Host Process for Windows Service playing Ads!

spencmm · January 11, 2014

Greeting!

This is my first post here. I have random ads/videos(?) playing on my speakers, several overtop each other, and the volume mixer calls the program Host Process for WIndows Service. Disabling my internet connection ends the ads, but the program remains open. Force closing the process triggers a computer restart, reinfecting me.

I have tried various methods via googling this problem and have decided that I need to stop lurking and ask for help. I've tried Malwarebytes of course plus the anti-rootkit app, roguekiller but didn't delete anything, rkill, spybot search and destroy, TDSSkiller, and I have combofix but am too scared to use it.

My specs:

This is a Macbook Pro running windows exclusively (I know, both mac and pc users hate me)

Mid 2010 13" Macbook pro base model plus 8gb ram

Running 64 bit windows 7 Intel Core 2 Duo CPU @ 2.40 GHz

Nvidia GeForce 320M graphics card and DirectX 11

I hope this is all the info you need! Thanks in advance!

Voltron

Here are my dds results. As you can see, I'm a bit of a gamer.

DDS:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 8.0.7600.16671 BrowserJavaVersion: 10.45.2

Run by Voltron at 18:26:37 on 2014-01-10

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.7927.3987 [GMT -7:00]

.

AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Windows\system32\AppleOSSMgr.exe

C:\Windows\system32\AppleTimeSrv.exe

C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe

C:\Windows\system32\taskeng.exe

c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe

c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe

C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\loggingserver.exe

C:\Program Files\Boot Camp\Bootcamp.exe

C:\Program Files\SmartTechnology\Software\ProfilerU.exe

C:\Program Files\SmartTechnology\Software\SaiMfd.exe

C:\Program Files\Plantronics\GameCom780\GameCom780.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\Program Files\NVIDIA Corporation\Display\nvtray.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\WUDFHost.exe

C:\Program Files (x86)\AVG\AVG2014\avgui.exe

C:\Program Files (x86)\AVG Secure Search\vprot.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SndVol.exe

C:\Users\Voltron\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Windows\system32\SearchProtocolHost.exe

C:\Users\Voltron\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Steam\Steam.exe

C:\Users\Voltron\AppData\Local\Google\Chrome\Application\chrome.exe

C:\Users\Voltron\Downloads\Antivirus\RogueKiller.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Users\Voltron\Downloads\mbar-1.07.0.1008.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Voltron\Desktop\mbar\mbar.exe

C:\Windows\System32\cscript.exe

C:\Windows\system32\SearchFilterHost.exe

.

============== Pseudo HJT Report ===============

.

BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll

BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL

BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll

TB: <No Name>: {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - LocalServer32 - <no file>

TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll

uRun: [AlcoholAutomount] "C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" -automount

mRun: [Anti-phishing Domain Advisor] "C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe"

mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2014\avgui.exe" /TRAYONLY

mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-System: ConsentPromptBehaviorAdmin = dword:0

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableLUA = dword:0

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: PromptOnSecureDesktop = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office15\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office15\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIE.dll

IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office15\ONBttnIELinkedNotes.dll

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

INFO: HKLM has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

TCP: NameServer = 24.116.0.53 24.116.2.50

TCP: Interfaces\{26D5655F-8306-4EA6-A661-FFFAC5064ECD} : DHCPNameServer = 24.116.0.53 24.116.2.50

TCP: Interfaces\{583428F2-D635-4720-A304-86B2B99E332C} : DHCPNameServer = 24.116.0.53 24.116.2.50

TCP: Interfaces\{583428F2-D635-4720-A304-86B2B99E332C}\25F62696E637F6E6 : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{583428F2-D635-4720-A304-86B2B99E332C}\44F6E60254 : DHCPNameServer = 24.116.0.53 24.116.2.50

TCP: Interfaces\{583428F2-D635-4720-A304-86B2B99E332C}\46C696E6B6 : DHCPNameServer = 192.168.0.1

TCP: Interfaces\{583428F2-D635-4720-A304-86B2B99E332C}\46C696E6B6F5D656469616 : DHCPNameServer = 192.168.0.1

TCP: Interfaces\{583428F2-D635-4720-A304-86B2B99E332C}\D4F445F425F4C414D26354933463 : DHCPNameServer = 192.168.0.1

TCP: Interfaces\{583428F2-D635-4720-A304-86B2B99E332C}\F607479687 : DHCPNameServer = 8.8.8.8 8.8.4.4

Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL

Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files (x86)\Microsoft Office\Office15\MSOSB.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll

SSODL: WebCheck - <orphaned>

SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\SysWOW64\CbFsMntNtf3.dll

x64-BHO: Lync Browser Helper: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll

x64-BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL

x64-BHO: Microsoft SkyDrive Pro Browser Helper: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL

x64-BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll

x64-Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\Bootcamp.exe

x64-Run: [ProfilerU] C:\Program Files\SmartTechnology\Software\ProfilerU.exe

x64-Run: [saiMfd] C:\Program Files\SmartTechnology\Software\SaiMfd.exe

x64-Run: [GamecomSound] C:\Program Files\Plantronics\GameCom780\GameCom780.exe

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll

x64-IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll

.

