Malwarebytes successfully blocked access to potentially malicious website


deehan

Here are the logs -

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16736
Run by sdeehan at 15:36:37 on 2014-02-25
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.3994.1746 [GMT -5:00]
.
AV: System Center Endpoint Protection *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: System Center Endpoint Protection *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\lsm.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\WLANExt.exe
C:\WINDOWS\System32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\1E\NomadBranch\NomadBranch.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k regsvc
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\Dwm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\WINDOWS\CCM\CcmExec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\CCM\RemCtrl\CmRcService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\CCM\SCNotification.exe
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\WINDOWS\SysWOW64\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\WINDOWS\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit = userinit.exe,
BHO: Avery Toolbar: {41565256-3700-A76A-76A7-7A786E7484D7} -
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Avery Toolbar: {41565256-3700-A76A-76A7-7A786E7484D7} -
mRun: [ApnTBMon] "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
dRunOnce: [Microsoft Security Client] C:\Program Files\Microsoft Security Client\msseces.exe /UpdateAndQuickScan /OpenWebPageOnClose
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoWindowsUpdate = dword:1
uPolicies-Explorer: NoSMMyPictures = dword:1
uPolicies-Explorer: NoStartMenuMyMusic = dword:1
uPolicies-Explorer: ForceStartMenuLogOff = dword:1
uPolicies-Explorer: NoSMConfigurePrograms = dword:1
uPolicies-Explorer: NoAutoUpdate = dword:1
uPolicies-Explorer: DisallowCpl = dword:1
uPolicies-Explorer: NoWelcomeScreen = dword:1
uPolicies-Windows\System: ExcludeProfileDirs = AppData\Roaming\Microsoft\Credentials;AppData\Roaming\Microsoft\Crypto;AppData\Roaming\Microsoft\Protect;AppData\Roaming\Microsoft\SystemCertificates;Application Data\Microsoft\Crypto;Application Data\Microsoft\Protect;Application Data\Microsoft\SystemCertificates
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-Explorer: NoPublishingWizard = dword:1
mPolicies-Explorer: NoWebServices = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableInstallerDetection = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableSecureUIAPaths = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: legalnoticecaption = Important Notice:
mPolicies-System: legalnoticetext = This system is for authorized use only. Users have no explicit or implicit expectation of privacy. Any and all uses may be monitored, recorded and disclosed at the discretion of authorized site personnel. Unauthorized or improper use may result in disciplinary action and civil and criminal penalties. By continuing to use this system you are consenting to these terms. DISCONNECT NOW if you are not authorized to use this system.
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: mswsock.dll
Trusted Zone: accuweather.com
Trusted Zone: barchart.com
Trusted Zone: corptax.com
Trusted Zone: iehs.com
Trusted Zone: iehs.com
Trusted Zone: inside
Trusted Zone: internet
Trusted Zone: k51corpdev
Trusted Zone: k52corpsys
Trusted Zone: loweslink.com
Trusted Zone: project
Trusted Zone: projectdev
Trusted Zone: rocktenn.com
Trusted Zone: ssccweb
Trusted Zone: vertabase.com
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: NameServer = 68.94.156.1 68.94.157.1 192.168.1.1
TCP: Interfaces\{9F8084A2-786A-4032-AE6D-81DE1AED1CB9} : DHCPNameServer = 68.94.156.1 68.94.157.1 192.168.1.1
TCP: Interfaces\{9F8084A2-786A-4032-AE6D-81DE1AED1CB9}\25130326F68734F6 : DHCPNameServer = 10.101.1.6 10.1.2.36 10.40.152.6
TCP: Interfaces\{9F8084A2-786A-4032-AE6D-81DE1AED1CB9}\341346F5343316374327 : DHCPNameServer = 162.34.5.106 162.34.100.106
TCP: Interfaces\{9F8084A2-786A-4032-AE6D-81DE1AED1CB9}\6516C6C65697024496E65627 : DHCPNameServer = 10.1.10.1
TCP: Interfaces\{E1B31E0B-3E78-4EFC-A561-00F7E68711B9} : DHCPNameServer = 172.18.1.3 162.34.5.106 162.34.100.106
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Avery Toolbar: {41565256-3700-A76A-76A7-7A786E7484D7} -
x64-TB: Avery Toolbar: {41565256-3700-A76A-76A7-7A786E7484D7} -
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
x64-Trusted Zone: accuweather.com
x64-Trusted Zone: barchart.com
x64-Trusted Zone: corptax.com
x64-Trusted Zone: iehs.com
x64-Trusted Zone: iehs.com
x64-Trusted Zone: inside
x64-Trusted Zone: internet
x64-Trusted Zone: k51corpdev
x64-Trusted Zone: k52corpsys
x64-Trusted Zone: loweslink.com
x64-Trusted Zone: project
x64-Trusted Zone: projectdev
x64-Trusted Zone: rocktenn.com
x64-Trusted Zone: ssccweb
x64-Trusted Zone: vertabase.com
x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\System32\drivers\MpFilter.sys [2013-6-18 247216]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\WINDOWS\System32\drivers\stdcfltn.sys [2012-8-23 21616]
R1 ctxusbm;Citrix USB Monitor Driver;C:\WINDOWS\System32\drivers\ctxusbm.sys [2011-4-25 87600]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-8-23 89600]
R2 APNMCP;Ask Update Service;C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [2014-2-13 166352]
R2 CmRcService;Configuration Manager Remote Control;C:\Windows\CCM\RemCtrl\CmRcService.exe [2012-11-21 633952]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-2-25 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-2-25 701512]
R2 NisDrv;Microsoft Network Inspection System;C:\WINDOWS\System32\drivers\NisDrvWFP.sys [2013-6-18 139616]
R2 NomadBranch;1E Nomad Branch;C:\Program Files\1E\NomadBranch\NomadBranch.exe [2013-3-7 2160952]
R2 vpnagent;Cisco AnyConnect VPN Agent;C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]
R3 Acceler;Accelerometer Service;C:\WINDOWS\System32\drivers\Accelern.sys [2011-9-16 27760]
R3 IntcDAud;Intel® Display Audio;C:\WINDOWS\System32\drivers\IntcDAud.sys [2011-9-16 317440]
R3 MBAMProtector;MBAMProtector;C:\WINDOWS\System32\drivers\mbam.sys [2014-2-25 25928]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2013-6-20 366600]
R3 O2MDRRDR;O2MDRRDR;C:\WINDOWS\System32\drivers\O2MDRw7x64.sys [2011-9-16 74984]
R3 O2SDJRDR;O2SDJRDR;C:\WINDOWS\System32\drivers\o2sdjw7x64.sys [2011-9-16 83560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 d554gps;Dell Wireless  HSPA Mini-Card GPS Port;C:\WINDOWS\System32\drivers\d554gps64.sys [2011-9-16 101416]
S3 dmvsc;dmvsc;C:\WINDOWS\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 ecnssndis; Mobile Broadband Driver;C:\WINDOWS\System32\drivers\wwuss64.sys [2011-9-16 26664]
S3 ecnssndisfltr; Mobile Broadband Driver Filter;C:\WINDOWS\System32\drivers\wwussf64.sys [2011-9-16 30248]
S3 Impcd;Impcd;C:\WINDOWS\System32\drivers\Impcd.sys [2011-9-16 158976]
S3 lpasvc;Microsoft Policy Platform Local Authority;C:\Program Files\Microsoft Policy Platform\policyHost.exe [2012-8-2 50280]
S3 lppsvc;Microsoft Policy Platform Processor;C:\Program Files\Microsoft Policy Platform\policyHost.exe [2012-8-2 50280]
S3 Mbm3CBus;Dell Wireless 5530 HSPA Mini-Card Device (WDM);C:\WINDOWS\System32\drivers\Mbm3CBus.sys [2011-9-16 411208]
S3 Mbm3DevMt;Dell Wireless  HSPA Mini-Card Device Management Driver (WDM);C:\WINDOWS\System32\drivers\Mbm3DevMt.sys [2011-9-16 419912]
S3 nwdelgobi3kfilter;Dell Wireless Gobi 3000 USB Composite Device Filter Driver;C:\WINDOWS\System32\drivers\nwdelgobi3kfilter.sys [2011-9-16 34304]
S3 nwdelserial;Dell Wireless Mobile Broadband Serial Driver;C:\WINDOWS\System32\drivers\nwdelserial.sys [2011-9-16 234112]
S3 O2MDFRDR;O2MDFRDR;C:\WINDOWS\System32\drivers\o2mdfw7x64.sys [2011-9-16 72808]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\WINDOWS\System32\drivers\rdpvideominiport.sys [2010-11-20 20992]
S3 StorSvc;Storage Service;C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\WINDOWS\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\WINDOWS\System32\drivers\terminpt.sys [2010-11-21 34816]
S3 TsUsbFlt;TsUsbFlt;C:\WINDOWS\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\WINDOWS\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 tsusbhub;Remote Deskotop USB Hub;C:\WINDOWS\System32\drivers\tsusbhub.sys [2010-11-21 117248]
.
=============== Created Last 30 ================
.
2014-02-25 11:14:40 25928 ----a-w- C:\WINDOWS\System32\drivers\mbam.sys
2014-02-25 11:14:39 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-24 14:46:56 10536864 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0BD0F735-390E-4F3F-86D3-7848ABB5EA53}\mpengine.dll
2014-02-21 22:02:33 10536864 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-02-20 18:10:13 1031560 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6DFE6773-7C38-4ECA-98C0-3C0C4AD54A58}\gapaengine.dll
2014-02-19 20:49:36 965000 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-02-13 14:35:55 -------- d-----w- C:\Users\sdeehan\AppData\Roaming\Malwarebytes
2014-02-13 14:35:21 -------- d-----w- C:\ProgramData\Malwarebytes
2014-02-13 14:33:34 -------- d-----w- C:\Users\sdeehan\AppData\Local\Programs
2014-02-13 03:09:48 -------- d-----w- C:\WINDOWS\pss
2014-02-11 02:32:40 -------- d-----w- C:\WINDOWS\ms
2014-02-10 12:33:30 -------- d-----w- C:\a0efeec8-29bc-4ba1-9e6b-b2362f37e45c_Cache
2014-02-09 16:36:21 -------- d-----w- C:\Users\sdeehan\AppData\Local\ASVworks
2014-01-27 20:36:50 -------- d-----w- C:\ProgramData\1E
2014-01-27 20:36:50 -------- d-----w- C:\Program Files\1E
2014-01-27 19:29:40 -------- d-----w- C:\WINDOWS\System32\{3DA228BE-34DA-49f4-A081-66465B077429}
2014-01-27 17:54:52 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2014-01-27 17:54:49 -------- d-----w- C:\Program Files\Microsoft Security Client
2014-01-27 17:50:06 -------- d-----w- C:\Program Files\Windows Firewall Configuration Provider
2014-01-27 17:40:33 -------- d-----w- C:\WINDOWS\ccmcache
2014-01-27 17:40:33 -------- d-----w- C:\WINDOWS\CCM
2014-01-27 17:38:59 -------- d-----w- C:\Program Files\Microsoft Policy Platform
.
==================== Find3M  ====================
.
2014-01-26 05:07:01 270496 ------w- C:\WINDOWS\System32\MpSigStub.exe
.
============= FINISH: 15:37:04.33 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Enterprise
Boot Device: \Device\HarddiskVolume1
Install Date: 8/23/2012 4:10:37 PM
System Uptime: 2/25/2014 8:04:50 AM (7 hours ago)
.
Motherboard: Dell Inc. |  | 0H5TG2
Processor: Intel® Core i3-2330M CPU @ 2.20GHz | CPU 1 | 2090/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 465 GiB total, 417.328 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Teredo Tunneling Adapter
Device ID: ROOT\*TEREDO\0000
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TEREDO\0000
Service: tunnel
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: Symantec Endpoint Protection Firewall
Device ID: ROOT\LEGACY_TEEFER3\0000
Manufacturer:
Name: Symantec Endpoint Protection Firewall
PNP Device ID: ROOT\LEGACY_TEEFER3\0000
Service: Teefer3
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Canon MX700 ser Network
Device ID: ROOT\CANON_IJ_NETWORK\0000
Manufacturer: Canon
Name: Canon MX700 ser Network
PNP Device ID: ROOT\CANON_IJ_NETWORK\0000
Service: StillCam
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
PNP Device ID: ROOT\NET\0000
Service: vpnva
.
==== System Restore Points ===================
.
RP129: 2/3/2014 8:11:52 AM - Windows Update
RP130: 2/6/2014 9:36:40 AM - Windows Update
RP131: 2/10/2014 7:47:41 AM - Windows Update
RP132: 2/13/2014 12:11:57 PM - Windows Update
RP133: 2/19/2014 7:39:58 AM - Windows Update
RP134: 2/19/2014 8:31:30 AM - Windows Update
RP135: 2/20/2014 2:31:33 PM - Windows Update
RP136: 2/21/2014 5:37:00 PM - Windows Update
RP137: 2/24/2014 10:21:11 AM - Windows Update
RP138: 2/24/2014 2:40:07 PM - Windows Update
RP139: 2/25/2014 2:59:00 PM - Windows Update
.
==== Installed Programs ======================
.
 Update for Microsoft Office 2007 (KB2508958)
1E NomadBranch x64
2007 Microsoft Office Suite Service Pack 2 (SP2)
64 Bit HP CIO Components Installer
7Zip64_9.20_R01
Adobe Flash Player 11 ActiveX
Adobe Reader XI (11.0.04)  MUI
Avery Toolbar
BlueZone
CalPrintingAssistOutlook2007SP2_12.04518_R01
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 1.0
Canon MX700 series
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Cisco AnyConnect VPN Client
Cisco WebEx Meetings
Citrix online plug-in
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (PNA)
Citrix online plug-in (SSON)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Configuration Manager Client
Dell Touchpad
DreamFactory Player for Internet Explorer
ITDFonts_2.0_R01
JavaJRE32_6.0.20_R01
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Endpoint Protection Management Components
Microsoft Forefront Endpoint Protection 2010 Server Management
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access MUI (French) 2007
Microsoft Office Access MUI (Spanish) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel 2007 Help Actualización (KB963678)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (French) 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office InfoPath MUI (French) 2007
Microsoft Office InfoPath MUI (Spanish) 2007
Microsoft Office Language Pack 2007 Service Pack 2 (SP2)
Microsoft Office Office 64-bit Components 2007
Microsoft Office Outlook 2007 Help Actualización (KB963677)
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Outlook MUI (French) 2007
Microsoft Office Outlook MUI (Spanish) 2007
Microsoft Office Powerpoint 2007 Help Actualización (KB963669)
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (French) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (French) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (French) 2007
Microsoft Office Publisher MUI (Spanish) 2007
Microsoft Office Shared 64-bit MUI (English) 2007
Microsoft Office Shared 64-bit MUI (French) 2007
Microsoft Office Shared 64-bit MUI (Spanish) 2007
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (French) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Viewer 2007
Microsoft Office Word 2007 Help Actualización (KB963665)
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (French) 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Policy Platform
Microsoft Security Client
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual Studio 2010 Tools for Office Runtime (x64)
Mise à jour Microsoft Office Excel 2007 Help  (KB963678)
Mise à jour Microsoft Office Outlook 2007 Help  (KB963677)
Mise à jour Microsoft Office Powerpoint 2007 Help  (KB963669)
Mise à jour Microsoft Office Word 2007 Help  (KB963665)
Office2003To2007TransTool_1.0_R01
OfficeTemplates_2.5_R01
Presto! PageManager 7.15.16
Salesforce for Outlook
SCCMShortCutsWin764_1.0_R01
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
SQLServerNativeClient2008W764_10.0.1600.22_R01
System Center Endpoint Protection
UniPrint Client 5.0
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2836939)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2522999)
USMT 4.0
WebExMeetingCtr_8.5.17_R01
Windows Firewall Configuration Provider
.
==== Event Viewer Messages From Past Week ========
.
2/25/2014 8:07:59 AM, Error: Microsoft-Windows-TerminalServices-RemoteConnectionManager [1067]  - The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. .
2/25/2014 8:06:40 AM, Error: Microsoft-Windows-GroupPolicy [1129]  - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
2/25/2014 8:05:48 AM, Error: Microsoft-Windows-DistributedCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {135D7881-D666-4046-A1DF-7EC7B5785A67}  and APPID  {AD65A69D-3831-40D7-9629-9B0B50A93843}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
2/25/2014 8:05:32 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Teefer3
2/25/2014 7:29:34 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error:  A system shutdown has already been scheduled.
2/25/2014 7:29:34 AM, Error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error:  A system shutdown has already been scheduled.
2/25/2014 7:29:26 AM, Error: Service Control Manager [7031]  - The Power service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/25/2014 7:29:26 AM, Error: Service Control Manager [7031]  - The Plug and Play service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/25/2014 7:29:26 AM, Error: Service Control Manager [7031]  - The DCOM Server Process Launcher service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/25/2014 6:39:38 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.167.491.0   Update Source: Internal Definition Update Server   Update Stage: Search   Source Path: HTTP://NT1101022.ROCKTENN.COM:8530   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.10302.0   Error code: 0x8024402c   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/25/2014 2:59:52 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070216: Security Update for Windows 7 for x64-based Systems (KB2862330).
2/25/2014 2:59:44 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070216: Security Update for Windows 7 for x64-based Systems (KB2913602).
2/25/2014 12:11:08 PM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain NA due to the following:  There are currently no logon servers available to service the logon request.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
2/25/2014 12:07:21 PM, Error: Service Control Manager [7000]  - The Microsoft Policy Platform Local Authority service failed to start due to the following error:  The executable program that this service is configured to run in does not implement the service.
2/25/2014 12:07:21 PM, Error: Microsoft-Windows-DistributedCOM [10005]  - DCOM got error "1083" attempting to start the service lpasvc with arguments "" in order to run the server: {12F246F3-DF68-4252-AE6B-07B9CF73B99A}
2/24/2014 9:34:52 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SSDPSRV service.
2/24/2014 9:34:22 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FDResPub service.
2/24/2014 9:33:11 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.167.338.0   Update Source: Internal Definition Update Server   Update Stage: Search   Source Path: HTTP://NT1101022.ROCKTENN.COM:8530   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.10302.0   Error code: 0x8024402c   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/24/2014 9:32:50 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wcncsvc service.
2/24/2014 7:32:27 PM, Error: Schannel [36888]  - The following fatal alert was generated: 40. The internal error state is 107.
2/24/2014 7:32:27 PM, Error: Schannel [36874]  - An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
2/24/2014 6:01:36 PM, Error: Service Control Manager [7022]  - The Windows Update service hung on starting.
2/24/2014 11:50:11 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.167.491.0   Update Source: Internal Definition Update Server   Update Stage: Search   Source Path: HTTP://NT1101022.ROCKTENN.COM:8530   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.10302.0   Error code: 0x8024402c   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/21/2014 9:35:54 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.167.247.0   Update Source: Internal Definition Update Server   Update Stage: Search   Source Path: HTTP://NT1101022.ROCKTENN.COM:8530   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.10302.0   Error code: 0x8024402c   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/21/2014 3:15:36 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.167.247.0   Update Source: Internal Definition Update Server   Update Stage: Search   Source Path: HTTP://NT1101022.ROCKTENN.COM:8530   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.10302.0   Error code: 0x8024402c   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/21/2014 2:49:22 PM, Error: Microsoft-Windows-GroupPolicy [1110]  - The processing of Group Policy failed. Windows could not determine if the user and computer accounts are in the same forest. Ensure the user domain name matches the name of a trusted domain that resides in the same forest as the computer account.
2/21/2014 2:48:38 PM, Error: Microsoft-Windows-GroupPolicy [1054]  - The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
2/19/2014 7:44:29 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.165.4071.0   Update Source: Internal Definition Update Server   Update Stage: Search   Source Path: HTTP://NT1101022.ROCKTENN.COM:8530   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.10201.0   Error code: 0x8024402c   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
2/19/2014 3:37:48 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   New Signature Version:    Previous Signature Version: 1.165.4071.0   Update Source: Internal Definition Update Server   Update Stage: Search   Source Path: HTTP://NT1101022.ROCKTENN.COM:8530   Signature Type: AntiVirus   Update Type: Full   User: NT AUTHORITY\SYSTEM   Current Engine Version:    Previous Engine Version: 1.1.10201.0   Error code: 0x8024001f   Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
.
==== End Of File ===========================
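
The DDS excerpt above ends with the machine's recent event-log errors. As an added example (not part of this thread and not DDS's own code), the Python below parses lines in that one-line-per-event DDS format and surfaces the patterns a responder would want first: several core services (DCOM launcher, Plug and Play, Power) dying in the same second, which points at the svchost hosting all three crashing rather than three independent faults; a boot-start driver that fails to load; repeated antimalware signature-update failures; failed security-update installs; and lost domain-controller contact. The sample lines are constructed after the log above; the CORE_SERVICES set and the 10-second correlation window are this example's own assumptions.

```python
"""Triage the event-log error block of a DDS report (added example).

Not DDS's or the forum's code. It parses constructed lines in the same
one-line-per-event format DDS uses and groups the recurring failures a
responder would want surfaced first.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, patterned on the DDS excerpt in this thread.
SAMPLE_LOG = """\
2/25/2014 8:05:32 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Teefer3
2/25/2014 7:29:26 AM, Error: Service Control Manager [7031]  - The Power service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/25/2014 7:29:26 AM, Error: Service Control Manager [7031]  - The Plug and Play service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/25/2014 7:29:26 AM, Error: Service Control Manager [7031]  - The DCOM Server Process Launcher service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/25/2014 6:39:38 AM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.   Previous Signature Version: 1.167.491.0   Error code: 0x8024402c   Error description: An unexpected problem occurred while checking for updates.
2/25/2014 2:59:52 PM, Error: Microsoft-Windows-WindowsUpdateClient [20]  - Installation Failure: Windows failed to install the following update with error 0x80070216: Security Update for Windows 7 for x64-based Systems (KB2862330).
2/25/2014 12:11:08 PM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain NA due to the following:  There are currently no logon servers available to service the logon request.
2/24/2014 9:34:52 AM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SSDPSRV service.
"""

# One DDS event line: "<M/D/YYYY h:mm:ss AM>, Error: <source> [<id>]  - <message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\]\s+-\s+(?P<msg>.*)$"
)
CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
DRIVER_RE = re.compile(r"failed to load:\s+(?P<drv>\S+)")
KB_RE = re.compile(r"\((KB\d+)\)")
ERRCODE_RE = re.compile(r"Error code: (0x[0-9A-Fa-f]+)")

# Assumption of this example: these services share one svchost on Win7, so
# all of them dying at once means the host process itself crashed.
CORE_SERVICES = {"DCOM Server Process Launcher", "Plug and Play", "Power"}


def parse_events(text):
    """Yield (datetime, source, event_id, message) for each parsable line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # blank lines / section headers
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        yield ts, m["source"], int(m["id"]), m["msg"]


def triage(text, window=timedelta(seconds=10)):
    """Return a dict of findings keyed by category (absent key = nothing seen)."""
    findings = defaultdict(list)
    crashes = []  # (timestamp, service name) from SCM 7031 events
    for ts, source, eid, msg in parse_events(text):
        if source == "Service Control Manager" and eid == 7031:
            m = CRASH_RE.match(msg)
            if m:
                crashes.append((ts, m["svc"]))
        elif source == "Service Control Manager" and eid == 7026:
            m = DRIVER_RE.search(msg)
            if m:
                findings["boot_driver_failed"].append(m["drv"])
        elif source == "Microsoft Antimalware" and eid == 2001:
            code = ERRCODE_RE.search(msg)
            findings["av_update_failed"].append(code.group(1) if code else "?")
        elif source == "Microsoft-Windows-WindowsUpdateClient" and eid == 20:
            findings["patch_install_failed"].extend(KB_RE.findall(msg))
        elif (source == "NETLOGON" and eid == 5719) or source == "Microsoft-Windows-GroupPolicy":
            findings["domain_unreachable"].append(f"{source}[{eid}]")
    # Correlate crashes: two or more core services dying inside `window`
    # is reported once as a cluster, not as independent service failures.
    crashes.sort()
    i = 0
    while i < len(crashes):
        ts0 = crashes[i][0]
        group = [(t, s) for t, s in crashes[i:] if t - ts0 <= window]
        core = {s for _, s in group} & CORE_SERVICES
        if len(core) >= 2:
            findings["core_service_crash_cluster"].append((ts0.isoformat(), sorted(core)))
        i += len(group)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

Event 7011 timeouts are parsed but not flagged: they show up on any slow boot and carry no signal on their own.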

Hello,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick scan.

Make sure that everything is checked, and click Remove Selected on any found items.

Post the produced log.

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Kevin

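FRST prints ATTENTION next to entries it cannot match against a known-good location. As an added example (not Farbar's code and not from this thread), the Python below reads the Registry, Internet, Services and Drivers lines of an FRST.txt and reports the persistence patterns FRST flags on this kind of infection: a CLSID InprocServer32 redirected to a \\?\globalroot device path inside a user's Temp folder, a service whose name begins with '*' and whose image path contains whitespace-only or '?'-only components, Winsock catalog entries whose provider DLL is missing, and drivers registered with no file on disk. The sample block is constructed after the FRST log posted later in this thread; the rule names, the path heuristics and the SAMPLE_FRST contents are the example's own assumptions.

```python
"""Flag rootkit-style persistence entries in an FRST.txt (added example).

Not Farbar's or the forum's code: a reviewer-written heuristic that reads
FRST's Registry/Internet/Services/Drivers lines and reports the patterns a
responder would triage first. Rule names and heuristics are assumptions.
"""
import re

# Constructed sample, patterned on lines from the FRST log in this thread.
SAMPLE_FRST = r"""
HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [608112 2011-07-07] (Alps Electric Co., Ltd.)
HKU\S-1-5-21-1\...\Run: [Google Update*] - [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\S-1-5-21-1\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\u\AppData\Local\Temp\sdwbprv\wow.dll ATTENTION! ====> ZeroAccess?
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
U4 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{6df8e0a8}\   \...\???\{6df8e0a8}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S1 netdeezn; \??\C:\WINDOWS\system32\drivers\netdeezn.sys [X]
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247216 2013-06-18] (Microsoft Corporation)
"""

# FRST's own flag: it already compared the entry against known-good locations.
ATTENTION_RE = re.compile(r"ATTENTION")
# A COM server, Run entry or service image loaded from a raw device path or
# from a per-user Temp directory: a hijack pointing at a hidden location.
DEVICE_PATH_RE = re.compile(
    r"\\\\\?\\globalroot\\|\\\\\?\\Device\\|\\AppData\\Local\\Temp\\", re.I
)
# Service/driver line: "<state> <name>; <image path> ..."
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<rest>.*)$")
# Path components made only of whitespace or only of '?' (FRST prints the
# unprintable characters of a hidden-directory trick as '?').
ODD_COMPONENT_RE = re.compile(r"\\(?:\s+|\?+)\\")
WINSOCK_MISSING_RE = re.compile(r"^Winsock: .* File Not found")
NT_PREFIX = "\\??\\"  # legitimate NT object-manager prefix on driver paths


def scan_frst(text):
    """Return a list of (rule, line) findings; a line may hit several rules."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ATTENTION_RE.search(line):
            findings.append(("frst_attention", line))
        if DEVICE_PATH_RE.search(line) and (
            "InprocServer32" in line or "Run:" in line or SERVICE_RE.match(line)
        ):
            findings.append(("hidden_image_path", line))
        if WINSOCK_MISSING_RE.match(line):
            findings.append(("winsock_provider_missing", line))
        m = SERVICE_RE.match(line)
        if m:
            path = m["rest"]
            if path.startswith(NT_PREFIX):
                path = path[len(NT_PREFIX):]  # \??\C:\... is normal, not odd
            if m["name"].startswith("*") or ODD_COMPONENT_RE.search(path):
                findings.append(("obfuscated_service", line))
            elif path.endswith("[X]"):
                findings.append(("driver_file_missing", line))
    return findings


def summarize(findings):
    """Count findings per rule for a quick severity view."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_frst(SAMPLE_FRST)
    print(summarize(hits))
    for rule, line in hits:
        print(f"[{rule}] {line[:100]}")
```

Treat the output as triage, not a verdict: a driver with no file ([X]) is common after a clean uninstall, while an InprocServer32 pointing at globalroot or a '*'-prefixed service are the high-confidence items. Broken Winsock catalog entries are normally repaired with netsh winsock reset rather than deleted one by one, or networking breaks for every program.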

Thanks for your help with this. Here are the logs you need -

Thanks for your help with this. The scan did not detect anything. Here is the log -

 

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.25.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16736
sdeehan :: LHK1TBT1 [administrator]

Protection: Enabled

2/25/2014 4:10:23 PM
mbam-log-2014-02-25 (16-10-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1012698
Time elapsed: 2 hour(s), 4 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-02-2014
Ran by sdeehan (administrator) on LHK1TBT1 on 25-02-2014 18:39:40
Running from C:\Users\sdeehan\Desktop
Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\STacSV64.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
(Microsoft Corporation) C:\WINDOWS\system32\WLANExt.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
(1E) C:\Program Files\1E\NomadBranch\NomadBranch.exe
(O2Micro International) C:\WINDOWS\system32\DRIVERS\o2flash.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\HidFind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apntex.exe
(Microsoft Corporation) C:\WINDOWS\CCM\CcmExec.exe
(Microsoft Corporation) C:\WINDOWS\CCM\RemCtrl\CmRcService.exe
(Microsoft Corporation) C:\WINDOWS\CCM\SCNotification.exe
(APN LLC.) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe
(APN) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnui.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Microsoft Corporation) C:\WINDOWS\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(Microsoft Corporation) C:\WINDOWS\system32\msiexec.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe
(Microsoft Corporation) C:\WINDOWS\SysWOW64\svchost.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [608112 2011-07-07] (Alps Electric Co., Ltd.)
HKLM-x32\...\Run: [ApnTBMon] - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1758160 2014-02-13] (APN)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKLM\...\Policies\Explorer: [NoPublishingWizard] 1
HKLM\...\Policies\Explorer: [NoWebServices] 1
HKU\.DEFAULT\...\RunOnce: [Microsoft Security Client] - C:\Program Files\Microsoft Security Client\msseces.exe [1356240 2013-06-20] (Microsoft Corporation)
HKU\S-1-5-19\...\Run: [sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Run: [Google Update*] - [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoWindowsUpdate] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoSMMyPictures] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoStartMenuMyMusic] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [ForceStartMenuLogOff] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoAutoUpdate] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoSharedDocuments] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [DisallowCpl] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\sdeehan\AppData\Local\Temp\sdwbprv\sfuuovv\wow.dll ATTENTION! ====> ZeroAccess?

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.rocktenn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.rocktenn.com
SearchScopes: HKCU - {B821BB6D-0EDE-4AFF-ABCD-4514A6C859C7} URL = http://www.search.ask.com/web?tpid=AVRV7&o=APN11068&pf=V7&p2=%5EB5N%5EYYYYYY%5EYY%5EUS&gct=&itbv=12.7.0.2446&apn_uid=C1DE8697-D53D-41C2-A719-5493F29D902F&apn_ptnrs=%5EB5N&apn_dtid=%5EYYYYYY%5EYY%5EUS&apn_dbr=iexplore.exe_6_10.0.9200.16660&doi=2013-12-17&trgb=IE&q={searchTerms}&psv=
BHO: Avery Toolbar - {41565256-3700-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\AVRV7\Passport_x64.dll (APN LLC.)
BHO-x32: Avery Toolbar - {41565256-3700-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\AVRV7\Passport.dll (APN LLC.)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Avery Toolbar - {41565256-3700-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\AVRV7\Passport_x64.dll (APN LLC.)
Toolbar: HKLM-x32 - Avery Toolbar - {41565256-3700-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\AVRV7\Passport.dll (APN LLC.)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
Winsock: Catalog9-x64 06 mswsock.dll File Not found ()
Winsock: Catalog9-x64 07 mswsock.dll File Not found ()
Winsock: Catalog9-x64 08 mswsock.dll File Not found ()
Winsock: Catalog9-x64 09 mswsock.dll File Not found ()
Winsock: Catalog9-x64 10 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 68.94.156.1 68.94.157.1 192.168.1.1

==================== Services (Whitelisted) =================

R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [166352 2014-02-13] (APN LLC.)
R2 CcmExec; C:\WINDOWS\CCM\CcmExec.exe [1842352 2013-08-31] (Microsoft Corporation)
R2 CmRcService; C:\WINDOWS\CCM\RemCtrl\CmRcService.exe [633952 2012-11-21] (Microsoft Corporation)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-06-20] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-06-20] (Microsoft Corporation)
R2 NomadBranch; C:\Program Files\1E\NomadBranch\NomadBranch.exe [2160952 2013-03-07] (1E)
S3 smstsmgr; C:\WINDOWS\CCM\TSManager.exe [401584 2013-08-31] (Microsoft Corporation)
U4 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{6df8e0a8-8c80-f05b-aa32-b589c7192ba8}\   \...\???\{6df8e0a8-8c80-f05b-aa32-b589c7192ba8}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 d554gps; C:\Windows\system32\drivers\d554gps64.sys [101416 2011-07-07] (Ericsson AB)
S3 ecnssndis; C:\Windows\System32\Drivers\wwuss64.sys [26664 2011-07-07] (Ericsson AB)
S3 ecnssndisfltr; C:\Windows\System32\Drivers\wwussf64.sys [30248 2011-07-07] (Ericsson AB)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 Mbm3CBus; C:\Windows\system32\drivers\Mbm3CBus.sys [411208 2011-07-07] (MCCI Corporation)
S3 Mbm3DevMt; C:\Windows\system32\drivers\Mbm3DevMt.sys [419912 2011-07-07] (MCCI Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247216 2013-06-18] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [139616 2013-06-18] (Microsoft Corporation)
S3 nwdelgobi3kfilter; C:\Windows\system32\drivers\nwdelgobi3kfilter.sys [34304 2011-07-07] (Novatel Wireless Inc)
S3 nwdelserial; C:\Windows\system32\drivers\nwdelserial.sys [234112 2011-07-07] (Novatel Wireless Inc.)
R3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [26984 2012-11-21] (Microsoft Corporation)
S1 netdeezn; \??\C:\WINDOWS\system32\drivers\netdeezn.sys [X]
S1 Teefer3; system32\DRIVERS\Teefer3.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-02-25 18:39 - 2014-02-25 18:39 - 00015552 _____ () C:\Users\sdeehan\Desktop\FRST.txt
2014-02-25 18:39 - 2014-02-25 18:39 - 00000000 ____D () C:\FRST
2014-02-25 18:38 - 2014-02-25 18:38 - 02155520 _____ (Farbar) C:\Users\sdeehan\Desktop\FRST64.exe
2014-02-25 15:37 - 2014-02-25 15:37 - 00021936 _____ () C:\Users\sdeehan\Desktop\attach.txt
2014-02-25 15:37 - 2014-02-25 15:37 - 00018738 _____ () C:\Users\sdeehan\Desktop\dds.txt
2014-02-25 15:35 - 2014-02-25 15:36 - 00688992 ____R (Swearware) C:\Users\sdeehan\Desktop\dds.scr
2014-02-25 06:15 - 2014-02-25 06:15 - 00001119 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-25 06:14 - 2014-02-25 06:15 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-25 06:14 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-02-24 18:08 - 2014-02-24 18:11 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\sdeehan\Desktop\mbam-setup-1.75.0.1300.exe
2014-02-13 09:35 - 2014-02-13 09:35 - 00000000 ____D () C:\Users\sdeehan\AppData\Roaming\Malwarebytes
2014-02-13 09:35 - 2014-02-13 09:35 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-12 22:09 - 2014-02-12 22:09 - 00000000 ____D () C:\WINDOWS\pss
2014-02-11 00:21 - 2014-02-11 00:21 - 00000000 ____S () C:\WINDOWS\system32\nkdm.mvr
2014-02-10 22:25 - 2014-02-25 18:06 - 00000074 _____ () C:\WINDOWS\system32\cwvulob.dac
2014-02-10 22:11 - 2014-02-10 22:11 - 00000064 _____ () C:\WINDOWS\system32\zhtngob.rvi
2014-02-10 22:11 - 2014-02-10 22:11 - 00000000 _____ () C:\WINDOWS\system32\lfsefo.ibt
2014-02-10 22:02 - 2014-02-10 22:02 - 00228999 ____S () C:\WINDOWS\system32\mqsmxe.oof
2014-02-10 21:33 - 2014-02-10 21:33 - 00014398 _____ () C:\WINDOWS\system32\CcmFramework.ini
2014-02-10 21:33 - 2014-02-10 21:33 - 00000621 _____ () C:\WINDOWS\system32\CcmFramework.h
2014-02-10 21:32 - 2014-02-10 21:32 - 00000000 ____D () C:\WINDOWS\ms
2014-02-10 07:33 - 2014-02-10 07:33 - 00000000 ____D () C:\a0efeec8-29bc-4ba1-9e6b-b2362f37e45c_Cache
2014-02-09 11:36 - 2014-02-13 09:38 - 00000000 ____D () C:\Users\sdeehan\AppData\Local\ASVworks
2014-02-04 16:58 - 2014-02-04 17:15 - 00001576 _____ () C:\WINDOWS\comsetup.log
2014-01-27 15:36 - 2014-01-27 15:36 - 00000000 ____D () C:\ProgramData\1E
2014-01-27 15:36 - 2014-01-27 15:36 - 00000000 ____D () C:\Program Files\1E
2014-01-27 15:33 - 2013-10-12 03:45 - 02241536 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2014-01-27 15:33 - 2013-10-12 03:45 - 01364992 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2014-01-27 15:33 - 2013-10-12 03:45 - 00051712 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2014-01-27 15:33 - 2013-10-12 03:43 - 03959808 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 02648576 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00855552 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00603136 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00526336 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieui.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00136704 _____ (Microsoft Corporation) C:\WINDOWS\system32\iesysprep.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\iesetup.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00053248 _____ (Microsoft Corporation) C:\WINDOWS\system32\jsproxy.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00039936 _____ (Microsoft Corporation) C:\WINDOWS\system32\iernonce.dll
2014-01-27 15:33 - 2013-10-12 02:03 - 01767936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2014-01-27 15:33 - 2013-10-12 02:03 - 01138176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 02877952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 02049024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00690688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00493056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00391168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieui.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00109056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iesysprep.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00061440 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iesetup.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00039424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jsproxy.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00033280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iernonce.dll
2014-01-27 15:33 - 2013-10-12 01:35 - 02706432 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.tlb
2014-01-27 15:33 - 2013-10-12 01:08 - 02706432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.tlb
2014-01-27 15:33 - 2013-10-12 00:44 - 00089600 _____ (Microsoft Corporation) C:\WINDOWS\system32\RegisterIEPKEYs.exe
2014-01-27 15:33 - 2013-10-12 00:15 - 00071680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\RegisterIEPKEYs.exe
2014-01-27 15:32 - 2013-10-12 03:43 - 19269632 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2014-01-27 15:32 - 2013-10-12 03:43 - 15404544 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2014-01-27 15:32 - 2013-10-12 02:02 - 14355968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2014-01-27 15:32 - 2013-10-12 02:02 - 13761024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2014-01-27 14:29 - 2014-02-10 21:32 - 00000000 ____D () C:\WINDOWS\system32\{3DA228BE-34DA-49f4-A081-66465B077429}
2014-01-27 12:54 - 2014-01-27 12:55 - 00001945 _____ () C:\WINDOWS\epplauncher.mif
2014-01-27 12:54 - 2014-01-27 12:55 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-01-27 12:54 - 2014-01-27 12:54 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-01-27 12:50 - 2014-01-27 12:50 - 00000000 ____D () C:\Program Files\Windows Firewall Configuration Provider
2014-01-27 12:41 - 2014-02-10 21:33 - 00003827 _____ () C:\WINDOWS\system32\InstallUtil.InstallLog
2014-01-27 12:40 - 2014-02-11 15:22 - 00000000 ____D () C:\WINDOWS\ccmcache
2014-01-27 12:40 - 2014-02-10 21:34 - 00000000 ____D () C:\WINDOWS\CCM
2014-01-27 12:38 - 2014-01-27 12:39 - 00000000 ____D () C:\Program Files\Microsoft Policy Platform

==================== One Month Modified Files and Folders =======

2014-02-25 18:39 - 2014-02-25 18:39 - 00015552 _____ () C:\Users\sdeehan\Desktop\FRST.txt
2014-02-25 18:39 - 2014-02-25 18:39 - 00000000 ____D () C:\FRST
2014-02-25 18:38 - 2014-02-25 18:38 - 02155520 _____ (Farbar) C:\Users\sdeehan\Desktop\FRST64.exe
2014-02-25 18:07 - 2013-10-02 08:30 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-02-25 18:06 - 2014-02-10 22:25 - 00000074 _____ () C:\WINDOWS\system32\cwvulob.dac
2014-02-25 16:51 - 2009-07-13 23:45 - 00019120 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-25 16:51 - 2009-07-13 23:45 - 00019120 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-25 16:15 - 2012-08-23 15:05 - 01426117 _____ () C:\WINDOWS\WindowsUpdate.log
2014-02-25 15:37 - 2014-02-25 15:37 - 00021936 _____ () C:\Users\sdeehan\Desktop\attach.txt
2014-02-25 15:37 - 2014-02-25 15:37 - 00018738 _____ () C:\Users\sdeehan\Desktop\dds.txt
2014-02-25 15:36 - 2014-02-25 15:35 - 00688992 ____R (Swearware) C:\Users\sdeehan\Desktop\dds.scr
2014-02-25 14:51 - 2012-08-23 15:47 - 00119564 __RSH () C:\ProgramData\ntuser.pol
2014-02-25 14:28 - 2012-08-23 15:06 - 00000352 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2014-02-25 08:07 - 2012-08-23 15:08 - 00000568 _____ () C:\WINDOWS\SMSCFG.INI
2014-02-25 08:05 - 2009-07-14 00:08 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-02-25 08:05 - 2009-07-13 23:51 - 00043253 _____ () C:\WINDOWS\setupact.log
2014-02-25 06:15 - 2014-02-25 06:15 - 00001119 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-25 06:15 - 2014-02-25 06:14 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-24 18:11 - 2014-02-24 18:08 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\sdeehan\Desktop\mbam-setup-1.75.0.1300.exe
2014-02-21 16:56 - 2013-11-22 13:41 - 00000000 ____D () C:\Users\sdeehan\Desktop\Smithfield Call Reports
2014-02-21 15:20 - 2009-07-13 22:20 - 00000000 ____D () C:\WINDOWS\system32\NDF
2014-02-20 13:23 - 2013-10-28 10:12 - 00116899 _____ () C:\Users\sdeehan\Desktop\Inline Open Order Sheet 10-28-13.xlsx
2014-02-20 12:01 - 2012-08-23 15:12 - 00000000 ____D () C:\Users\SvcPCNet
2014-02-13 16:27 - 2013-02-21 08:11 - 00000000 ____D () C:\Users\sdeehan\Desktop\My Accounts
2014-02-13 15:49 - 2011-05-04 14:10 - 00748302 _____ () C:\WINDOWS\system32\perfh00C.dat
2014-02-13 15:49 - 2011-05-04 14:10 - 00748094 _____ () C:\WINDOWS\system32\perfh00A.dat
2014-02-13 15:49 - 2011-05-04 14:10 - 00158886 _____ () C:\WINDOWS\system32\perfc00A.dat
2014-02-13 15:49 - 2011-05-04 14:10 - 00149860 _____ () C:\WINDOWS\system32\perfc00C.dat
2014-02-13 15:49 - 2009-07-14 00:13 - 02573054 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-02-13 11:33 - 2010-11-20 22:47 - 00049190 _____ () C:\WINDOWS\PFRO.log
2014-02-13 09:38 - 2014-02-09 11:36 - 00000000 ____D () C:\Users\sdeehan\AppData\Local\ASVworks
2014-02-13 09:35 - 2014-02-13 09:35 - 00000000 ____D () C:\Users\sdeehan\AppData\Roaming\Malwarebytes
2014-02-13 09:35 - 2014-02-13 09:35 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-12 22:09 - 2014-02-12 22:09 - 00000000 ____D () C:\WINDOWS\pss
2014-02-11 15:22 - 2014-01-27 12:40 - 00000000 ____D () C:\WINDOWS\ccmcache
2014-02-11 00:21 - 2014-02-11 00:21 - 00000000 ____S () C:\WINDOWS\system32\nkdm.mvr
2014-02-11 00:20 - 2012-08-23 15:47 - 00000000 ____D () C:\Users\sdeehan
2014-02-11 00:16 - 2012-08-23 15:08 - 00000000 ____D () C:\WINDOWS\ccmsetup
2014-02-10 22:11 - 2014-02-10 22:11 - 00000064 _____ () C:\WINDOWS\system32\zhtngob.rvi
2014-02-10 22:11 - 2014-02-10 22:11 - 00000000 _____ () C:\WINDOWS\system32\lfsefo.ibt
2014-02-10 22:02 - 2014-02-10 22:02 - 00228999 ____S () C:\WINDOWS\system32\mqsmxe.oof
2014-02-10 21:34 - 2014-01-27 12:40 - 00000000 ____D () C:\WINDOWS\CCM
2014-02-10 21:33 - 2014-02-10 21:33 - 00014398 _____ () C:\WINDOWS\system32\CcmFramework.ini
2014-02-10 21:33 - 2014-02-10 21:33 - 00000621 _____ () C:\WINDOWS\system32\CcmFramework.h
2014-02-10 21:33 - 2014-01-27 12:41 - 00003827 _____ () C:\WINDOWS\system32\InstallUtil.InstallLog
2014-02-10 21:32 - 2014-02-10 21:32 - 00000000 ____D () C:\WINDOWS\ms
2014-02-10 21:32 - 2014-01-27 14:29 - 00000000 ____D () C:\WINDOWS\system32\{3DA228BE-34DA-49f4-A081-66465B077429}
2014-02-10 07:33 - 2014-02-10 07:33 - 00000000 ____D () C:\a0efeec8-29bc-4ba1-9e6b-b2362f37e45c_Cache
2014-02-07 08:56 - 2011-05-04 11:41 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-02-04 17:15 - 2014-02-04 16:58 - 00001576 _____ () C:\WINDOWS\comsetup.log
2014-02-04 16:58 - 2009-07-13 22:20 - 00000000 ____D () C:\WINDOWS\registration
2014-01-28 16:00 - 2011-05-04 11:34 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-01-27 15:36 - 2014-01-27 15:36 - 00000000 ____D () C:\ProgramData\1E
2014-01-27 15:36 - 2014-01-27 15:36 - 00000000 ____D () C:\Program Files\1E
2014-01-27 12:55 - 2014-01-27 12:54 - 00001945 _____ () C:\WINDOWS\epplauncher.mif
2014-01-27 12:55 - 2014-01-27 12:54 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-01-27 12:54 - 2014-01-27 12:54 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-01-27 12:50 - 2014-01-27 12:50 - 00000000 ____D () C:\Program Files\Windows Firewall Configuration Provider
2014-01-27 12:39 - 2014-01-27 12:38 - 00000000 ____D () C:\Program Files\Microsoft Policy Platform
2014-01-27 12:39 - 2012-08-23 15:09 - 00000000 ____D () C:\WINDOWS\SysWOW64\CCM
2014-01-27 12:38 - 2009-07-13 22:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-01-26 00:07 - 2010-11-20 22:27 - 00270496 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
ZeroAccess:
C:\Users\sdeehan\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-299502267-343818398-725345543-1237573\$6df8e0a88c80f05baa32b589c7192ba8

Alureon:
C:\Users\sdeehan\AppData\Local\Temp\sdwbprv\sfuuovv\wow.dll

Some content of TEMP:
====================
C:\Users\sdeehan\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\sdeehan\AppData\Local\Temp\O58R9.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 22:24] - [2010-11-20 22:24] - 0513024 ____A (Microsoft Corporation) BAC15C7DDC4587900203909343E9A914

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-02-19 08:20

==================== End Of Log ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 26-02-2014
Ran by sdeehan at 2014-02-25 18:40:08
Running from C:\Users\sdeehan\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: System Center Endpoint Protection (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: System Center Endpoint Protection (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

 Update for Microsoft Office 2007 (KB2508958) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0C5823AA-7B6F-44E1-8D5B-8FD1FF0E6438}) (Version:  - Microsoft)
1E NomadBranch x64 (HKLM\...\{C9F7F3F7-5913-4FF5-BE79-DD8BF4A133D0}) (Version: 5.0.100 - 1E)
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 2 (SP2) (x32 Version:  - Microsoft) Hidden
64 Bit HP CIO Components Installer (Version: 13.2.1 - Hewlett-Packard) Hidden
7Zip64_9.20_R01 (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\{4CFE23CC-779D-4572-A76F-AB60A958BC79}) (Version: 11.8.800.94 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.04)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.04 - Adobe Systems Incorporated)
Avery Toolbar (HKLM-x32\...\{41565256-3700-A76A-76A7-A758B70C0A03}) (Version: 12.10.3.4680 - APN, LLC)
BlueZone (HKLM-x32\...\{E7D97385-3E64-4839-AFA5-A03915046712}) (Version: 5.2c2 - Rocket Software, Inc.)
CalPrintingAssistOutlook2007SP2_12.04518_R01 (HKLM-x32\...\{90120000-00A7-0409-0000-0000000FF1CE}) (Version: 12.0.6425.1000 - Microsoft Corporation)
Canon IJ Network Scan Utility (HKLM-x32\...\Canon_IJ_Network_Scan_UTILITY) (Version:  - )
Canon IJ Network Tool (HKLM-x32\...\Canon_IJ_Network_UTILITY) (Version:  - )
Canon MP Navigator EX 1.0 (HKLM-x32\...\MP Navigator EX 1.0) (Version:  - )
Canon MX700 series (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX700_series) (Version:  - )
Canon My Printer (HKLM\...\CanonMyPrinter) (Version:  - )
Canon Utilities Easy-PhotoPrint EX (HKLM-x32\...\Easy-PhotoPrint EX) (Version:  - )
Canon Utilities Solution Menu (HKLM-x32\...\CanonSolutionMenu) (Version:  - )
Cisco AnyConnect VPN Client (HKLM-x32\...\{92083A9A-549D-4057-88E8-223EA08563FA}) (Version: 2.4.1012 - Cisco Systems, Inc.)
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix online plug-in (DV) (x32 Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (HDX) (x32 Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (HKLM-x32\...\CitrixOnlinePluginFull) (Version: 12.1.44.1 - Citrix Systems, Inc.)
Citrix online plug-in (PNA) (x32 Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (SSON) (x32 Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (USB) (x32 Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Citrix online plug-in (Web) (x32 Version: 12.1.44.1 - Citrix Systems, Inc.) Hidden
Configuration Manager Client (Version: 5.00.7804.1000 - Microsoft Corporation) Hidden
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1208.101.118 - ALPS ELECTRIC CO., LTD.)
DreamFactory Player for Internet Explorer (HKLM-x32\...\DreamFactoryPlayerIE) (Version:  - )
ITDFonts_2.0_R01 (HKLM-x32\...\{7CD8B6A3-7526-4102-B1BD-D328CE3631A9}) (Version: 2.0.0 - ITD)
JavaJRE32_6.0.20_R01 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216020FF}) (Version: 6.0.200 - Sun Microsystems, Inc.)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM-x32\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Endpoint Protection Management Components (Version: 4.3.0215.0 - Microsoft Corporation) Hidden
Microsoft Forefront Endpoint Protection 2010 Server Management (Version: 4.3.0215.0 - Microsoft Corporation) Hidden
Microsoft Office 2007 Primary Interop Assemblies (HKLM-x32\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 2 (SP2) (x32 Version:  - Microsoft) Hidden
Microsoft Office Access MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Access MUI (French) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Access MUI (Spanish) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel 2007 Help Actualización (KB963678) (HKLM-x32\...\{90120000-0016-0C0A-0000-0000000FF1CE}_PROPLUS_{59E09C3D-4878-47D9-87DB-6D0018026889}) (Version:  - Microsoft)
Microsoft Office Excel MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (French) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (Spanish) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (French) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (Spanish) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Language Pack 2007 Service Pack 2 (SP2) (x32 Version:  - Microsoft) Hidden
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook 2007 Help Actualización (KB963677) (HKLM-x32\...\{90120000-001A-0C0A-0000-0000000FF1CE}_PROPLUS_{59C244C2-0C37-4E85-8F7E-DBDD3958B694}) (Version:  - Microsoft)
Microsoft Office Outlook MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (French) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (Spanish) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Powerpoint 2007 Help Actualización (KB963669) (HKLM-x32\...\{90120000-0018-0C0A-0000-0000000FF1CE}_PROPLUS_{F318245D-05AE-4681-A749-A036CE44AF29}) (Version:  - Microsoft)
Microsoft Office PowerPoint MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (French) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (Spanish) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional Plus 2007 (HKLM-x32\...\PROPLUS) (Version: 12.0.6425.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Arabic) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Basque) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Catalan) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Dutch) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Galician) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (German) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Portuguese (Brazil)) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (x32 Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing (French) 2007 (x32 Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing (Spanish) 2007 (x32 Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) (x32 Version:  - Microsoft) Hidden
Microsoft Office Publisher MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (French) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (Spanish) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (French) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (Spanish) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (French) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (Spanish) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Visio Viewer 2007 (HKLM-x32\...\{95120000-0052-0409-0000-0000000FF1CE}) (Version: 12.0.6425.1000 - Microsoft Corporation)
Microsoft Office Word 2007 Help Actualización (KB963665) (HKLM-x32\...\{90120000-001B-0C0A-0000-0000000FF1CE}_PROPLUS_{377BA42A-1C84-45D6-94B8-6D00887D172D}) (Version:  - Microsoft)
Microsoft Office Word MUI (English) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (French) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (Spanish) 2007 (x32 Version: 12.0.6425.1000 - Microsoft Corporation) Hidden
Microsoft Policy Platform (Version: 1.2.3602.0 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.3.0215.0 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.10411.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.31117 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.31121 - Microsoft Corporation) Hidden
Mise à jour Microsoft Office Excel 2007 Help  (KB963678) (HKLM-x32\...\{90120000-0016-040C-0000-0000000FF1CE}_PROPLUS_{B761869A-B85C-40E2-994C-A1CE78AC8F2C}) (Version:  - Microsoft)
Mise à jour Microsoft Office Outlook 2007 Help  (KB963677) (HKLM-x32\...\{90120000-001A-040C-0000-0000000FF1CE}_PROPLUS_{51EFB347-1F3D-4BAC-8B79-F056B904FE21}) (Version:  - Microsoft)
Mise à jour Microsoft Office Powerpoint 2007 Help  (KB963669) (HKLM-x32\...\{90120000-0018-040C-0000-0000000FF1CE}_PROPLUS_{C3DCA38E-005E-41BA-A52A-7C3429F351C3}) (Version:  - Microsoft)
Mise à jour Microsoft Office Word 2007 Help  (KB963665) (HKLM-x32\...\{90120000-001B-040C-0000-0000000FF1CE}_PROPLUS_{81536A04-DBFB-4DB3-978F-0F284590C223}) (Version:  - Microsoft)
Office2003To2007TransTool_1.0_R01 (HKLM-x32\...\{65A5B541-C1C3-4511-9DAE-3960803EFB94}) (Version: 1.0.0 - <no manufacturer>)
OfficeTemplates_2.5_R01 (HKLM-x32\...\{B0CA6969-C538-4871-B658-CCCCB9E02F88}) (Version: 2.5 - Microsoft)
Presto! PageManager 7.15.16 (HKLM-x32\...\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}) (Version: 7.15.16 - NewSoft Technology Corporation)
Salesforce for Outlook (HKLM-x32\...\{3B037825-A72D-4B41-BA9F-BC8EDC9254FA}) (Version: 2.3.05.1231 - salesforce.com)
SCCMShortCutsWin764_1.0_R01 (x32 Version: 1.0 - Microsoft) Hidden
SQLServerNativeClient2008W764_10.0.1600.22_R01 (HKLM\...\{C79A7EAB-9D6F-4072-8A6D-F8F54957CD93}) (Version: 10.0.1600.22 - Microsoft Corporation)
System Center Endpoint Protection (HKLM\...\Microsoft Security Client) (Version: 4.3.215.0 - Microsoft Corporation)
UniPrint Client 5.0 (HKLM-x32\...\{1C6BF09D-6356-4EAE-97D9-556119A2C69C}) (Version: 5.0.0 - UniPrint)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2836939) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (HKLM-x32\...\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (HKLM-x32\...\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (HKLM-x32\...\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2600217) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2836939) (HKLM-x32\...\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}.KB2836939) (Version: 1 - Microsoft Corporation)
Update for Microsoft Office 2007 Help for Common Features (KB963673) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{AB365889-0395-4FAD-B702-CA5985D53D42}) (Version:  - Microsoft)
Update for Microsoft Office Access 2007 Help (KB963663) (HKLM-x32\...\{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}) (Version:  - Microsoft)
Update for Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{199DF7B6-169C-448C-B511-1054101BE9C9}) (Version:  - Microsoft)
Update for Microsoft Office Infopath 2007 Help (KB963662) (HKLM-x32\...\{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{716B81B8-B13C-41DF-8EAC-7A2F656CAB63}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2412171) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{752A0B7C-BD24-4362-AC86-AB63FEE6F46F}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 Help (KB963677) (HKLM-x32\...\{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{0451F231-E3E3-4943-AB9F-58EB96171784}) (Version:  - Microsoft)
Update for Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{397B1D4F-ED7B-4ACA-A637-43B670843876}) (Version:  - Microsoft)
Update for Microsoft Office Publisher 2007 Help (KB963667) (HKLM-x32\...\{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2E40DE55-B289-4C8B-8901-5D369B16814F}) (Version:  - Microsoft)
Update for Microsoft Office Script Editor Help (KB963671) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{CD11C6A2-FFC6-4271-8EAB-79C3582F505C}) (Version:  - Microsoft)
Update for Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{80E762AA-C921-4839-9D7D-DB62A72C0726}) (Version:  - Microsoft)
Update for Outlook 2007 Junk Email Filter (KB2522999) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{CC8A81F7-5A36-4DE9-ABB3-5499132062C5}) (Version:  - Microsoft)
USMT 4.0 (HKLM-x32\...\{EF578891-941C-4622-A772-3AC322BF33E0}) (Version: 4.0 - RockTenn)
WebExMeetingCtr_8.5.17_R01 (HKLM-x32\...\{62C447B4-C668-457B-ABB2-D2D31904CEB9}) (Version: 8.5.1700 - Cisco WebEx LLC)
Windows Firewall Configuration Provider (HKLM\...\{109A5A16-E09E-4B82-A784-D1780F1190D6}) (Version: 1.2.3412.0 - Microsoft Corporation)

==================== Restore Points  =========================

03-02-2014 13:11:52 Windows Update
06-02-2014 14:36:40 Windows Update
10-02-2014 12:47:41 Windows Update
13-02-2014 17:11:57 Windows Update
19-02-2014 12:39:58 Windows Update
19-02-2014 13:31:30 Windows Update
20-02-2014 19:31:33 Windows Update
21-02-2014 22:37:00 Windows Update
24-02-2014 15:21:11 Windows Update
24-02-2014 19:40:07 Windows Update
25-02-2014 19:59:00 Windows Update

==================== Hosts content: ==========================

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {109EEEF6-B224-4BD8-B0AD-E58390BC02F8} - System32\Tasks\Rocktenn Reboot Routine => C:\WINDOWS\temp\RebootRoutine.exe
Task: {1B1C5873-7A17-4CE7-957B-65FC86CCEDFA} - System32\Tasks\Citrix Cache Cleanup => Cscript.exe C:\RockTenn\Scripts\CleanupAppData_CitrixPlugin.vbs
Task: {1D431C78-4DF1-4C19-A890-05E21282F03D} - System32\Tasks\RockTenn\Scanstate => C:\Program Files (x86)\USMT\USMT4\SilentUSMT.vbs [2010-10-15] ()
Task: {3297DC4A-7F52-4295-B431-E54244F98CE4} - System32\Tasks\SSCC\SSCCUpdates-System => Wscript.exe C:\Windows\SSCCUtils\SSCCUpdates.vbe /Local
Task: {4A877FE8-DB63-4822-A178-46F957763C0E} - System32\Tasks\SSCC\SSCCUpdates-User => Wscript.exe C:\Windows\SSCCUtils\SSCCUpdates.vbe /Remote
Task: {A6BC18A5-24B2-419A-B919-82A1D706914A} - System32\Tasks\SSCC\Scanstate => C:\Program Files (x86)\USMT\USMT4\SilentUSMT.vbs [2010-10-15] ()
Task: {A7F9FD7B-A195-4497-BE40-156AC337C054} - System32\Tasks\SSCC\SetOU => Wscript.exe C:\Windows\SSCCUtils\SetOU7.vbe
Task: {B489F2AC-762F-4E6A-9AF7-3B658489B564} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Idle Detection
Task: {D0BAB76E-F6F8-464C-BE19-AFB1AE3AB711} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Health Evaluation => C:\WINDOWS\CCM\ccmeval.exe [2012-11-21] (Microsoft Corporation)
Task: {E20B58BD-4A3C-44F2-8EA5-6C4B203BBF8E} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-02] (Adobe Systems Incorporated)
Task: {EC055407-0B54-49F0-A048-14858C4BD39C} - System32\Tasks\SSCC\SSCCUpdates-Maintenance => C:\Windows\SSCCUtils\SSCCUpdates.exe [2010-07-12] (Smurfit-Stone Container Corp.)
Task: {EF026821-D9D9-4AF1-9035-564343DD6178} - System32\Tasks\SSCC\LocalReboot => Wscript.exe C:\Windows\SSCCUtils\LocalReboot.vbe
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Disabled items from MSCONFIG ==============

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Online plug-in.lnk => C:\WINDOWS\pss\Online plug-in.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Salesforce for Outlook.lnk => C:\WINDOWS\pss\Salesforce for Outlook.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: ApnTBMon => "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
MSCONFIG\startupreg: CanonMyPrinter => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
MSCONFIG\startupreg: CanonSolutionMenu => C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon
MSCONFIG\startupreg: ConnectionCenter => "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
MSCONFIG\startupreg: MSC => "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey
MSCONFIG\startupreg: Persistence => C:\WINDOWS\system32\igfxpers.exe
MSCONFIG\startupreg: SysTrayApp => C:\Program Files\IDT\WDM\sttray64.exe
MSCONFIG\startupreg: UniPrint Client Init => C:\Program Files (x86)\UniPrint Suite\Client\UPCInit.exe
MSCONFIG\startupreg: WrtMon.exe => C:\WINDOWS\system32\spool\drivers\x64\3\WrtMon.exe

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Symantec Endpoint Protection Firewall
Description: Symantec Endpoint Protection Firewall
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: Teefer3
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Canon MX700 ser Network
Description: Canon MX700 ser Network
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Canon
Service: StillCam
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
Description: Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: vpnva
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/25/2014 04:06:46 PM) (Source: AutoEnrollment) (User: )
Description: NA\sdeehan0x8007003aThe specified server cannot perform the requested operation.

Error: (02/25/2014 08:06:46 AM) (Source: AutoEnrollment) (User: )
Description: NA\sdeehan0x8007003aThe specified server cannot perform the requested operation.

Error: (02/25/2014 08:05:52 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/25/2014 07:34:08 AM) (Source: AutoEnrollment) (User: )
Description: NA\sdeehan0x8007003aThe specified server cannot perform the requested operation.

Error: (02/25/2014 07:33:23 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/25/2014 07:28:15 AM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe_DcomLaunch, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000004eb68f
Faulting process id: 0x30c
Faulting application start time: 0xsvchost.exe_DcomLaunch0
Faulting application path: svchost.exe_DcomLaunch1
Faulting module path: svchost.exe_DcomLaunch2
Report Id: svchost.exe_DcomLaunch3

Error: (02/25/2014 06:30:37 AM) (Source: AutoEnrollment) (User: )
Description: NA\sdeehan0x8007003aThe specified server cannot perform the requested operation.

Error: (02/24/2014 10:30:16 PM) (Source: AutoEnrollment) (User: )
Description: NA\sdeehan0x8007003aThe specified server cannot perform the requested operation.

Error: (02/24/2014 10:29:25 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/24/2014 07:12:26 PM) (Source: Application Error) (User: )
Description: Faulting application name: dllhost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc6b7
Faulting module name: MSHTML.dll, version: 10.0.9200.16736, time stamp: 0x5258d8f5
Exception code: 0xc0000005
Fault offset: 0x00295b1e
Faulting process id: 0x27d4
Faulting application start time: 0xdllhost.exe0
Faulting application path: dllhost.exe1
Faulting module path: dllhost.exe2
Report Id: dllhost.exe3

System errors:
=============
Error: (02/25/2014 04:30:23 PM) (Source: Microsoft-Windows-GroupPolicy) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (02/25/2014 04:27:39 PM) (Source: Microsoft-Windows-GroupPolicy) (User: NA)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (02/25/2014 04:27:39 PM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain NA due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (02/25/2014 04:15:38 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.167.491.0

 Update Source: %NT AUTHORITY49

 Update Stage: 4.3.0215.00

 Source Path: 4.3.0215.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (02/25/2014 02:59:52 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070216: Security Update for Windows 7 for x64-based Systems (KB2862330).

Error: (02/25/2014 02:59:44 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070216: Security Update for Windows 7 for x64-based Systems (KB2913602).

Error: (02/25/2014 00:11:08 PM) (Source: NETLOGON) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain NA due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (02/25/2014 00:07:21 PM) (Source: Service Control Manager) (User: )
Description: The Microsoft Policy Platform Local Authority service failed to start due to the following error:
%%1083

Error: (02/25/2014 00:07:21 PM) (Source: DCOM) (User: )
Description: 1083lpasvc{12F246F3-DF68-4252-AE6B-07B9CF73B99A}

Error: (02/25/2014 08:07:59 AM) (Source: TermService) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.

Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Percentage of memory in use: 68%
Total physical RAM: 3994.27 MB
Available physical RAM: 1266.11 MB
Total Pagefile: 7986.71 MB
Available Pagefile: 5271.59 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: (OSDisk) (Fixed) (Total:465.47 GB) (Free:417.27 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 2E8EEA5A)
Partition 1: (Active) - (Size=300 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Here is the result of that -


Farbar Recovery Scan Tool (x64) Version: 26-02-2014

Ran by sdeehan at 2014-02-25 19:18:26

Running from C:\Users\sdeehan\Desktop

Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll

[2010-11-20 22:24] - [2010-11-20 22:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\System32\rpcss.dll

[2010-11-20 22:24] - [2010-11-20 22:24] - 0513024 ____A (Microsoft Corporation) BAC15C7DDC4587900203909343E9A914

====== End Of Search ======


You have a ZeroAccess Rootkit infection. If you use this PC for any financial transactions or on-line banking you should inform the companies concerned that your system may have been compromised by a hacker and change all passwords used on a clean machine. Do not use this machine again to log into any accounts or make any on-line purchases until we are sure it is clean.

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced logs...

fixlist.txt


Here is the result -

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-02-2014
Ran by sdeehan at 2014-02-25 19:33:48 Run:1
Running from C:\Users\sdeehan\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Run: [Google Update*] - [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoWindowsUpdate] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoSMMyPictures] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoStartMenuMyMusic] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [ForceStartMenuLogOff] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoSMConfigurePrograms] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoAutoUpdate] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoSharedDocuments] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [DisallowCpl] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\sdeehan\AppData\Local\Temp\sdwbprv\sfuuovv\wow.dll ATTENTION! ====> ZeroAccess?
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset
U4 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{6df8e0a8-8c80-f05b-aa32-b589c7192ba8}\   \...\???\{6df8e0a8-8c80-f05b-aa32-b589c7192ba8}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S1 netdeezn; \??\C:\WINDOWS\system32\drivers\netdeezn.sys [X]
S1 Teefer3; system32\DRIVERS\Teefer3.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\sdeehan\AppData\Local\Google\Desktop\Install
C:\Program Files (x86)\Google\Desktop\Install
C:\$Recycle.Bin\S-1-5-21-299502267-343818398-725345543-1237573\$6df8e0a88c80f05baa32b589c7192ba8
C:\Users\sdeehan\AppData\Local\Temp\sdwbprv\sfuuovv\wow.dll
C:\Users\sdeehan\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\sdeehan\AppData\Local\Temp\O58R9.exe
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
End
*****************

HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoWindowsUpdate => Value deleted successfully.
HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSMMyPictures => Value deleted successfully.
HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoStartMenuMyMusic => Value deleted successfully.
HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ForceStartMenuLogOff => Value deleted successfully.
HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSMConfigurePrograms => Value deleted successfully.
HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoAutoUpdate => Value deleted successfully.
HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSharedDocuments => Value deleted successfully.
HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\DisallowCpl => Value deleted successfully.
HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoWelcomeScreen => Value deleted successfully.
HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully.
HKCR\PROTOCOLS\Filter\application/x-ica => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica; charset=euc-jp => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica; charset=ISO-8859-1 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS936 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS949 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS950 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica; charset=UTF-8 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica; charset=UTF8 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica;charset=euc-jp => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica;charset=ISO-8859-1 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS936 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS949 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS950 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica;charset=UTF-8 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\application/x-ica;charset=UTF8 => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
HKCR\PROTOCOLS\Filter\ica => Key deleted successfully.
HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC} => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll

=========  netsh winsock reset =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

*etadpug => Service deleted successfully.
netdeezn => Service deleted successfully.
Teefer3 => Service deleted successfully.
VGPU => Service deleted successfully.
C:\Users\sdeehan\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Program Files (x86)\Google\Desktop\Install => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-299502267-343818398-725345543-1237573\$6df8e0a88c80f05baa32b589c7192ba8 => Moved successfully.
C:\Users\sdeehan\AppData\Local\Temp\sdwbprv\sfuuovv\wow.dll => Moved successfully.
C:\Users\sdeehan\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.
C:\Users\sdeehan\AppData\Local\Temp\O58R9.exe => Moved successfully.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll

==== End of Fixlog ====


Yep, it is written in the log.....

 

 

=========  netsh winsock reset =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

 

You can do that after Malwarebytes completes. Once the re-boot is done, run another scan with FRST; only one log will be produced. Post that with the MB log...

 

Thanks,

 

Kevin...


Here are the logs from the MB quick scan - before I re-booted it did not detect any malicious items - log posted below. But after the re-boot, a pop-up message showed up and stated that MB blocked and quarantined an item -

 

I am going to run FRST now and post that log in my next message.

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.02.25.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16736
sdeehan :: LHK1TBT1 [administrator]

Protection: Enabled

2/25/2014 7:37:52 PM
mbam-log-2014-02-25 (19-37-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1012876
Time elapsed: 1 hour(s), 49 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Here is the log from the FRST scan -

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-02-2014
Ran by sdeehan (administrator) on LHK1TBT1 on 25-02-2014 22:01:51
Running from C:\Users\sdeehan\Desktop
Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\STacSV64.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
(Microsoft Corporation) C:\WINDOWS\system32\WLANExt.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(APN LLC.) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
(1E) C:\Program Files\1E\NomadBranch\NomadBranch.exe
(O2Micro International) C:\WINDOWS\system32\DRIVERS\o2flash.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\HidFind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apntex.exe
(APN) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
(Microsoft Corporation) C:\WINDOWS\CCM\CcmExec.exe
(Smurfit-Stone Container Corp.) C:\Windows\SSCCUtils\SSCCUpdates.exe
(Microsoft Corporation) C:\WINDOWS\CCM\RemCtrl\CmRcService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\WINDOWS\CCM\SCNotification.exe
(Microsoft Corporation) C:\WINDOWS\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [608112 2011-07-07] (Alps Electric Co., Ltd.)
HKLM-x32\...\Run: [ApnTBMon] - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1758160 2014-02-13] (APN)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKLM\...\Policies\Explorer: [NoPublishingWizard] 1
HKLM\...\Policies\Explorer: [NoWebServices] 1
HKU\.DEFAULT\...\RunOnce: [Microsoft Security Client] - C:\Program Files\Microsoft Security Client\msseces.exe [1356240 2013-06-20] (Microsoft Corporation)
HKU\S-1-5-19\...\Run: [sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\sdeehan\AppData\Local\Temp\sdwbprv\sfuuovv\wow.dll ATTENTION! ====> ZeroAccess?

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.rocktenn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.rocktenn.com
SearchScopes: HKCU - {B821BB6D-0EDE-4AFF-ABCD-4514A6C859C7} URL = http://www.search.ask.com/web?tpid=AVRV7&o=APN11068&pf=V7&p2=%5EB5N%5EYYYYYY%5EYY%5EUS&gct=&itbv=12.7.0.2446&apn_uid=C1DE8697-D53D-41C2-A719-5493F29D902F&apn_ptnrs=%5EB5N&apn_dtid=%5EYYYYYY%5EYY%5EUS&apn_dbr=iexplore.exe_6_10.0.9200.16660&doi=2013-12-17&trgb=IE&q={searchTerms}&psv=
BHO: Avery Toolbar - {41565256-3700-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\AVRV7\Passport_x64.dll (APN LLC.)
BHO-x32: Avery Toolbar - {41565256-3700-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\AVRV7\Passport.dll (APN LLC.)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - Avery Toolbar - {41565256-3700-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\AVRV7\Passport_x64.dll (APN LLC.)
Toolbar: HKLM-x32 - Avery Toolbar - {41565256-3700-A76A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\AVRV7\Passport.dll (APN LLC.)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
Tcpip\Parameters: [DhcpNameServer] 68.94.156.1 68.94.157.1 192.168.1.1

==================== Services (Whitelisted) =================

R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [166352 2014-02-13] (APN LLC.)
R2 CcmExec; C:\WINDOWS\CCM\CcmExec.exe [1842352 2013-08-31] (Microsoft Corporation)
R2 CmRcService; C:\WINDOWS\CCM\RemCtrl\CmRcService.exe [633952 2012-11-21] (Microsoft Corporation)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-06-20] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-06-20] (Microsoft Corporation)
R2 NomadBranch; C:\Program Files\1E\NomadBranch\NomadBranch.exe [2160952 2013-03-07] (1E)
S3 smstsmgr; C:\WINDOWS\CCM\TSManager.exe [401584 2013-08-31] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 d554gps; C:\Windows\system32\drivers\d554gps64.sys [101416 2011-07-07] (Ericsson AB)
S3 ecnssndis; C:\Windows\System32\Drivers\wwuss64.sys [26664 2011-07-07] (Ericsson AB)
S3 ecnssndisfltr; C:\Windows\System32\Drivers\wwussf64.sys [30248 2011-07-07] (Ericsson AB)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 Mbm3CBus; C:\Windows\system32\drivers\Mbm3CBus.sys [411208 2011-07-07] (MCCI Corporation)
S3 Mbm3DevMt; C:\Windows\system32\drivers\Mbm3DevMt.sys [419912 2011-07-07] (MCCI Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [247216 2013-06-18] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [139616 2013-06-18] (Microsoft Corporation)
S3 nwdelgobi3kfilter; C:\Windows\system32\drivers\nwdelgobi3kfilter.sys [34304 2011-07-07] (Novatel Wireless Inc)
S3 nwdelserial; C:\Windows\system32\drivers\nwdelserial.sys [234112 2011-07-07] (Novatel Wireless Inc.)
R3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [26984 2012-11-21] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-02-25 19:18 - 2014-02-25 19:21 - 00000630 _____ () C:\Users\sdeehan\Desktop\Search.txt
2014-02-25 18:40 - 2014-02-25 18:40 - 00031292 _____ () C:\Users\sdeehan\Desktop\Addition.txt
2014-02-25 18:39 - 2014-02-25 22:01 - 00007846 _____ () C:\Users\sdeehan\Desktop\FRST.txt
2014-02-25 18:39 - 2014-02-25 22:01 - 00000000 ____D () C:\FRST
2014-02-25 18:38 - 2014-02-25 18:38 - 02155520 _____ (Farbar) C:\Users\sdeehan\Desktop\FRST64.exe
2014-02-25 15:37 - 2014-02-25 15:37 - 00021936 _____ () C:\Users\sdeehan\Desktop\attach.txt
2014-02-25 15:37 - 2014-02-25 15:37 - 00018738 _____ () C:\Users\sdeehan\Desktop\dds.txt
2014-02-25 15:35 - 2014-02-25 15:36 - 00688992 ____R (Swearware) C:\Users\sdeehan\Desktop\dds.scr
2014-02-25 06:15 - 2014-02-25 06:15 - 00001119 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-25 06:14 - 2014-02-25 06:15 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-25 06:14 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2014-02-24 18:08 - 2014-02-24 18:11 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\sdeehan\Desktop\mbam-setup-1.75.0.1300.exe
2014-02-13 09:35 - 2014-02-13 09:35 - 00000000 ____D () C:\Users\sdeehan\AppData\Roaming\Malwarebytes
2014-02-13 09:35 - 2014-02-13 09:35 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-12 22:09 - 2014-02-12 22:09 - 00000000 ____D () C:\WINDOWS\pss
2014-02-11 00:21 - 2014-02-11 00:21 - 00000000 ____S () C:\WINDOWS\system32\nkdm.mvr
2014-02-10 22:25 - 2014-02-25 21:23 - 00000074 _____ () C:\WINDOWS\system32\cwvulob.dac
2014-02-10 22:11 - 2014-02-10 22:11 - 00000064 _____ () C:\WINDOWS\system32\zhtngob.rvi
2014-02-10 22:11 - 2014-02-10 22:11 - 00000000 _____ () C:\WINDOWS\system32\lfsefo.ibt
2014-02-10 22:02 - 2014-02-10 22:02 - 00228999 ____S () C:\WINDOWS\system32\mqsmxe.oof
2014-02-10 21:33 - 2014-02-10 21:33 - 00014398 _____ () C:\WINDOWS\system32\CcmFramework.ini
2014-02-10 21:33 - 2014-02-10 21:33 - 00000621 _____ () C:\WINDOWS\system32\CcmFramework.h
2014-02-10 21:32 - 2014-02-10 21:32 - 00000000 ____D () C:\WINDOWS\ms
2014-02-10 07:33 - 2014-02-10 07:33 - 00000000 ____D () C:\a0efeec8-29bc-4ba1-9e6b-b2362f37e45c_Cache
2014-02-09 11:36 - 2014-02-13 09:38 - 00000000 ____D () C:\Users\sdeehan\AppData\Local\ASVworks
2014-02-04 16:58 - 2014-02-04 17:15 - 00001576 _____ () C:\WINDOWS\comsetup.log
2014-01-27 15:36 - 2014-01-27 15:36 - 00000000 ____D () C:\ProgramData\1E
2014-01-27 15:36 - 2014-01-27 15:36 - 00000000 ____D () C:\Program Files\1E
2014-01-27 15:33 - 2013-10-12 03:45 - 02241536 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2014-01-27 15:33 - 2013-10-12 03:45 - 01364992 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2014-01-27 15:33 - 2013-10-12 03:45 - 00051712 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2014-01-27 15:33 - 2013-10-12 03:43 - 03959808 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 02648576 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00855552 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00603136 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00526336 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieui.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00136704 _____ (Microsoft Corporation) C:\WINDOWS\system32\iesysprep.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00067072 _____ (Microsoft Corporation) C:\WINDOWS\system32\iesetup.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00053248 _____ (Microsoft Corporation) C:\WINDOWS\system32\jsproxy.dll
2014-01-27 15:33 - 2013-10-12 03:43 - 00039936 _____ (Microsoft Corporation) C:\WINDOWS\system32\iernonce.dll
2014-01-27 15:33 - 2013-10-12 02:03 - 01767936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2014-01-27 15:33 - 2013-10-12 02:03 - 01138176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 02877952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 02049024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00690688 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00493056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00391168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieui.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00109056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iesysprep.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00061440 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iesetup.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00039424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jsproxy.dll
2014-01-27 15:33 - 2013-10-12 02:02 - 00033280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iernonce.dll
2014-01-27 15:33 - 2013-10-12 01:35 - 02706432 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.tlb
2014-01-27 15:33 - 2013-10-12 01:08 - 02706432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.tlb
2014-01-27 15:33 - 2013-10-12 00:44 - 00089600 _____ (Microsoft Corporation) C:\WINDOWS\system32\RegisterIEPKEYs.exe
2014-01-27 15:33 - 2013-10-12 00:15 - 00071680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\RegisterIEPKEYs.exe
2014-01-27 15:32 - 2013-10-12 03:43 - 19269632 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2014-01-27 15:32 - 2013-10-12 03:43 - 15404544 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2014-01-27 15:32 - 2013-10-12 02:02 - 14355968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2014-01-27 15:32 - 2013-10-12 02:02 - 13761024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2014-01-27 14:29 - 2014-02-10 21:32 - 00000000 ____D () C:\WINDOWS\system32\{3DA228BE-34DA-49f4-A081-66465B077429}
2014-01-27 12:54 - 2014-01-27 12:55 - 00001945 _____ () C:\WINDOWS\epplauncher.mif
2014-01-27 12:54 - 2014-01-27 12:55 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-01-27 12:54 - 2014-01-27 12:54 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-01-27 12:50 - 2014-01-27 12:50 - 00000000 ____D () C:\Program Files\Windows Firewall Configuration Provider
2014-01-27 12:41 - 2014-02-10 21:33 - 00003827 _____ () C:\WINDOWS\system32\InstallUtil.InstallLog
2014-01-27 12:40 - 2014-02-11 15:22 - 00000000 ____D () C:\WINDOWS\ccmcache
2014-01-27 12:40 - 2014-02-10 21:34 - 00000000 ____D () C:\WINDOWS\CCM
2014-01-27 12:38 - 2014-01-27 12:39 - 00000000 ____D () C:\Program Files\Microsoft Policy Platform

==================== One Month Modified Files and Folders =======

2014-02-25 22:02 - 2014-02-25 18:39 - 00007846 _____ () C:\Users\sdeehan\Desktop\FRST.txt
2014-02-25 22:01 - 2014-02-25 18:39 - 00000000 ____D () C:\FRST
2014-02-25 21:48 - 2012-08-23 15:05 - 01435123 _____ () C:\WINDOWS\WindowsUpdate.log
2014-02-25 21:46 - 2009-07-13 23:45 - 00019120 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-25 21:46 - 2009-07-13 23:45 - 00019120 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-25 21:41 - 2012-08-23 15:08 - 00000568 _____ () C:\WINDOWS\SMSCFG.INI
2014-02-25 21:38 - 2009-07-14 00:08 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-02-25 21:38 - 2009-07-13 23:51 - 00043309 _____ () C:\WINDOWS\setupact.log
2014-02-25 21:23 - 2014-02-10 22:25 - 00000074 _____ () C:\WINDOWS\system32\cwvulob.dac
2014-02-25 21:07 - 2013-10-02 08:30 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2014-02-25 19:21 - 2014-02-25 19:18 - 00000630 _____ () C:\Users\sdeehan\Desktop\Search.txt
2014-02-25 18:40 - 2014-02-25 18:40 - 00031292 _____ () C:\Users\sdeehan\Desktop\Addition.txt
2014-02-25 18:38 - 2014-02-25 18:38 - 02155520 _____ (Farbar) C:\Users\sdeehan\Desktop\FRST64.exe
2014-02-25 15:37 - 2014-02-25 15:37 - 00021936 _____ () C:\Users\sdeehan\Desktop\attach.txt
2014-02-25 15:37 - 2014-02-25 15:37 - 00018738 _____ () C:\Users\sdeehan\Desktop\dds.txt
2014-02-25 15:36 - 2014-02-25 15:35 - 00688992 ____R (Swearware) C:\Users\sdeehan\Desktop\dds.scr
2014-02-25 14:51 - 2012-08-23 15:47 - 00119564 __RSH () C:\ProgramData\ntuser.pol
2014-02-25 14:28 - 2012-08-23 15:06 - 00000352 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2014-02-25 06:15 - 2014-02-25 06:15 - 00001119 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-02-25 06:15 - 2014-02-25 06:14 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-02-24 18:11 - 2014-02-24 18:08 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\sdeehan\Desktop\mbam-setup-1.75.0.1300.exe
2014-02-21 16:56 - 2013-11-22 13:41 - 00000000 ____D () C:\Users\sdeehan\Desktop\Smithfield Call Reports
2014-02-21 15:20 - 2009-07-13 22:20 - 00000000 ____D () C:\WINDOWS\system32\NDF
2014-02-20 13:23 - 2013-10-28 10:12 - 00116899 _____ () C:\Users\sdeehan\Desktop\Inline Open Order Sheet 10-28-13.xlsx
2014-02-20 12:01 - 2012-08-23 15:12 - 00000000 ____D () C:\Users\SvcPCNet
2014-02-13 16:27 - 2013-02-21 08:11 - 00000000 ____D () C:\Users\sdeehan\Desktop\My Accounts
2014-02-13 15:49 - 2011-05-04 14:10 - 00748302 _____ () C:\WINDOWS\system32\perfh00C.dat
2014-02-13 15:49 - 2011-05-04 14:10 - 00748094 _____ () C:\WINDOWS\system32\perfh00A.dat
2014-02-13 15:49 - 2011-05-04 14:10 - 00158886 _____ () C:\WINDOWS\system32\perfc00A.dat
2014-02-13 15:49 - 2011-05-04 14:10 - 00149860 _____ () C:\WINDOWS\system32\perfc00C.dat
2014-02-13 15:49 - 2009-07-14 00:13 - 02573054 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-02-13 11:33 - 2010-11-20 22:47 - 00049190 _____ () C:\WINDOWS\PFRO.log
2014-02-13 09:38 - 2014-02-09 11:36 - 00000000 ____D () C:\Users\sdeehan\AppData\Local\ASVworks
2014-02-13 09:35 - 2014-02-13 09:35 - 00000000 ____D () C:\Users\sdeehan\AppData\Roaming\Malwarebytes
2014-02-13 09:35 - 2014-02-13 09:35 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-02-12 22:09 - 2014-02-12 22:09 - 00000000 ____D () C:\WINDOWS\pss
2014-02-11 15:22 - 2014-01-27 12:40 - 00000000 ____D () C:\WINDOWS\ccmcache
2014-02-11 00:21 - 2014-02-11 00:21 - 00000000 ____S () C:\WINDOWS\system32\nkdm.mvr
2014-02-11 00:20 - 2012-08-23 15:47 - 00000000 ____D () C:\Users\sdeehan
2014-02-11 00:16 - 2012-08-23 15:08 - 00000000 ____D () C:\WINDOWS\ccmsetup
2014-02-10 22:11 - 2014-02-10 22:11 - 00000064 _____ () C:\WINDOWS\system32\zhtngob.rvi
2014-02-10 22:11 - 2014-02-10 22:11 - 00000000 _____ () C:\WINDOWS\system32\lfsefo.ibt
2014-02-10 22:02 - 2014-02-10 22:02 - 00228999 ____S () C:\WINDOWS\system32\mqsmxe.oof
2014-02-10 21:34 - 2014-01-27 12:40 - 00000000 ____D () C:\WINDOWS\CCM
2014-02-10 21:33 - 2014-02-10 21:33 - 00014398 _____ () C:\WINDOWS\system32\CcmFramework.ini
2014-02-10 21:33 - 2014-02-10 21:33 - 00000621 _____ () C:\WINDOWS\system32\CcmFramework.h
2014-02-10 21:33 - 2014-01-27 12:41 - 00003827 _____ () C:\WINDOWS\system32\InstallUtil.InstallLog
2014-02-10 21:32 - 2014-02-10 21:32 - 00000000 ____D () C:\WINDOWS\ms
2014-02-10 21:32 - 2014-01-27 14:29 - 00000000 ____D () C:\WINDOWS\system32\{3DA228BE-34DA-49f4-A081-66465B077429}
2014-02-10 07:33 - 2014-02-10 07:33 - 00000000 ____D () C:\a0efeec8-29bc-4ba1-9e6b-b2362f37e45c_Cache
2014-02-07 08:56 - 2011-05-04 11:41 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-02-04 17:15 - 2014-02-04 16:58 - 00001576 _____ () C:\WINDOWS\comsetup.log
2014-02-04 16:58 - 2009-07-13 22:20 - 00000000 ____D () C:\WINDOWS\registration
2014-01-28 16:00 - 2011-05-04 11:34 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-01-27 15:36 - 2014-01-27 15:36 - 00000000 ____D () C:\ProgramData\1E
2014-01-27 15:36 - 2014-01-27 15:36 - 00000000 ____D () C:\Program Files\1E
2014-01-27 12:55 - 2014-01-27 12:54 - 00001945 _____ () C:\WINDOWS\epplauncher.mif
2014-01-27 12:55 - 2014-01-27 12:54 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-01-27 12:54 - 2014-01-27 12:54 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-01-27 12:50 - 2014-01-27 12:50 - 00000000 ____D () C:\Program Files\Windows Firewall Configuration Provider
2014-01-27 12:39 - 2014-01-27 12:38 - 00000000 ____D () C:\Program Files\Microsoft Policy Platform
2014-01-27 12:39 - 2012-08-23 15:09 - 00000000 ____D () C:\WINDOWS\SysWOW64\CCM
2014-01-27 12:38 - 2009-07-13 22:20 - 00000000 ____D () C:\Program Files\Common Files\Microsoft Shared
2014-01-26 00:07 - 2010-11-20 22:27 - 00270496 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-02-19 08:20

==================== End Of Log ============================

 


Yes, I would like to see the log; if it exceeds the forum character limit you can attach the file. Select the "More Reply Options" tab under the reply box, which opens new reply options. Now select the "Browse" tab to navigate to the file, select that file, then select "Attach This File". That can be done multiple times if there are multiple files to attach.

 

The FRST log still shows evidence of ZeroAccess, so we continue...

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

1. Download Malwarebytes Anti-Rootkit from this link:

http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

Image1.png

 

4. Double-click on the mbar.exe file; you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run, and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

mbarwm.png

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you log in, MBAR will automatically start and you will now be at the start screen. (If there is no rootkit warning you will go from step 4 to step 6.)

 

6. The following image opens, select Next.

 

Image2.png

 

7. The following image opens, select Update

 

Image3.png

 

8. When the update completes select Next.

 

Image4.png

 

9. In the following window ensure "Targets" are ticked, then select "Scan".

 

Image5.png

 

10. If an infection is found, select the "Cleanup" button to remove threats; reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

MBAntiRKcleanA.png

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image; select Exit:

 

Image6.png

 

13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall
 

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included in the Malwarebytes Anti-Rootkit folder.

 

15. Press "Y" on your keyboard, then tap Enter.

 

16. The fix will be applied; press any key to exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

  • System log
  • Mbar log (the date and time of the scan will also be shown)

 

Next,

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click on the IE shortcut and run it as admin.

 

Go to the ESET web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use, then click Start
  • When asked, allow the add-on to be installed, then click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked, then click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

If no threats were found:

  • Put a checkmark in "Uninstall application on close"
  • Close the program
  • Report to me that nothing was found

 

If threats were found:

  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN on the desktop
  • Click on Back
  • Put a checkmark in "Uninstall application on close"
  • Click on Finish
  • Close the program
  • Copy and paste the report in your next reply

 

Thanks,

 

Kevin...

fixlist.txt


Here is the Log from running FRST

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-02-2014
Ran by sdeehan at 2014-02-26 07:38:07 Run:2
Running from C:\Users\sdeehan\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
HKU\S-1-5-21-299502267-343818398-725345543-1237573\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\sdeehan\AppData\Local\Temp\sdwbprv\sfuuovv\wow.dll ATTENTION! ====> ZeroAccess?
End
*****************

HKU\S-1-5-21-299502267-343818398-725345543-1237573\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully.

==== End of Fixlog ====

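The two kinds of evidence this thread turns on are both visible in the logs above: the "One Month Modified" listing shows small, unsigned, randomly named files with odd extensions appearing in system32 (cwvulob.dac, nkdm.mvr, zhtngob.rvi, lfsefo.ibt, mqsmxe.oof; two of them with the System attribute set), and the fixlist shows a CLSID under the user's hive whose InprocServer32 default value was redirected from shell32 to a \\?\globalroot device path under the user's Temp folder. The script below is an added example written for this page; it is not code from the thread, from FRST or from Malwarebytes. It parses FRST-format lines and applies those two heuristics. The known-extension list, the 30-day window, the "random name" test, the score threshold and the reason strings are all assumptions made for the example; the sample lines are copied from the logs posted above in this thread (the `...409d6c4515e9` truncation is FRST's own and is left as printed).

```python
"""Triage FRST log lines for ZeroAccess-style artifacts.  Added example for this
page, not code from the thread, FRST or Malwarebytes; every list, window and
threshold below is an assumption, and the sample lines are copied from the logs above."""
import re
from datetime import datetime, timedelta

FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) ([_A-Z]{5}) \((.*?)\) (.+)$")
REG_LINE = re.compile(
    r"^(HK[A-Z]+\\.*?\\InprocServer32): \[([^\]]*)\] (.*?)(?: ATTENTION!.*)?$")
KNOWN_EXT = {".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl", ".mui", ".ini", ".log",
             ".dat", ".tlb", ".txt", ".xml", ".nls", ".h", ".ftl", ".msc"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
RECENT = timedelta(days=30)   # assumed "recently created" window
# Sample input copied from the FRST logs posted above in this thread.
SAMPLE_FILE_LINES = r"""
2014-02-25 21:46 - 2009-07-13 23:45 - 00019120 ____H () C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-25 21:23 - 2014-02-10 22:25 - 00000074 _____ () C:\WINDOWS\system32\cwvulob.dac
2014-02-11 00:21 - 2014-02-11 00:21 - 00000000 ____S () C:\WINDOWS\system32\nkdm.mvr
2014-02-10 22:11 - 2014-02-10 22:11 - 00000064 _____ () C:\WINDOWS\system32\zhtngob.rvi
2014-02-10 22:11 - 2014-02-10 22:11 - 00000000 _____ () C:\WINDOWS\system32\lfsefo.ibt
2014-02-10 22:02 - 2014-02-10 22:02 - 00228999 ____S () C:\WINDOWS\system32\mqsmxe.oof
2014-02-10 21:33 - 2014-01-27 12:41 - 00003827 _____ () C:\WINDOWS\system32\InstallUtil.InstallLog
""".strip().splitlines()
SAMPLE_REG_LINES = [
    r"HKU\S-1-5-21-299502267-343818398-725345543-1237573\...409d6c4515e9\InprocServer32: "
    r"[Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\sdeehan\AppData\Local"
    r"\Temp\sdwbprv\sfuuovv\wow.dll ATTENTION! ====> ZeroAccess?",
]

def looks_random(stem):
    """Short, all-lowercase, vowel-poor names such as 'cwvulob' or 'nkdm'."""
    if not (4 <= len(stem) <= 8 and stem.isascii() and stem.isalpha() and stem.islower()):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.4

def parse_file_line(line):
    """Split one FRST file line into timestamps, size, attributes, signer and path."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    t1, t2, size, attrs, company, path = m.groups()
    fmt = "%Y-%m-%d %H:%M"
    return {"times": (datetime.strptime(t1, fmt), datetime.strptime(t2, fmt)),
            "size": int(size), "attrs": attrs, "company": company.strip(), "path": path}

def score_file(entry, newest):
    """Return (score, reasons); entries outside the gate score 0."""
    p = entry["path"].lower()
    # Gate: a regular file under a system directory whose older timestamp is recent.
    if "D" in entry["attrs"] or not any(d in p for d in SYSTEM_DIRS):
        return 0, []
    if newest - min(entry["times"]) > RECENT:
        return 0, []
    name = entry["path"].rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    stem, ext = (stem, "." + ext.lower()) if dot else (name, "")
    checks = [(ext not in KNOWN_EXT, "unusual extension " + (ext or "(none)")),
              (not entry["company"], "no company/signer"),
              (looks_random(stem), "random-looking name"),
              (set("SH") & set(entry["attrs"]), "hidden/system attribute")]
    reasons = [text for hit, text in checks if hit]
    return len(reasons), reasons

def triage_files(lines, threshold=3):
    """Return [(path, reasons)] for file lines with at least `threshold` indicators."""
    entries = [e for e in map(parse_file_line, lines) if e]
    newest = max((t for e in entries for t in e["times"]), default=datetime.min)
    scored = [(e["path"], score_file(e, newest)) for e in entries]
    return [(path, why) for path, (score, why) in scored if score >= threshold]

def triage_inproc(lines):
    """Return [(key, server, reasons)] for suspicious InprocServer32 registrations."""
    hits = []
    for line in lines:
        m = REG_LINE.match(line)
        if not m:
            continue
        key, value_hint, server = m.groups()
        s = server.lower()
        expected = value_hint.partition("-")[2].lower()   # FRST hint: [Default-shell32]
        checks = [(key.upper().startswith(("HKU\\", "HKCU\\")),
                   "per-user CLSID shadows the HKLM registration"),
                  (s.startswith("\\\\?\\globalroot\\"),
                   "device path hides the module from shell tools"),
                  ("\\appdata\\" in s or "\\temp\\" in s,
                   "server lives under a user profile or temp directory"),
                  (expected and not s.endswith("\\" + expected + ".dll"),
                   "expected %s.dll" % expected)]
        reasons = [text for hit, text in checks if hit]
        if len(reasons) >= 2:
            hits.append((key, server, reasons))
    return hits

if __name__ == "__main__":
    print(triage_files(SAMPLE_FILE_LINES))
    print(triage_inproc(SAMPLE_REG_LINES))
```

Run as-is it prints the five dropped files and the one hijacked CLSID; the 7B296FB0 licensing file (hidden, unsigned, odd extension) is excluded by the creation-date gate rather than by a name whitelist, and InstallUtil.InstallLog stops at two indicators. The per-user check is the one that matters for this thread: the merged HKEY_CLASSES_ROOT view prefers HKCU\Software\Classes over HKLM, so a CLSID created under the user's hive silently wins over the legitimate machine registration, which is why deleting that single HKU key in the Fixlog was enough to break the load chain without touching shell32.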

Thanks for the logs. The protection log is typical of an infected system. The error code for rpcss.dll will be related to where the patched file resides: MB is trying to remove the infected file from the FRST Quarantine folder. That folder is protected; basically it will not let go.... lol

 

Post the other logs whenever you're ready; the ESET scan will take several hours, so we will have to be patient....

 

Thanks,

 

Kevin


The intention of this forum is not to replace a company's IT department or outsource staff, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

It may be in the company's best interest to re-image the machine.


This topic is now closed to further replies.