
Usually I can dig these things out, but this one has got me going pretty good. I've tried several of the attempts and techniques I've web-searched for, but the majority, if not all, tell me to get to a command prompt via Safe Mode. New variant, I guess, but I get shut down as soon as it logs into Safe Mode.

I used the FRST tool but I can't find the log file. Weird. What makes this one even more fun? Client laptop (MacBook Pro) with Windows 7 Pro as the only OS. I ran Comodo Bootscan and it did find several other infections, but this ICE one is still present. Thanks in advance for any help.


Yeah, but it HAS to be something with this weird setup. I used another custom boot disk I have and it didn't even see the Windows partition. I used another Win7 Pro CD and got into Safe Mode that way. Was able to remove the shortcut from the Startup directory and back-trace the executable to a temp directory. Deleted it and I got use of the desktop again. Ran AdwCleaner and cleaned out more garbage. Looks like this system was overdue for a cleaning anyway.

Ran ComboFix just to be sure and it did pick up some more registry garbage. Was running a System File Check when I left the office to clean up any corrupted system files. Anything else you might suggest? I'll post more when I get back in the office.


Well, the best place to start is from the beginning:


Please run a Quick Scan with Malwarebytes like this and post the log:
Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.
Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.
Make sure that everything is checked, and click Remove Selected.

If you're using Malwarebytes 2.0, please run a Threat Scan

Then....please start HERE <--------
Post back the 2 logs here.....DDS.txt and Attach.txt
(please don't put logs in code or quotes and use the default font)

Don't forget to run RogueKiller below.

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.


<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.


Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes and use the default font)
MrC


Note:
Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly


Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive


<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.


<+>The removal of malware isn't instantaneous, please be patient.


<+>When we are done, I'll give you instructions on how to clean up all the tools and logs.


<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.


------->Your topic will be closed if you haven't replied within 3 days!<--------
(If I don't respond within 24 hours, please send me a PM)


Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 3/26/2014

Scan Time: 8:30:43 AM

Logfile: MwB.txt

Administrator: Yes

 

Version: 2.00.0.1000

Malware Database: v2014.03.26.03

Rootkit Database: v2014.03.25.01

License: Trial

Malware Protection: Disabled

Malicious Website Protection: Disabled

Chameleon: Disabled

 

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: XXXXXXXXXXXXX

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 253397

Time Elapsed: 10 min, 15 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Shuriken: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 4

PUP.Optional.MediaView.A, HKLM\SOFTWARE\WOW6432NODE\MediaViewV1alpha3853, Quarantined, [e1fa8186adce8ea8e2b2b3a638ca40c0], 

PUP.Optional.MediaWatch.A, HKLM\SOFTWARE\WOW6432NODE\MediaWatchV1home225, Quarantined, [e3f8de291269ab8b06a29ef4f211a060], 

PUP.Optional.SweetIM.A, HKLM\SOFTWARE\WOW6432NODE\SWEETIM, Quarantined, [9843db2c483336007b9c9fda50b302fe], 

PUP.Optional.MediaWatch.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MediaWatchV1home225, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

 

Registry Values: 3

PUP.Optional.MediaView.A, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|ext@MediaViewV1alpha3853.net, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff, Quarantined, [fedda265671442f4761fa8b14eb4b14f]

PUP.Optional.MediaWatch.A, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|ext@MediaWatchV1home225.net, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff, Quarantined, [c4178a7d265596a07d2c4c46f40fb24e]

PUP.Optional.SweetIM.A, HKLM\SOFTWARE\WOW6432NODE\SWEETIM|simapp_id, {2B644D88-4A1B-11E3-BF15-E5F56EDA3826}, Quarantined, [9843db2c483336007b9c9fda50b302fe]

 

Registry Data: 0

(No malicious items detected)

 

Folders: 16

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ch, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff\chrome, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff\chrome\content, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff\chrome\content\icons, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff\chrome\content\icons\default, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ie, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ch, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\chrome, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\chrome\content, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\chrome\content\icons, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\chrome\content\icons\default, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ie, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

 

Files: 15

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff\chrome.manifest, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff\install.rdf, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff\chrome\content\ffMediaViewV1alpha3853.js, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff\chrome\content\overlay.xul, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff\chrome\content\icons\Thumbs.db, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaView.A, C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha3853\ff\chrome\content\icons\default\MediaViewV1alpha3853_32.png, Quarantined, [10cb4eb9fa811224e94384cd020015eb], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\uninstall.exe, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ch\MediaWatchV1home225.crx, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\chrome.manifest, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\install.rdf, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\chrome\content\ffMediaWatchV1home225.js, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\chrome\content\ffMediaWatchV1home225ffaction.js, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\chrome\content\overlay.xul, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\chrome\content\icons\Thumbs.db, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

PUP.Optional.MediaWatch.A, C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home225\ff\chrome\content\icons\default\MediaWatchV1home225_32.png, Quarantined, [5a817b8cfb80cf672e6432219c66e21e], 

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

attach.txt

dds.txt


RogueKiller reports are attached.  

 

You may beat me with a pipe... I hit Repair out of frustrated habit. Working two jobs at the moment. I do have the quarantine folder on the desktop though.

 

MrCharlie, you are appreciated...

RKreport0_D_03252014_154226.txt

RKreport0_H_03252014_153656.txt

RKreport0_S_03252014_153630.txt

RKreport0_S_03252014_154128.txt

RKreport0_SC_03252014_153719.txt


RogueKiller V8.6.3 _x64_ [Jul 17 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com




 

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Safe mode

User : Tyra Raymond [Admin rights]

Mode : Remove -- Date : 03/25/2014 15:42:26

| ARK || FAK || MBR |

 

¤¤¤ Bad processes : 0 ¤¤¤

 

¤¤¤ Registry Entries : 12 ¤¤¤

[RUN][sUSP PATH] HKCU\[...]\Run : APISupport ("C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Tyra Raymond\AppData\Local\Conduit\APISupport\APISupport.dll",DLLRunAPISupport [7][x][x]) -> DELETED

[RUN][sUSP PATH] HKUS\S-1-5-21-2956860183-1891983987-973883258-1000\[...]\Run : APISupport ("C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Tyra Raymond\AppData\Local\Conduit\APISupport\APISupport.dll",DLLRunAPISupport [7][x][x]) -> [0x2] The system cannot find the file specified. 

[RUN][sUSP PATH] HKUS\S-1-5-21-2956860183-1891983987-973883258-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\[...]\Run : APISupport ("C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Tyra Raymond\AppData\Local\Conduit\APISupport\APISupport.dll",DLLRunAPISupport [7][x][x]) -> DELETED

[sERVICE][bLVALUE] HKLM\[...]\CS001\[...]\Services : IBUpdaterService (C:\Windows\system32\dmwu.exe [x]) -> DELETED

[sERVICE][bLVALUE] HKLM\[...]\CS003\[...]\Services : IBUpdaterService (C:\Windows\system32\dmwu.exe [x]) -> DELETED

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

[HJ DLL][sUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\PROGRA~3\lodb3brj.faa [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)

[HJ DLL][sUSP PATH] HKLM\[...]\CS001\[...]\Parameters : ServiceDll (C:\PROGRA~3\lodb3brj.faa [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)

[HJ DLL][sUSP PATH] HKLM\[...]\CS002\[...]\Parameters : ServiceDll (C:\PROGRA~3\lodb3brj.faa [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)

[HJ DLL][sUSP PATH] HKLM\[...]\CS003\[...]\Parameters : ServiceDll (C:\PROGRA~3\lodb3brj.faa [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)

 

¤¤¤ Scheduled tasks : 0 ¤¤¤

 

¤¤¤ Startup Entries : 0 ¤¤¤

 

¤¤¤ Web browsers : 0 ¤¤¤

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

 

¤¤¤ External Hives: ¤¤¤

 

¤¤¤ Infection :  ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

 

 

127.0.0.1 localhost

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0:  +++++

--- User ---

[MBR] 04a88eb258fd1f5ef708fbb09e13e87b

[bSP] da96666b6f487c6765e9f6cec2d2faf3 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive1:  +++++

--- User ---

[MBR] e4f3e2eaf3944783801c91cd3c57b804

[bSP] 91f69eef8d473585e1bd8f13406038bb : Empty MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 32 | Size: 7633 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

 

Finished : << RKreport[0]_D_03252014_154226.txt >>

RKreport[0]_H_03252014_153656.txt;RKreport[0]_S_03252014_153630.txt;RKreport[0]_S_03252014_154128.txt
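The "Registry Entries" section of the RogueKiller report above is the part of this thread worth reading closely: the WMI service's ServiceDll had been redirected to C:\PROGRA~3\lodb3brj.faa (a svchost-hosted service DLL hijack, repaired back to WMIsvc.dll), a Run key launched a Conduit DLL from AppData via rundll32, and a leftover service pointed at a binary that was already gone. As an added example, not part of the thread and not RogueKiller's own code, the Python below parses lines in that report format and ranks them so a responder sees the service-DLL hijack before the cosmetic Start-menu fixes. The sample lines are constructed from the report (user name replaced by USER, plus one made-up benign Run entry as a control); the severity rules and the reading of RogueKiller's "[x]" marker as "file not found" are this example's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample lines modelled on the "Registry Entries" section of the
# RogueKiller report above (user name replaced by USER, last line a made-up
# benign control). The forum software lowercased the letter after "[" in some
# tags ("[sUSP PATH]"), so tags are compared case-insensitively.
SAMPLE_LINES = [
    r'[RUN][sUSP PATH] HKCU\[...]\Run : APISupport ("C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\USER\AppData\Local\Conduit\APISupport\APISupport.dll",DLLRunAPISupport [7][x][x]) -> DELETED',
    r'[sERVICE][bLVALUE] HKLM\[...]\CS001\[...]\Services : IBUpdaterService (C:\Windows\system32\dmwu.exe [x]) -> DELETED',
    r'[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)',
    r'[HJ DLL][sUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\PROGRA~3\lodb3brj.faa [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)',
    r'[RUN] HKLM\[...]\Run : VendorUpdater ("C:\Program Files (x86)\Vendor\update.exe") -> FOUND',
]

ENTRY_RE = re.compile(
    r'^(?P<tags>(?:\[[^\]]+\])+)\s+'      # one or more [TAG] blocks
    r'(?P<key>\S+)\s*:\s*'                # registry key; RogueKiller elides parts as [...]
    r'(?P<name>.+?)\s+\((?P<value>.*)\)'  # value name and its data in parentheses
    r'\s+->\s+(?P<action>.*)$'            # what the tool did (DELETED, REPLACED (...), FOUND)
)
TAG_RE = re.compile(r'\[([^\]]+)\]')
PATH_RE = re.compile(r'(?:%SystemRoot%|[A-Za-z]:)\\[^"\s,]+', re.IGNORECASE)

# Directories a legitimate svchost service DLL should live in.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "%systemroot%\\system32\\")
# Locations an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "c:\\progra~3\\")


@dataclass
class Entry:
    tags: List[str]
    key: str
    name: str
    value: str
    action: str
    paths: List[str] = field(default_factory=list)


def extract_paths(value: str) -> List[str]:
    """Return file paths from the value data, honouring quotes so paths with spaces survive."""
    quoted = re.findall(r'"([^"]+)"', value)
    return quoted if quoted else PATH_RE.findall(value)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one report line; returns None for lines that are not registry entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        tags=TAG_RE.findall(m.group("tags")),
        key=m.group("key"),
        name=m.group("name"),
        value=m.group("value"),
        action=m.group("action"),
        paths=extract_paths(m.group("value")),
    )


def triage(e: Entry) -> Tuple[str, str]:
    """Rank one entry. The severity rules are this example's own, not RogueKiller's."""
    tags = {t.upper() for t in e.tags}
    paths = [p.lower() for p in e.paths]
    # Assumption: RogueKiller's "[x]" after a path means the file no longer exists.
    missing = "[x]" in e.value
    if e.name.lower() == "servicedll" and not all(p.startswith(SYSTEM_DIRS) for p in paths):
        return "HIGH", "ServiceDll of an svchost-hosted service points outside the system directory"
    if "RUN" in tags and any("rundll32" in p for p in paths) \
            and any(marker in p for p in paths for marker in USER_WRITABLE):
        return "MEDIUM", "Run entry loads a DLL from a user-writable location via rundll32"
    if "SERVICE" in tags and missing:
        return "MEDIUM", "service still registered for a binary that no longer exists"
    if tags & {"HJ DESK", "HJ SMENU"}:
        return "LOW", "shell preference restored; cosmetic"
    return "INFO", "no rule matched; review manually"


def triage_report(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse and rank every entry line; lines that do not parse are skipped."""
    out = []
    for line in lines:
        e = parse_entry(line)
        if e is not None:
            severity, reason = triage(e)
            out.append((severity, e.name, reason))
    return out


if __name__ == "__main__":
    for severity, name, reason in triage_report(SAMPLE_LINES):
        print(f"{severity:<6} {name:<18} {reason}")
```

Feed it the "Registry Entries" block of a report (one line per entry) and it returns a list of (severity, value name, reason) tuples in report order. The ServiceDll rule is the one that matters most here: a service DLL loaded by svchost.exe from ProgramData runs as SYSTEM under a trusted host process, which is why the tool restores the original WMIsvc.dll path rather than just deleting the value.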

Please disable Windows Defender; you have AVAST running, and having two anti-virus programs running on a system only causes poor performance, conflicts and spotty protection.

How to Disable Defender

Dangers of running 2 anti-virus programs

---------------------------------------------------

To attach a log:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

MrC


Run ComboFix:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

 

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


Did you run the uninstall for AVAST:
http://www.avast.com/en-us/uninstall-utility

If you did we can use ComboFix to remove those entries if needed.


3 suspicious files:
c:\windows\system32\drivers\aeruezha.sys
c:\windows\system32\drivers\rpohcaas.sys
c:\windows\system32\winzvprt5.sys

Can you upload them to VirusTotal for a free scan and let me know the results (just copy back the url)

https://www.virustotal.com/

MrC


Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 3/27/2014

Scan Time: 8:31:36 AM

Logfile: MwB2.txt

Administrator: Yes

 

Version: 2.00.0.1000

Malware Database: v2014.03.27.02

Rootkit Database: v2014.03.25.01

License: Trial

Malware Protection: Disabled

Malicious Website Protection: Disabled

Chameleon: Disabled

 

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: Tyra Raymond

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 253914

Time Elapsed: 5 min, 43 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Shuriken: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)


Looks good; if it's OK and there are no other problems.......

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get Unsupported operating system. Aborting now, just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

 Results of screen317's Security Check version 0.99.81  

 Windows 7 Service Pack 1 x64 (UAC is enabled)  

 Internet Explorer 11  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Security Center service is not running! This report may not be accurate! 

 Windows Firewall Enabled!  

avast! Antivirus   

 Antivirus up to date!   

`````````Anti-malware/Other Utilities Check:````````` 

 Adobe Reader XI  

 Google Chrome 33.0.1750.146  

 Google Chrome 33.0.1750.154  

````````Process Check: objlist.exe by Laurent````````  

 Malwarebytes Anti-Malware mbam.exe  

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C:  

````````````````````End of Log`````````````````````` 

Like I said before, we can use ComboFix to get rid of the reference to Avast:

Using ComboFix......

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt to the same location as ComboFix.exe

CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After reboot, (in case it asks to reboot)......

Please provide the contents of the ComboFix log (C:\ComboFix.txt) in your next reply.

MrC


ComboFix 14-03-24.01 - XXXX XXXXXXX 03/27/2014   9:30.3.2 - x64 NETWORK

Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8168.7160 [GMT -4:00]

Running from: c:\users\XXXX XXXXXXX\Desktop\ComboFix.exe

Command switches used :: c:\users\XXXX XXXXXXX\Desktop\CFScript.txt

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

 * Created a new restore point

.

.

(((((((((((((((((((((((((   Files Created from 2014-02-27 to 2014-03-27  )))))))))))))))))))))))))))))))

.

.

2014-03-27 13:37 . 2014-03-27 13:37 -------- d-----w- c:\users\Default\AppData\Local\temp

2014-03-26 15:00 . 2014-03-26 15:00 -------- d-----w- c:\programdata\SystemExplorer

2014-03-26 15:00 . 2014-03-26 15:00 -------- d-----w- c:\program files (x86)\System Explorer

2014-03-26 14:48 . 2014-03-26 14:48 -------- d-s---w- c:\windows\SysWow64\Microsoft

2014-03-25 19:28 . 2014-03-27 12:09 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-03-25 19:27 . 2014-03-25 19:27 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware

2014-03-25 19:27 . 2014-03-25 19:27 -------- d-----w- c:\programdata\Malwarebytes

2014-03-25 19:27 . 2014-03-05 13:26 63192 ----a-w- c:\windows\system32\drivers\mwac.sys

2014-03-25 19:27 . 2014-03-05 13:26 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-03-25 19:27 . 2014-03-05 13:26 25816 ----a-w- c:\windows\system32\drivers\mbam.sys

2014-03-25 19:00 . 2014-03-25 19:05 -------- d-----w- C:\FRST

2014-03-25 19:00 . 2014-03-25 19:00 421704 ----a-w- c:\windows\system32\drivers\rpohcaas.sys

2014-03-25 18:57 . 2014-03-25 20:21 -------- d-----w- C:\AdwCleaner

2014-03-25 10:49 . 2014-03-25 11:08 -------- d---a-w- C:\cce_linux

2014-03-25 09:45 . 2014-03-25 09:45 -------- d---a-w- c:\windows\jumpshot.com

2014-03-24 10:22 . 2014-03-07 04:43 10521840 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{61C24FF8-C256-45F3-8683-C968007F7B7A}\mpengine.dll

2014-03-22 20:04 . 2014-03-26 12:30 -------- d-----w- c:\program files (x86)\MediaWatchV1

2014-02-27 13:32 . 2014-02-27 13:32 -------- d-----w- c:\program files\iPod

2014-02-27 13:32 . 2014-02-27 13:32 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69

2014-02-27 13:32 . 2014-02-27 13:32 -------- d-----w- c:\program files\iTunes

2014-02-27 13:32 . 2014-02-27 13:32 -------- d-----w- c:\program files (x86)\iTunes

2014-02-27 13:10 . 2014-03-26 12:30 -------- d-----w- c:\program files (x86)\MediaViewV1

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-02-16 19:14 . 2014-02-16 19:14 608 --sha-w- c:\windows\system32\winzvprt5.sys

2014-01-28 00:47 . 2013-08-03 15:04 86054176 ----a-w- c:\windows\system32\MRT.exe

2014-01-14 13:26 . 2014-01-14 13:26 10 ----a-w- c:\windows\Fonts\wfonts.key

2014-01-06 19:23 . 2014-01-06 19:23 4558848 ----a-w- c:\windows\SysWow64\GPhotos.scr

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-11-20 59720]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-06 43848]

"Agile1pAgent"="c:\program files (x86)\1Password\Agile1pAgent.exe" [2013-12-18 2247952]

"StatusAlerts"="c:\program files (x86)\HP\StatusAlerts\bin\HPStatusAlerts.exe" [2012-07-18 313248]

"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-02-21 152392]

"SystemExplorerAutoStart"="c:\program files (x86)\System Explorer\SystemExplorer.exe" [2014-03-18 2861600]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes Anti-Malware (cleanup)"="c:\programdata\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe" [2014-03-05 54072]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

CodeMeter Control Center.lnk - c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeterCC.exe [2012-9-6 8443832]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

"EnableLinkedConnections"= 1 (0x1)

.

R2 Agile1Password;1Password;c:\program files (x86)\1Password\Agile1pService.exe;c:\program files (x86)\1Password\Agile1pService.exe [x]

R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe;c:\windows\SYSNATIVE\AppleOSSMgr.exe [x]

R2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe;c:\windows\SYSNATIVE\AppleTimeSrv.exe [x]

R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.3.124.0\BBSvc.exe;c:\program files (x86)\Microsoft\BingBar\7.3.124.0\BBSvc.exe [x]

R2 BcmBtRSupport;Bluetooth Driver Management Service;c:\windows\system32\BtwRSupportService.exe;c:\windows\SYSNATIVE\BtwRSupportService.exe [x]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe;c:\program files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe [x]

R2 HP LaserJet Service;HP LaserJet Service;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe;c:\program files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [x]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]

R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys;c:\windows\SYSNATIVE\drivers\KeyAgent.sys [x]

R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys;c:\windows\SYSNATIVE\drivers\MacHALDriver.sys [x]

R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]

R2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]

R2 Sentinel64;Sentinel64;c:\windows\System32\Drivers\Sentinel64.sys;c:\windows\SYSNATIVE\Drivers\Sentinel64.sys [x]

R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe;c:\program files (x86)\Microsoft\BingBar\7.3.124.0\SeaPort.exe [x]

R3 bcbtums;Bluetooth USB LD Filter;c:\windows\system32\drivers\bcbtums.sys;c:\windows\SYSNATIVE\drivers\bcbtums.sys [x]

R3 btwampfl;btwampfl;c:\windows\system32\DRIVERS\btwampfl.sys;c:\windows\SYSNATIVE\DRIVERS\btwampfl.sys [x]

R3 HP DS Service;HP DS Service;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe;c:\program files (x86)\HP\HPBDSService\HPBDSService.exe [x]

R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]

R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]

R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]

R3 SNTUSB64;SafeNet USB SuperPro/UltraPro/HardwareKey;c:\windows\system32\DRIVERS\SNTUSB64.SYS;c:\windows\SYSNATIVE\DRIVERS\SNTUSB64.SYS [x]

R3 SystemExplorerHelpService;System Explorer Service;c:\program files (x86)\System Explorer\service\SystemExplorerService64.exe;c:\program files (x86)\System Explorer\service\SystemExplorerService64.exe [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

S0 AppleHFS;AppleHFS; [x]

S0 AppleMNT;AppleMNT; [x]

S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys;c:\windows\SYSNATIVE\DRIVERS\applemtm.sys [x]

S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys;c:\windows\SYSNATIVE\DRIVERS\applemtp.sys [x]

S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys;c:\windows\SYSNATIVE\DRIVERS\IRFilter.sys [x]

S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys;c:\windows\SYSNATIVE\DRIVERS\KeyMagic.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2014-03-16 19:45 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2014-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-11 16:09]

.

2014-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-11 16:09]

.

2014-03-26 c:\windows\Tasks\User_Feed_Synchronization-{184DF83B-DF7C-4039-A4B1-B39CDABB51D1}.job

- c:\windows\system32\msfeedssync.exe [2013-11-22 00:50]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-03-25 8114720]

"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2011-06-29 741760]

"HP LaserJet 200 color MFP M276 Series Fax"="c:\program files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe" [2011-10-10 3706424]

"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

LSP: c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nvLsp.dll

TCP: DhcpNameServer = 192.168.0.250


.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-<NO NAME> - (no file)

WebBrowser-{41565256-3700-A76A-76A7-7A786E7484D7} - (no file)

ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)

AddRemove-MediaViewV1alpha3853 - c:\program files (x86)\MediaViewV1\MediaViewV1alpha3853\uninstall.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2014-03-27  09:40:09

ComboFix-quarantined-files.txt  2014-03-27 13:40

ComboFix2.txt  2014-03-26 15:25

ComboFix3.txt  2014-03-25 20:44

.

Pre-Run: 372,161,159,168 bytes free

Post-Run: 372,076,646,400 bytes free

.

- - End Of File - - E086CDB8D84A874758472850D34A45DB

A36C5E4F47E84449FF07ED3517B43A31

All looks good.....

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter. (it may look like CF is re-installing but it's not)

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete. (right click.....Delete)

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc. AdwCleaner > just run the program and click uninstall.

Note:

If you used FRST and can't delete the quarantine folder:

Download the fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

That will delete the quarantine folder created by FRST.

The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (My Preventive Maintenance also found HERE)

Good Luck and Thanks for using the forum, MrC

This topic is now closed to further replies.