INFO: x64-HKLM has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

x64-Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL

x64-Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL

x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>

x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

x64-SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\System32\CbFsMntNtf3.dll

x64-STS: Virtual Storage Mount Notification - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\System32\CbFsMntNtf3.dll

.

============= SERVICES / DRIVERS ===============

.

R0 AppleHFS;AppleHFS;C:\Windows\System32\drivers\AppleHFS.sys [2011-6-29 72024]

R0 AppleMNT;AppleMNT;C:\Windows\System32\drivers\AppleMNT.sys [2011-6-29 16216]

R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-10-24 194872]

R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-10-31 294712]

R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-10-1 123704]

R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-9-10 31544]

R1 Avgdiska;AVG Disk Driver;C:\Windows\System32\drivers\avgdiska.sys [2013-11-5 150808]

R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-11-4 240920]

R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-10-31 212280]

R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-8-1 251192]

R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-9-23 46368]

R2 KeyAgent;KeyAgent;C:\Windows\System32\drivers\KeyAgent.sys [2011-6-29 17752]

R2 MacHALDriver;Mac HAL;C:\Windows\System32\drivers\MacHALDriver.sys [2011-6-29 22872]

R3 acpials;ALS Sensor Filter;C:\Windows\System32\drivers\acpials.sys [2009-7-14 9728]

R3 AppleBtBc;Apple Broadcom Built-in Bluetooth;C:\Windows\System32\drivers\AppleBtBc.sys [2012-9-18 18944]

R3 applemtm;Apple Multitouch Mouse;C:\Windows\System32\drivers\applemtm.sys [2012-9-18 12288]

R3 applemtp;Apple Multitouch;C:\Windows\System32\drivers\applemtp.sys [2012-9-18 38912]

R3 cbfs3;EldoS Callback File System driver v3;C:\Windows\System32\drivers\cbfs3.sys [2012-10-7 352144]

R3 CirrusFilter;CS420xLowerFilter;C:\Windows\System32\drivers\CS420x64.sys [2012-9-18 18432]

R3 IRRemoteFlt;IR Receiver Filter Driver;C:\Windows\System32\drivers\IRFilter.sys [2012-9-18 18432]

R3 KeyMagic;USB Keyboard HID Filter;C:\Windows\System32\drivers\KeyMagic.sys [2012-9-18 32256]

S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-10-28 107288]

S3 libusb0;libusb-win32 - Kernel Driver 04/16/2013 0.0.0.0;C:\Windows\System32\drivers\libusb0.sys [2013-1-28 52320]

S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2013-3-16 121416]

S3 PlantronicsGC;PLTGC Interface;C:\Windows\System32\drivers\PLTGC.sys [2012-10-26 1327104]

S3 pneteth;PdaNet Broadband;C:\Windows\System32\drivers\pneteth.sys [2012-9-19 15360]

S3 SaiK1708;SaiK1708;C:\Windows\System32\drivers\SaiK1708.sys [2012-9-20 180544]

.

=============== Created Last 30 ================

.

2014-01-11 01:23:03 117464 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys.bak

2014-01-11 01:23:02 89304 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys.bak

2014-01-11 01:16:21 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2014-01-11 01:15:40 89304 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys

2014-01-10 21:53:03 -------- d-----w- C:\Program Files (x86)\ESET

2014-01-10 03:07:04 -------- d-sh--w- C:\$RECYCLE.BIN

2014-01-10 01:52:35 98816 ----a-w- C:\Windows\sed.exe

2014-01-10 01:52:35 256000 ----a-w- C:\Windows\PEV.exe

2014-01-10 01:52:35 208896 ----a-w- C:\Windows\MBR.exe

2014-01-10 01:52:30 -------- d-----w- C:\ComboFix

2014-01-10 00:56:06 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2014-01-10 00:56:06 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2014-01-10 00:28:59 9728 ----a-w- C:\Windows\System32\drivers\umpass.sys.bak

2014-01-10 00:27:59 167488 ----a-w- C:\Windows\System32\drivers\nvstor.sys.bak

2014-01-10 00:26:59 751616 ----a-w- C:\Windows\System32\drivers\http.sys.bak

2014-01-10 00:25:59 72024 ----a-w- C:\Windows\System32\drivers\AppleHFS.sys.bak

2014-01-09 22:47:10 -------- d-----w- C:\Users\Voltron\AppData\Roaming\Malwarebytes

2014-01-09 22:46:41 -------- d-----w- C:\ProgramData\Malwarebytes

2014-01-09 22:46:38 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys

2014-01-09 22:46:38 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2014-01-08 04:22:50 -------- d-----w- C:\Users\Voltron\AppData\Local\Valdis Story AC

2014-01-06 03:12:43 -------- d-----w- C:\Users\Voltron\Valdis Story. Abyssal City

