-w- C:\Windows\System32\StartMenuHelper64.dll
2013-10-20 22:46:56 268288 ----a-w- C:\Windows\SysWow64\StartMenuHelper32.dll
.
==================== Find3M  ====================
.
2013-10-24 23:27:09 177312 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2013-10-24 23:26:02 576400 ----a-w- C:\Windows\System32\SymVPN.dll
2013-10-24 23:26:02 44448 ----a-w- C:\Windows\System32\drivers\WGX64.SYS
2013-10-24 23:26:02 420240 ----a-w- C:\Windows\SysWow64\SymVPN.dll
2013-10-24 23:26:02 157584 ----a-w- C:\Windows\System32\FwsVpn.dll
2013-10-24 23:26:02 136592 ----a-w- C:\Windows\SysWow64\FwsVpn.dll
2013-10-12 08:45:20 2241536 ----a-w- C:\Windows\System32\wininet.dll
2013-10-12 08:43:37 3959808 ----a-w- C:\Windows\System32\jscript9.dll
2013-10-12 07:03:50 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-10-12 07:02:33 2877952 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-10-10 11:53:35 96600 ----a-w- C:\Windows\System32\drivers\wfplwfs.sys
2013-10-10 09:21:20 1160192 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-10 09:20:43 723968 ----a-w- C:\Windows\System32\BFE.DLL
2013-10-02 23:25:41 1300992 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-01 23:37:57 1569280 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-10-01 23:37:53 2035712 ----a-w- C:\Windows\SysWow64\authui.dll
2013-10-01 23:26:49 1890816 ----a-w- C:\Windows\System32\crypt32.dll
2013-10-01 23:26:45 2304512 ----a-w- C:\Windows\System32\authui.dll
2013-10-01 22:22:19 1022976 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-09-24 00:08:12 56720 ----a-w- C:\Windows\System32\snacnp.dll
2013-09-24 00:08:12 50576 ----a-w- C:\Windows\SysWow64\snacnp.dll
2013-09-24 00:02:14 796760 ----a-w- C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\srtsp64.sys
2013-09-24 00:02:14 493656 ----a-w- C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\SymDS64.sys
2013-09-24 00:02:14 433752 ----a-w- C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\symnets.sys
2013-09-24 00:02:14 36952 ----a-w- C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\srtspx64.sys
2013-09-24 00:02:14 23448 ----a-w- C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\SymELAM.sys
2013-09-24 00:02:14 224416 ----a-w- C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\Ironx64.sys
2013-09-24 00:02:14 169048 ----a-w- C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\ccSetx64.sys
2013-09-24 00:02:14 1139800 ----a-w- C:\Windows\System32\drivers\SEP\0C010BB9\00A5.105\x64\SymEFA64.sys
2013-09-23 22:30:14 419328 ----a-w- C:\Windows\System32\schannel.dll
2013-09-23 22:30:03 323072 ----a-w- C:\Windows\SysWow64\schannel.dll
2013-09-13 22:36:37 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2013-09-13 22:36:23 84992 ----a-w- C:\Windows\SysWow64\wudriver.dll
2013-09-13 22:36:23 126976 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2013-09-13 22:36:14 247296 ----a-w- C:\Windows\SysWow64\ubpm.dll
2013-09-13 22:34:14 40448 ----a-w- C:\Windows\System32\wuapp.exe
2013-09-13 22:33:55 252928 ----a-w- C:\Windows\System32\WUSettingsProvider.dll
2013-09-13 22:33:55 142848 ----a-w- C:\Windows\System32\wuwebv.dll
2013-09-13 22:33:54 99328 ----a-w- C:\Windows\System32\wudriver.dll
2013-09-13 22:33:54 1622016 ----a-w- C:\Windows\System32\wucltux.dll
2013-09-13 22:33:42 328192 ----a-w- C:\Windows\System32\ubpm.dll
2013-09-13 22:33:39 175104 ----a-w- C:\Windows\System32\storewuauth.dll
2013-09-04 03:11:23 576512 ----a-w- C:\Windows\System32\drivers\afd.sys
2013-08-30 05:43:40 61784 ----a-w- C:\Windows\System32\drivers\crashdmp.sys
2013-08-30 05:20:13 1173504 ----a-w- C:\Windows\System32\UIAutomationCore.dll
2013-08-29 23:48:12 914432 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll
2013-08-23 07:22:24 2062848 ----a-w- C:\Windows\System32\d3d11.dll
2013-08-23 05:11:57 4040192 ----a-w- C:\Windows\System32\win32k.sys
2013-08-23 01:44:40 1711616 ----a-w- C:\Windows\SysWow64\d3d11.dll
2013-08-21 06:39:29 465240 ----a-w- C:\Windows\System32\drivers\fvevol.sys
.
============= FINISH:  9:54:46.38 ===============
 
attach.txt:
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 8 Pro
Boot Device: \Device\HarddiskVolume1
Install Date: 9/11/2013 11:44:05 AM
System Uptime: 11/15/2013 11:30:25 AM (70 hours ago)
.
Motherboard: Hewlett-Packard |  | 3397
Processor: Intel® Core i5-3470 CPU @ 3.20GHz | Intel® Core i5-3470 CPU @ 3.20GHz | 3201/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 465 GiB total, 415.759 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&27CD646&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&27CD646&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP9: 10/31/2013 3:13:07 AM - Scheduled Checkpoint
RP10: 11/7/2013 3:12:25 AM - Scheduled Checkpoint
RP11: 11/14/2013 3:00:15 AM - Windows Update
.
==== Installed Programs ======================
.
7-Zip 9.22beta
Adobe Acrobat XI Standard
Adobe AIR
Adobe Creative Cloud
Adobe Help Manager
Adobe Illustrator CS6
Adobe Reader XI (11.0.04)
Citrix Online Launcher
Classic Shell
DocRecord Advanced Viewers
DocRecord Desktop Client
DocRecord Office Extension
Dot4
Google Chrome
Google Update Helper
Intel® Processor Graphics
J2SE Runtime Environment 5.0 Update 17
KeePass Password Safe 2.23
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Office 365 ProPlus - en-us
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Office 15 Click-to-Run Extensibility Component
Office 15 Click-to-Run Licensing Component
Office 15 Click-to-Run Localization Component
Paint.NET v3.5.11
PDF Settings CS6
Power Clock 7.65
PowerChute Personal Edition 3.0.2
ScorpionSaver Services
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
SmartAnalyzer for SmartOffice
SmartAnalyzer for SmartOffice - Installer - 1 
SmartOffice Desktop Integrations 2.0
SmartOffice Desktop Integrations 2.0 - Installer - 1 
Symantec Endpoint Protection
.
==== Event Viewer Messages From Past Week ========
.
11/18/2013 9:08:38 AM, Error: Application Management Group Policy [103]  - The removal of the assignment of application Classic Menu for Office 2007 from policy Copy of Default Domain Policy failed.  The error was : %%2
11/15/2013 12:35:22 PM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain CGCO due to the following:  There are currently no logon servers available to service the logon request.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
11/15/2013 11:32:35 AM, Error: Microsoft-Windows-GroupPolicy [1130]  - Startup script failed.   GPO Name : LPI Group Policy GPO File System Path : \\cgco.local\SysVol\cgco.local\Policies\{148797D9-6AF5-4AB2-BA0A-EEFEA370EEE4}\Machine Script Name: C:\LPI_Startup_Script.vbs
11/15/2013 11:32:34 AM, Error: Application Management Group Policy [108]  - Failed to apply changes to software installation settings.  Software changes could not be applied.  A previous log entry with details should exist.  The error was : %%1612
11/15/2013 11:32:34 AM, Error: Application Management Group Policy [102]  - The install of application Classic Menu for Office 2007 from policy Copy of Default Domain Policy failed.  The error was : %%1612
11/15/2013 11:31:27 AM, Error: Service Control Manager [7000]  - The UAC File Virtualization service failed to start due to the following error:  This driver has been blocked from loading
.
==== End Of File ===========================
 

 


Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


RogueKiller report:

 

RogueKiller V8.7.8 _x64_ [Nov 14 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : chester [Admin rights]
Mode : Scan -- Date : 11/18/2013 14:18:04
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

 

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST500DM002-1BD142 +++++
--- User ---
[MBR] 652c2b26cc037757d0456a87f0179d4d
[bSP] f6989cdfa35de403b9471a2ccf8a2011 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 350 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 718848 | Size: 476588 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_11182013_141803.txt >>

 

 

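The four [HJ POL][PUM] entries RogueKiller reports above are the same UAC policy values the DDS log lists under mPolicies-System and x64-mPolicies-System (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, EnableInstallerDetection, EnableSecureUIAPaths and EnableVirtualization all at 0, EnableUIADesktopToggle at 1). The script below is an added example, not code from this thread or from the DDS or RogueKiller authors: it parses those DDS policy lines and compares them with an assumed baseline of Windows 7/8 default UAC settings. The baseline values, the value descriptions and the embedded sample excerpt (the policy lines copied from the log above, plus one unrelated line to show it is ignored) are this example's own assumptions.

```python
"""Triage the UAC policy lines printed in a DDS log's Pseudo HJT Report.

Added example; the baseline below is an assumption (Windows 7/8 defaults as
documented by Microsoft), not something the thread itself states.
"""
import re

# Assumed secure baseline: default UAC policy values on a Windows 7/8 workstation.
UAC_BASELINE = {
    "ConsentPromptBehaviorAdmin": 5,  # prompt for consent for non-Windows binaries
    "PromptOnSecureDesktop": 1,
    "EnableInstallerDetection": 1,
    "EnableSecureUIAPaths": 1,
    "EnableVirtualization": 1,
    "EnableUIADesktopToggle": 0,
    "EnableLUA": 1,
}

# Documented meanings of ConsentPromptBehaviorAdmin (0 means silent elevation).
CONSENT_BEHAVIOR_ADMIN = {
    0: "elevate without prompting",
    1: "prompt for credentials on the secure desktop",
    2: "prompt for consent on the secure desktop",
    3: "prompt for credentials",
    4: "prompt for consent",
    5: "prompt for consent for non-Windows binaries",
}

# DDS prints these lines as "<x64->mPolicies-System: <Name> = dword:<decimal>".
POLICY_LINE = re.compile(
    r"^(?P<arch>x64-)?mPolicies-System:\s*(?P<name>\w+)\s*=\s*dword:(?P<value>\d+)\s*$"
)


def parse_policies(log_text):
    """Return {(arch, name): value} for every mPolicies-System line in a DDS log."""
    found = {}
    for line in log_text.splitlines():
        match = POLICY_LINE.match(line.strip())
        if match:
            arch = "x64" if match.group("arch") else "x86"
            found[(arch, match.group("name"))] = int(match.group("value"))
    return found


def audit_uac(policies, baseline=UAC_BASELINE):
    """Return (arch, name, actual, expected) for each value that differs from baseline.

    Names absent from the log are skipped: this only judges what DDS printed.
    """
    findings = []
    for (arch, name), value in sorted(policies.items()):
        if name in baseline and value != baseline[name]:
            findings.append((arch, name, value, baseline[name]))
    return findings


def describe(name, value):
    """Human-readable meaning of a policy value."""
    if name == "ConsentPromptBehaviorAdmin":
        return CONSENT_BEHAVIOR_ADMIN.get(value, "unknown value")
    return "enabled" if value else "disabled"


def report(log_text):
    """One report line per deviation from the baseline."""
    return [
        f"[{arch}] {name} = {actual} ({describe(name, actual)}); baseline {expected}"
        for arch, name, actual, expected in audit_uac(parse_policies(log_text))
    ]


# Constructed sample: the policy lines from the DDS log in this thread, plus an
# unrelated Explorer policy line that the parser must ignore.
SAMPLE_DDS = """\
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: EnableVirtualization = dword:0
mPolicies-System: EnableInstallerDetection = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: EnableSecureUIAPaths = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:1
x64-mPolicies-System: EnableVirtualization = dword:0
x64-mPolicies-System: EnableInstallerDetection = dword:0
x64-mPolicies-System: PromptOnSecureDesktop = dword:0
x64-mPolicies-System: EnableSecureUIAPaths = dword:0
x64-mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:1
"""

if __name__ == "__main__":
    for line in report(SAMPLE_DDS):
        print(line)
```

Run against the excerpt, every one of the twelve policy lines is reported, and ConsentPromptBehaviorAdmin is described as "elevate without prompting", which is why RogueKiller classifies it as a policy hijack rather than as a matter of taste. To check a live machine, feed the script the text of a freshly generated dds.txt.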

Can you uninstall ScorpionSaver Services from Add/Remove Programs?

Then please create a new system restore point before continuing.

Let's clean out any adware/spyware now: (this will require a reboot, so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look like this, not "sponsored ad links":

(image: bleep-crop.jpg)

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


Whew! Here's what happened...

 

- I couldn't download from bleepingcomputer. I kept getting a message that SmartScreen Filter didn't like the file, even though I had SSF turned off.

- I downloaded from cnet, but had to uncheck all the bloatware it wanted me to install also.

- Got it downloaded, ran as administrator, but it tried to save the logfiles to a network share drive and failed, so no log files - before or after - from AdwCleaner.

- It showed several registry entries, which I cleaned.

- When AdwCleaner ran it did not create c:\AdwCleaner or c:\AdwCleaner\Quarantine, so no log files or quarantine files there.

- MalwareBytes found 3 items and removed them. Log files attached.

- I corrected some settings in Active Directory, restarted the PC, and reran AdwCleaner. This time it created a c:\AdwCleaner folder instead of trying to use the network drive. The log file from this run is attached. I showed the user that she has Chrome set to reopen last visited pages and that this is an invitation to reinfection. She changed Chrome settings to fixed URLs.

 

No more ad links in web pages now and the PC seems to be running much faster now!

 

Thanks so much for your help!!!

 

(BTW, we like your dogs. I've attached a photo of my wife with our dogs, and a photo of my user Claire's dog, Winston.)

 

Bob

mbam-log-2013-11-19 (12-59-46) - AFTER REMOVAL.txt

MBAM-log-2013-11-19 (13-05-56) - BEFORE REMOVAL.txt

AdwCleanerR2.txt




Good.....

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

 Results of screen317's Security Check version 0.99.77 
   x64 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Windows Defender              
Symantec Endpoint Protection  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Reader XI 
 Google Chrome 31.0.1650.48 
 Google Chrome 31.0.1650.57 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 


Internet Explorer 10 Out of date! <----you may want to update at some point.

-----------------------------------

A little clean up to do....

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)
http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (also HERE)

Good Luck and Thanks for using the forum, MrC


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