2014-01-04 05:46:59 72200 ----a-w- C:\Windows\System32\XAPOFX1_1.dll

2014-01-02 04:52:45 -------- d-----w- C:\Users\Voltron\AppData\Roaming\freac

2014-01-02 04:52:10 -------- d-----w- C:\Program Files (x86)\freac

2013-12-15 07:24:49 -------- d-----w- C:\Users\Voltron\AppData\Roaming\RecoolTec

2013-12-15 07:01:57 -------- d-----w- C:\Users\Voltron\AppData\Roaming\SourceTec

2013-12-15 07:00:54 -------- d-----w- C:\Program Files (x86)\AviSynth 2.5

2013-12-15 06:58:37 -------- d-----w- C:\Users\Voltron\AppData\Roaming\GetRightToGo

.

==================== Find3M ====================

.

2013-12-11 17:12:33 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-12-11 17:12:33 692616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-11-11 01:38:33 46368 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys

2013-11-06 04:55:48 150808 ----a-w- C:\Windows\System32\drivers\avgdiska.sys

2013-11-05 04:52:42 240920 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys

2013-11-01 06:00:18 212280 ----a-w- C:\Windows\System32\drivers\avgldx64.sys

2013-11-01 05:49:46 294712 ----a-w- C:\Windows\System32\drivers\avgloga.sys

2013-10-28 08:12:12 204568 ----a-w- C:\Windows\System32\drivers\ssudmdm.sys

2013-10-28 08:12:10 107288 ----a-w- C:\Windows\System32\drivers\ssudbus.sys

2013-10-25 05:25:58 194872 ----a-w- C:\Windows\System32\drivers\avgidsha.sys

.

============= FINISH: 18:28:30.50 ===============

Attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 9/18/2012 12:49:42 PM

System Uptime: 1/10/2014 5:46:46 PM (1 hours ago)

.

Motherboard: Apple Inc. | | Mac-F222BEC8

Processor: Intel® Core2 Duo CPU P8600 @ 2.40GHz | U2E1 | 2394/266mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 466 GiB total, 108.264 GiB free.

D: is CDROM ()

E: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: Bluetooth Peripheral Device

Device ID: BTHENUM\{0000110B-0000-1000-8000-00805F9B34FB}_LOCALMFG&000F\8&5A1AA3B&0&00186B2D70F6_C00000000

Manufacturer:

Name: Bluetooth Peripheral Device

PNP Device ID: BTHENUM\{0000110B-0000-1000-8000-00805F9B34FB}_LOCALMFG&000F\8&5A1AA3B&0&00186B2D70F6_C00000000

Service:

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Broadcom 802.11n Network Adapter

Device ID: PCI\VEN_14E4&DEV_432B&SUBSYS_008D106B&REV_01\F7085EFFFF96D8A200

Manufacturer: Broadcom

Name: Broadcom 802.11n Network Adapter

PNP Device ID: PCI\VEN_14E4&DEV_432B&SUBSYS_008D106B&REV_01\F7085EFFFF96D8A200

Service: BCM43XX

.

Class GUID:

Description: Bluetooth Peripheral Device

Device ID: BTHENUM\{0000110E-0000-1000-8000-00805F9B34FB}_LOCALMFG&000F\8&5A1AA3B&0&00186B2D70F6_C00000000

Manufacturer:

Name: Bluetooth Peripheral Device

PNP Device ID: BTHENUM\{0000110E-0000-1000-8000-00805F9B34FB}_LOCALMFG&000F\8&5A1AA3B&0&00186B2D70F6_C00000000

Service:

.

Class GUID:

Description: Bluetooth Peripheral Device

Device ID: BTHENUM\{0000111E-0000-1000-8000-00805F9B34FB}_LOCALMFG&000F\8&5A1AA3B&0&00186B2D70F6_C00000000

Manufacturer:

Name: Bluetooth Peripheral Device

PNP Device ID: BTHENUM\{0000111E-0000-1000-8000-00805F9B34FB}_LOCALMFG&000F\8&5A1AA3B&0&00186B2D70F6_C00000000

Service:

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64

PNP Device ID: ROOT\NET\0000

Service: vpnva

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

µTorrent

64 Bit HP BiDi Channel Components Installer

7-Zip 9.20 (x64 edition)

Adobe Flash Player 11 ActiveX

Adobe Reader XI (11.0.05)

AI War: Fleet Command

Android SDK Tools

Anti-phishing Domain Advisor

Apple Application Support

Apple Mobile Device Support

Apple Software Update

AVG 2014

AVG Security Toolbar

AVSEQ

Awesomenauts

Bastion

Blackwell Deception

Bonjour

Boot Camp Services

Borderlands 2

Bullzip PDF Printer 4.0.0.463

Capsized

Cisco AnyConnect VPN Client

Closure

Diablo III

Dropbox

Dust: An Elysian Tail

Endless Space

Evoland

Fallout: New Vegas

Far Cry 2

Faster Than Light

FINAL FANTASY VII

Frozen Synapse

FTL: Faster Than Light

Giants - Citizen Kabuto

Gish

Google Chrome

Google Drive

Google Talk Plugin

Google Update Helper

Guns of Icarus Online

Half-Life 2

Insanely Twisted Shadow Planet

Java 7 Update 45

Java 7 Update 9 (64-bit)

Java Auto Updater

Kerbal Space Program Demo

League of Legends

Legend of Grimrock

Lego Star Wars Saga

Magic: The Gathering - Duels of the Planeswalkers 2013

Malwarebytes Anti-Malware version 1.75.0.1300

Mass Effect 2

Mass Effect™ 3

Microsoft .NET Framework 1.1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Access MUI (English) 2013

Microsoft Access Setup Metadata MUI (English) 2013

Microsoft DCF MUI (English) 2013

Microsoft Excel MUI (English) 2013

Microsoft Groove MUI (English) 2013

Microsoft InfoPath MUI (English) 2013

Microsoft Lync MUI (English) 2013

Microsoft Mouse and Keyboard Center

Microsoft Office 32-bit Components 2013

Microsoft Office OSM MUI (English) 2013

Microsoft Office OSM UX MUI (English) 2013

Microsoft Office Professional Plus 2013

Microsoft Office Proofing (English) 2013

Microsoft Office Proofing Tools 2013 - English

Microsoft Office Proofing Tools 2013 - Español

Microsoft Office Shared 32-bit MUI (English) 2013

Microsoft Office Shared MUI (English) 2013

Microsoft Office Shared Setup Metadata MUI (English) 2013

Microsoft OneNote MUI (English) 2013

Microsoft Outlook MUI (English) 2013

Microsoft PowerPoint MUI (English) 2013

Microsoft Publisher MUI (English) 2013

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Word MUI (English) 2013

Microsoft XNA Framework Redistributable 3.1

Microsoft XNA Framework Redistributable 4.0 Refresh

Mumble 1.2.3

My Game Long Name

NightSky

NVIDIA 3D Vision Driver 314.22

NVIDIA Control Panel 314.22

NVIDIA Display Control Panel

NVIDIA Drivers

NVIDIA Graphics Driver 314.22

NVIDIA HD Audio Driver 1.3.23.1

NVIDIA Install Application

NVIDIA PhysX

NVIDIA PhysX System Software 9.12.1031

NVIDIA Stereoscopic 3D Driver

NVIDIA Update 1.12.12

NVIDIA Update Components

Oil Rush

Orcs Must Die! 2

Origin

Outils de vérification linguistique 2013 de Microsoft Office - Français

Penny Arcade's On the Rain-Slick Precipice of Darkness 3

Penny Arcade's On the Rain-Slick Precipice of Darkness 4

Plantronics® GameCom 780 Software for Dolby® Headphone

Portal 2

PowerISO

Psychonauts

PuTTY version 0.62

Python 2.7.5 (64-bit)

QuickTime

Realtek High Definition Audio Driver

Reprisal version 1.3.1

Scribblenauts Unlimited

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2736428)

Security Update for Microsoft .NET Framework 4 Extended (KB2742595)

Shank 2

Shoot Many Robots

SimCity™

SixaxisPairTool 0.2.3

Skype™ 6.11

Smart Technology Programming Software 7.0.22.0

Snapshot

SOL: Exodus

Spybot - Search & Destroy

StarCraft II

StarForge Alpha

Steam

Strike Suit Zero

Superbrothers: Sword & Sworcery EP

TeamSpeak 3 Client

Terraria

The Basement Collection

The Binding of Isaac

The Elder Scrolls V: Skyrim

The Secret of Monkey Island: Special Edition

The Stanley Parable Demo

To the Moon

Towns

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Valdis Story. Abyssal City 1.0

Ventrilo Client for Windows x64

Visual Studio 2010 x64 Redistributables

Visual Studio 2012 x64 Redistributables

Visual Studio 2012 x86 Redistributables

VLC media player 2.0.8

Warhammer 40,000 Space Marine

Windows Driver Package - Apple Inc. (AppleUSBEthernet) Net (02/01/2008 3.10.3.10)

Windows Driver Package - Apple Inc. Apple Bluetooth (03/01/2010 3.0.0.5)

Windows Driver Package - Apple Inc. Apple Bluetooth Enabler (06/27/2007 2.0.0.1)

Windows Driver Package - Apple Inc. Apple Broadcom Bluetooth (10/05/2010 3.2.0.1)

Windows Driver Package - Apple Inc. Apple Built-in iSight (10/25/2007 2.0.1.0)

Windows Driver Package - Apple Inc. Apple Display (01/23/2009 3.0.0.0)

Windows Driver Package - Apple Inc. Apple IR Receiver (02/21/2008 2.0.4.0)

Windows Driver Package - Apple Inc. Apple Keyboard (05/05/2011 4.0.0.1)

Windows Driver Package - Apple Inc. Apple Multitouch (05/05/2011 4.0.0.1)

Windows Driver Package - Apple Inc. Apple Multitouch Mouse (05/05/2011 4.0.0.1)

Windows Driver Package - Apple Inc. Apple ODD (05/17/2010 3.1.0.0)

Windows Driver Package - Apple Inc. Apple System Device (04/05/2011 3.2.0.8)

Windows Driver Package - Apple Inc. Apple Trackpad (07/13/2009 3.0.0.1)

Windows Driver Package - Apple Inc. Apple Trackpad Enabler (07/13/2009 3.0.0.1)

Windows Driver Package - Apple Inc. Apple Wireless Mouse (06/01/2011 4.0.0.1)

Windows Driver Package - Apple Inc. Apple Wireless Trackpad (01/17/2011 3.2.0.0)

Windows Driver Package - Atheros Communications Inc. (athr) Net (11/13/2010 9.2.0.113)

Windows Driver Package - Broadcom (b57nd60a) Net (12/02/2010 14.4.2.2)

Windows Driver Package - Broadcom (BCM43XX) Net (04/06/2011 5.100.198.22)

Windows Driver Package - Broadcom Corporation (bScsiSDa) SDHost (01/18/2011 1.0.0.220)

Windows Driver Package - Cirrus Logic, Inc. (CirrusFilter) MEDIA (12/03/2010 6.6001.1.30)

Windows Driver Package - Intel (e1express) Net (03/26/2010 9.13.41.0)

Windows Driver Package - Intel (e1kexpress) Net (04/12/2010 11.6.92.0)

Windows Driver Package - Intel (e1qexpress) Net (12/04/2009 11.4.7.0)

Windows Driver Package - Intel (e1rexpress) Net (01/07/2010 11.4.16.0)

Windows Driver Package - Intel (e1yexpress) Net (04/07/2010 10.1.9.0)

Windows Driver Package - Intel System (07/20/2007 1.2.76.0)

Windows Driver Package - Marvell (yukonx64) Net (12/06/2007 10.51.1.3)

Ys Origin Demo

.

==== Event Viewer Messages From Past Week ========

.

1/9/2014 8:04:40 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

1/9/2014 7:40:43 PM, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.

1/9/2014 7:37:52 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error: A system shutdown has already been scheduled.

1/9/2014 7:37:52 PM, Error: Service Control Manager [7031] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

1/9/2014 7:37:52 PM, Error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

1/9/2014 7:06:31 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

1/9/2014 5:09:51 PM, Error: Microsoft-Windows-WMPNSS-Service [14332] - Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.

1/9/2014 5:07:40 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Software Protection service to connect.

1/9/2014 5:07:40 PM, Error: Service Control Manager [7000] - The Software Protection service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

1/9/2014 5:06:34 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Power service, but this action failed with the following error: A system shutdown has already been scheduled.

1/9/2014 5:06:34 PM, Error: Service Control Manager [7031] - The Power service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

1/9/2014 4:31:42 PM, Error: VDS Basic Provider [1] - Unexpected failure. Error code: 490@01010004

1/9/2014 4:20:23 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000003, 0xfffffa80088344b0, 0xfffff80004a464d8, 0xfffffa800a2ac010). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 010914-36176-01.

1/9/2014 3:54:23 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error: A system shutdown has already been scheduled.

1/9/2014 11:32:32 PM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.

1/8/2014 8:23:08 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Audio service, but this action failed with the following error: An instance of the service is already running.

1/8/2014 8:22:08 PM, Error: Service Control Manager [7031] - The Windows Event Log service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

1/8/2014 8:22:08 PM, Error: Service Control Manager [7031] - The Windows Audio service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

1/8/2014 8:22:08 PM, Error: Service Control Manager [7031] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.

1/8/2014 8:22:08 PM, Error: Service Control Manager [7031] - The Security Center service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

1/8/2014 8:22:08 PM, Error: Service Control Manager [7031] - The HomeGroup Provider service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

1/8/2014 8:22:08 PM, Error: Service Control Manager [7031] - The DHCP Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

1/8/2014 8:05:33 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0000000000000088, 0x0000000000000002, 0x0000000000000001, 0xfffff80003250fae). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 010814-44663-01.

1/7/2014 10:32:53 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.

1/5/2014 7:00:21 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer PRINCESS that believes that it is the master browser for the domain on transport NetBT_Tcpip_{583428F2-D635-4720-A304-86B2B99E332C}. The master browser is stopping or an election is being forced.

1/5/2014 5:39:43 PM, Error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.0.102 with the system having network hardware address D8-9D-67-36-EB-60. Network operations on this system may be disrupted as a result.

1/10/2014 5:49:46 PM, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

1/10/2014 5:49:46 PM, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.

1/10/2014 5:47:26 PM, Error: Service Control Manager [7023] - The Power service terminated with the following error: The WMI request could not be completed and should be retried.

.

==== End Of File ===========================

MrCharlie · January 11, 2014

Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running, please create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give to instructions on how to cleanup all the tools and logs

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)

spencmm · January 11, 2014

Here are the results of roguekiller:

RogueKiller V8.8.0 [Dec 27 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.adlice.com/forum/

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Voltron [Admin rights]

Mode : Scan [Aborted] -- Date : 01/10/2014 19:07:24

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 1 ¤¤¤

[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : Anti-phishing Domain Advisor ("C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [7]) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

Finished : << RKreport[0]_S_01102014_190724.txt >>

RKreport[0]_S_01102014_180550.txt;RKreport[0]_S_01102014_182448.txt;RKreport[0]_S_01102014_190658.txt

MrCharlie · January 11, 2014

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

spencmm · January 11, 2014

Sorry that was the wrong scan log. I had the internet disabled and the ads were not running nor was the Host Process. Here are the updated results (i aborted the posted scan):

RogueKiller V8.8.0 [Dec 27 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.adlice.com/forum/

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Voltron [Admin rights]

Mode : Scan -- Date : 01/10/2014 19:13:46

| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤

[Microsoft][HIDDEN] dllhost.exe -- \Device\HarddiskVolume1\Windows\System32\dllhost.exe [x] -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤

[RUN][sUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : Anti-phishing Domain Advisor ("C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [7]) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND

[HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST95005620AS ATA Device +++++

--- User ---

[MBR] 3635d1f6b3d66fef05d899b7a99c37c2

[bSP] e9d0cfa02b88658c905c529bde86e0a4 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2 | Size: 476940 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[0]_S_01102014_191346.txt >>

MrCharlie · January 11, 2014

OK, run ComboFix now.....MrC

spencmm · January 11, 2014

Combofix log:

ComboFix 14-01-08.03 - Voltron 01/10/2014 19:17:59.3.2 - x64

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.7927.5573 [GMT -7:00]

Running from: c:\users\Voltron\Desktop\ComboFix.exe

AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2013-12-11 to 2014-01-11 )))))))))))))))))))))))))))))))

.

2014-01-11 02:26 . 2014-01-11 02:26 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2014-01-11 02:26 . 2014-01-11 02:26 -------- d-----w- c:\users\hedev\AppData\Local\temp

2014-01-11 02:26 . 2014-01-11 02:26 -------- d-----w- c:\users\Default\AppData\Local\temp

2014-01-11 01:23 . 2014-01-11 01:23 117464 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys.bak

2014-01-11 01:16 . 2014-01-11 01:49 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)

2014-01-11 01:15 . 2014-01-11 01:15 89304 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-01-10 21:53 . 2014-01-10 21:53 -------- d-----w- c:\program files (x86)\ESET

2014-01-10 00:56 . 2014-01-10 01:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2014-01-10 00:56 . 2014-01-10 00:57 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy

2014-01-10 00:28 . 2014-01-11 02:13 9728 ----a-w- c:\windows\system32\drivers\umpass.sys.bak

2014-01-10 00:27 . 2014-01-11 02:12 167488 ----a-w- c:\windows\system32\drivers\nvstor.sys.bak

2014-01-10 00:26 . 2014-01-11 02:11 751616 ----a-w- c:\windows\system32\drivers\http.sys.bak

2014-01-10 00:25 . 2014-01-11 02:10 72024 ----a-w- c:\windows\system32\drivers\AppleHFS.sys.bak

2014-01-09 22:47 . 2014-01-09 22:47 -------- d-----w- c:\users\Voltron\AppData\Roaming\Malwarebytes

2014-01-09 22:46 . 2014-01-09 22:46 -------- d-----w- c:\programdata\Malwarebytes

2014-01-09 22:46 . 2014-01-09 23:36 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2014-01-09 22:46 . 2013-04-04 21:50 25928 ----a-w- c:\windows\system32\drivers\mbam.sys

2014-01-08 04:22 . 2014-01-08 05:02 -------- d-----w- c:\users\Voltron\AppData\Local\Valdis Story AC

2014-01-06 03:12 . 2014-01-09 23:27 -------- d-----w- c:\users\Voltron\Valdis Story. Abyssal City

2014-01-04 05:46 . 2008-07-31 17:41 238088 ----a-w- c:\windows\SysWow64\xactengine3_2.dll

2014-01-02 04:52 . 2014-01-02 04:54 -------- d-----w- c:\users\Voltron\AppData\Roaming\freac

2014-01-02 04:52 . 2014-01-02 07:07 -------- d-----w- c:\program files (x86)\freac

2013-12-15 07:24 . 2013-12-15 07:24 -------- d-----w- c:\users\Voltron\AppData\Roaming\RecoolTec

2013-12-15 07:01 . 2013-12-15 07:01 -------- d-----w- c:\users\Voltron\AppData\Roaming\SourceTec

2013-12-15 07:00 . 2013-12-16 01:52 -------- d-----w- c:\program files (x86)\AviSynth 2.5

2013-12-15 06:58 . 2013-12-15 06:59 -------- d-----w- c:\users\Voltron\AppData\Roaming\GetRightToGo

2013-12-15 02:48 . 2013-12-15 07:20 -------- d-----w- c:\users\Voltron\AppData\Roaming\Audacity

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-12-11 17:12 . 2013-06-21 20:59 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-12-11 17:12 . 2013-06-21 20:59 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-11-11 01:38 . 2012-09-24 03:04 46368 ----a-w- c:\windows\system32\drivers\avgtpx64.sys

2013-11-06 04:55 . 2013-11-06 04:55 150808 ----a-w- c:\windows\system32\drivers\avgdiska.sys

2013-11-05 04:52 . 2013-11-05 04:52 240920 ----a-w- c:\windows\system32\drivers\avgidsdrivera.sys

2013-11-01 06:00 . 2013-11-01 06:00 212280 ----a-w- c:\windows\system32\drivers\avgldx64.sys

2013-11-01 05:49 . 2013-11-01 05:49 294712 ----a-w- c:\windows\system32\drivers\avgloga.sys

2013-10-28 08:12 . 2013-10-28 08:12 204568 ----a-w- c:\windows\system32\drivers\ssudmdm.sys

2013-10-28 08:12 . 2013-10-28 08:12 107288 ----a-w- c:\windows\system32\drivers\ssudbus.sys

2013-10-25 05:25 . 2013-10-25 05:25 194872 ----a-w- c:\windows\system32\drivers\avgidsha.sys

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2009-07-14 . 7266972E86890E2B30C0C322E906B027 . 509440 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll

[-] 2009-07-14 . F88DC375027839E7E7A7DB859C085FC5 . 510464 . . [6.1.7600.16385] .. c:\windows\system32\rpcss.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]

2014-01-09 05:07 3349528 ----a-w- c:\program files (x86)\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]

"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll" [2014-01-09 3349528]

.

[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]

[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]

@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"

[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]

2012-10-02 02:38 1720976 ----a-w- c:\progra~2\MICROS~3\Office15\GROOVEEX.DLL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]

@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"

[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]

2012-10-02 02:38 1720976 ----a-w- c:\progra~2\MICROS~3\Office15\GROOVEEX.DLL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]

@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"

[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]

2012-10-02 02:38 1720976 ----a-w- c:\progra~2\MICROS~3\Office15\GROOVEEX.DLL

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Voltron\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Voltron\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Voltron\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 129272 ----a-w- c:\users\Voltron\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]

@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"

[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]

2012-04-09 20:27 158224 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AlcoholAutomount"="c:\program files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe" [2012-01-05 75624]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Anti-phishing Domain Advisor"="c:\programdata\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [2012-05-03 217256]

"AVG_UI"="c:\program files (x86)\AVG\AVG2014\avgui.exe" [2013-11-08 4956176]

"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2014-01-09 2486296]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe;c:\program files (x86)\AVG\AVG2014\avgidsagent.exe [x]

R2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe;c:\program files (x86)\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]

R3 libusb0;libusb-win32 - Kernel Driver 04/16/2013 0.0.0.0;c:\windows\system32\DRIVERS\libusb0.sys;c:\windows\SYSNATIVE\DRIVERS\libusb0.sys [x]

R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys;c:\windows\SYSNATIVE\DRIVERS\MijXfilt.sys [x]

R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]

R3 PlantronicsGC;PLTGC Interface;c:\windows\system32\drivers\PLTGC.sys;c:\windows\SYSNATIVE\drivers\PLTGC.sys [x]

R3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys;c:\windows\SYSNATIVE\DRIVERS\pneteth.sys [x]

R3 SaiK1708;SaiK1708;c:\windows\system32\DRIVERS\SaiK1708.sys;c:\windows\SYSNATIVE\DRIVERS\SaiK1708.sys [x]

R3 SaiU1708;SaiU1708;c:\windows\system32\DRIVERS\SaiU1708.sys;c:\windows\SYSNATIVE\DRIVERS\SaiU1708.sys [x]

R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]

S0 AppleHFS;AppleHFS; [x]

S0 AppleMNT;AppleMNT; [x]

S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsha.sys [x]

S0 Avgloga;AVG Logging Driver;c:\windows\system32\DRIVERS\avgloga.sys;c:\windows\SYSNATIVE\DRIVERS\avgloga.sys [x]

S0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgmfx64.sys [x]

S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgrkx64.sys [x]

S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]

S1 Avgdiska;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiska.sys;c:\windows\SYSNATIVE\DRIVERS\avgdiska.sys [x]

S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys;c:\windows\SYSNATIVE\DRIVERS\avgidsdrivera.sys [x]

S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys;c:\windows\SYSNATIVE\DRIVERS\avgldx64.sys [x]

S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys;c:\windows\SYSNATIVE\DRIVERS\avgtdia.sys [x]

S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys;c:\windows\SYSNATIVE\drivers\avgtpx64.sys [x]

S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe;c:\windows\SYSNATIVE\AppleOSSMgr.exe [x]

S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe;c:\windows\SYSNATIVE\AppleTimeSrv.exe [x]

S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2014\avgwdsvc.exe;c:\program files (x86)\AVG\AVG2014\avgwdsvc.exe [x]

S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys;c:\windows\SYSNATIVE\drivers\KeyAgent.sys [x]

S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys;c:\windows\SYSNATIVE\drivers\MacHALDriver.sys [x]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]

S2 vToolbarUpdater17.3.0;vToolbarUpdater17.3.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [x]

S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys;c:\windows\SYSNATIVE\DRIVERS\acpials.sys [x]

S3 AppleBtBc;Apple Broadcom Built-in Bluetooth;c:\windows\system32\DRIVERS\AppleBtBc.sys;c:\windows\SYSNATIVE\DRIVERS\AppleBtBc.sys [x]

S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys;c:\windows\SYSNATIVE\DRIVERS\applemtm.sys [x]

S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys;c:\windows\SYSNATIVE\DRIVERS\applemtp.sys [x]

S3 cbfs3;EldoS Callback File System driver v3;c:\windows\system32\DRIVERS\cbfs3.sys;c:\windows\SYSNATIVE\DRIVERS\cbfs3.sys [x]

S3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x64.sys;c:\windows\SYSNATIVE\DRIVERS\CS420x64.sys [x]

S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]

S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys;c:\windows\SYSNATIVE\DRIVERS\IRFilter.sys [x]

S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys;c:\windows\SYSNATIVE\DRIVERS\KeyMagic.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]

S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]

.

Contents of the 'Scheduled Tasks' folder

.

2014-01-11 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-21 17:12]

.

2014-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-17 21:23]

.

2014-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-11-17 21:23]

.

2014-01-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2326492378-2209896221-3638460597-1000Core.job

- c:\users\Voltron\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-18 21:13]

.

2014-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2326492378-2209896221-3638460597-1000UA.job

- c:\users\Voltron\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-18 21:13]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]

@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"

[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]

2012-10-02 02:37 2322576 ----a-w- c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]

@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"

[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]

2012-10-02 02:37 2322576 ----a-w- c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]

@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"

[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]

2012-10-02 02:37 2322576 ----a-w- c:\progra~1\MICROS~2\Office15\GROOVEEX.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Voltron\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Voltron\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Voltron\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\Voltron\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]

@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"

[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]

2012-04-09 20:27 190480 ----a-w- c:\windows\System32\CbFsMntNtf3.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]

2013-12-06 22:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]

2013-12-06 22:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]

2013-12-06 22:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]

2013-12-06 22:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]

2013-12-06 22:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]

@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"

[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]

2013-12-06 22:47 778704 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2011-06-29 741760]

"ProfilerU"="c:\program files\SmartTechnology\Software\ProfilerU.exe" [2012-10-03 454144]

"SaiMfd"="c:\program files\SmartTechnology\Software\SaiMfd.exe" [2012-10-03 158208]

"GamecomSound"="c:\program files\Plantronics\GameCom780\GameCom780.exe" [2011-12-01 777448]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office15\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office15\ONBttnIE.dll/105

TCP: DhcpNameServer = 24.116.0.53 24.116.2.50

TCP: Interfaces\{26D5655F-8306-4EA6-A661-FFFAC5064ECD}: DhcpNameServer = 24.116.0.53 24.116.2.50

Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files (x86)\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2014-01-10 19:29:53

ComboFix-quarantined-files.txt 2014-01-11 02:29

ComboFix2.txt 2014-01-10 03:06

.

Pre-Run: 115,584,610,304 bytes free

Post-Run: 115,516,280,832 bytes free

.

- - End Of File - - CBB16744F78ABB520079F181586ED06C

A36C5E4F47E84449FF07ED3517B43A31

MrCharlie · January 11, 2014

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt, place it next to ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

Next...........

Lets clean out any adware/spyware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look similar to this, not "sponsored ad links":

Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Please uncheck elements you don't want removed.
Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log especially under Files/Folders for any program you want to save.
If there's a program you may want to save, just uncheck it from AdwCleaner.
If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
If you're ready to clean it all up.....click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
To restore an item that has been deleted:
Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Last..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a FULL Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC

spencmm · January 11, 2014

Combofix report:

ComboFix 14-01-08.03 - Voltron 01/10/2014 20:06:18.5.2 - x64

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.7927.5797 [GMT -7:00]

Running from: c:\users\Voltron\Desktop\ComboFix.exe

Command switches used :: c:\users\Voltron\Desktop\CFScript.txt

AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

--------------- FCopy ---------------

.

c:\windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll --> c:\windows\system32\rpcss.dll

.

((((((((((((((((((((((((( Files Created from 2013-12-11 to 2014-01-11 )))))))))))))))))))))))))))))))

.

2014-01-11 03:13 . 2014-01-11 03:13 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp

2014-01-11 03:13 . 2014-01-11 03:13 -------- d-----w- c:\users\hedev\AppData\Local\temp

2014-01-11 03:13 . 2014-01-11 03:13 -------- d-----w- c:\users\Default\AppData\Local\temp

2014-01-11 03:06 . 2009-07-14 01:41 509440 ----a-w- c:\windows\SysWow64\rpcss.dll