
Successfully blocked connection to potentially malicious ....



Win7 Pro went south on me, so I am restoring the OS to factory defaults and now rebuilding from up-to-date file backups. When I installed Avast Free, I started getting intermittent messages about blocking a connection to potentially malicious site 176.121.11.12 ... at port 50265 with transaction chrome.exe (always the same info) ... Chrome was not yet installed at the time. Installed Malwarebytes and started getting the same message but from different ports, 49339, 61619, etc. Have run Malwarebytes and HitmanPro, and cleaned up PUPs, and neither shows any results now.

Have installed Google Chrome to see if that affects the message, but it doesn't; still getting the Malwarebytes message.

Hope you can help. Here are the DDS results:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16540
Run by Bob Fortson at 9:59:12 on 2014-03-26
Microsoft Windows 7 Professional   6.1.7600.0.1252.1.1033.18.4030.1299 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\Hpservice.exe
C:\windows\system32\vcsFPService.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files\Broadcom\Broadcom 802.11\WLTRYSVC.EXE
C:\windows\system32\WLANExt.exe
C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\System32\spoolsv.exe
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\IDT\WDM\AESTSr64.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
c:\Program Files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxtcs.exe
C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\IfxPsdSv.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\windows\SysWow64\ArcVCapRender\uArcCapture.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
C:\windows\system32\wbem\wmiprvse.exe
c:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe
C:\windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\windows\system32\taskeng.exe
C:\Users\Bob Fortson\AppData\Local\Hyper Browser\HyperBrowser.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.EXE
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe
C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\coreshredder.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpConnectionManager.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
C:\windows\system32\taskeng.exe
C:\Users\Bob Fortson\AppData\Local\Hyper Browser\HyperBrowser.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\SDKCOMServer.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdiSdkHelperx64.exe
C:\windows\system32\igfxext.exe
C:\windows\system32\igfxsrvc.exe
C:\windows\system32\taskhost.exe
C:\Program Files (x86)\zabkat\xplorer2_lite\xplorer2_lite.exe
C:\Program Files (x86)\Roxio\Roxio Burn\Roxio Burn.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Users\BOBFOR~1\AppData\Local\HYPERB~1\CHROME~1\chrome.exe
C:\Users\BOBFOR~1\AppData\Local\HYPERB~1\CHROME~1\chrome.exe
C:\Users\BOBFOR~1\AppData\Local\HYPERB~1\CHROME~1\chrome.exe
C:\Program Files (x86)\FastStone Capture\FSCapture.exe
C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Users\BOBFOR~1\AppData\Local\HYPERB~1\CHROME~1\chrome.exe
C:\Users\BOBFOR~1\AppData\Local\HYPERB~1\CHROME~1\chrome.exe
C:\Users\BOBFOR~1\AppData\Local\HYPERB~1\CHROME~1\chrome.exe
C:\Users\BOBFOR~1\AppData\Local\HYPERB~1\CHROME~1\chrome.exe
C:\Users\BOBFOR~1\AppData\Local\HYPERB~1\CHROME~1\chrome.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

mWinlogon: Userinit = userinit.exe,
BHO: File Sanitizer for HP ProtectTools: {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
TB: avast! Online Security: {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
uRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [QLBController] C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
mRun: [File Sanitizer] C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe
mRun: [RUNFBI] C:\SYSTEM.SAV\fbi\FBISM.exe
mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [HPConnectionManager] c:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
mRun: [HPQuickWebProxy] "c:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
mRun: [iFXSPMGT] "c:\Program Files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" /NotifyLogon
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [iJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{8912D613-B805-45B3-BDCF-8239F66EBACE} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{8912D613-B805-45B3-BDCF-8239F66EBACE}\3445553514E45445 : DHCPNameServer = 192.168.1.1
Notify: DeviceNP - DeviceNP.dll
AppInit_DLLs= C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
SSODL: WebCheck - <orphaned>
LSA: Notification Packages =  EpePcNp64 DPPassFilter scecli
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mWinlogon: Userinit = C:\windows\System32\userinit.exe,c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DPAgent.exe,
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-TB: avast! Online Security: {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden
x64-Run: [igfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [broadcom Wireless Manager UI] C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.exe
x64-Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [MfeEpePcMonitor] "C:\Program Files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe"
x64-Run: [Logitech Download Assistant] C:\windows\System32\rundll32.exe C:\windows\System32\LogiLDA.dll,LogiFetch
x64-Run: [synTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Bob Fortson\AppData\Roaming\Mozilla\Firefox\Profiles\jzer176s.default\
FF - prefs.js: browser.startup.homepage - hxxp://k2b-bulk.ebay.com/ws/eBayISAPI.dll?SalesRecordConsole&currentpage=SCSold&ssPageName=STRK:ME:LNLK|https://sellercentral.amazon.com/gp/orders-v2/list/ref=ag_myo_dnav_home_|https://www.creektree.net/CTnimda18/login.php?camefrom=orders.php&oID=13070&action=edit&zenAdminID=7f9b01fff0cc66dd5eab621a5e53d8f7|http://www.wizardswhimsy.com/WWnimda18/login.php?zenAdminID=c52e835f05573b5f4eb5c275935fbaf2|https://www.creektree.net/faeryswhimsy/FWnimda18/login.php?camefrom=index.php&zenAdminID=2f828848df19f09e3ef14753d22c38f5|http://www.gothic-shadows.com/GSnimda18/login.php?zenAdminID=1f0d759ea2bb0269229a003b37172103|https://server12.camelot-hosting.com:2096/cpsess4705782290/3rdparty/roundcube/?_task=mail|https://service.ringcentral.com/
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.22.5\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;C:\windows\System32\drivers\aswRvrt.sys [2014-3-24 65776]
R0 aswVmm;avast! VM Monitor;C:\windows\System32\drivers\aswVmm.sys [2014-3-24 207904]
R0 MfeEpePc;MfeEpePc;C:\windows\System32\drivers\MfeEpePc.sys [2011-2-9 168008]
R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2011-3-6 55856]
R1 aswSnx;aswSnx;C:\windows\System32\drivers\aswSnx.sys [2014-3-24 1034464]
R1 aswSP;aswSP;C:\windows\System32\drivers\aswSP.sys [2014-3-24 422216]
R1 PersonalSecureDrive;PersonalSecureDrive;C:\windows\System32\drivers\psd.sys [2010-1-26 44576]
R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2014-3-24 89600]
R2 aswMonFlt;aswMonFlt;C:\windows\System32\drivers\aswMonFlt.sys [2014-3-24 78648]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-3-24 50344]
R2 HP Power Assistant Service;HP Power Assistant Service;C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2011-1-26 131128]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2010-8-5 681528]
R2 HPDayStarterService;HP DayStarter Service;C:\Program Files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe [2011-1-28 133688]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-2-4 92216]
R2 HPFSService;File Sanitizer for HP ProtectTools;C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2011-2-7 320000]
R2 hpHotkeyMonitor;hpHotkeyMonitor;C:\Program Files (x86)\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [2011-1-28 281656]
R2 hpsrv;HP Service;C:\windows\System32\hpservice.exe [2011-5-13 30520]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2014-3-24 13336]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe [2010-11-29 210896]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2014-3-24 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2014-3-24 701512]
R2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [2011-2-9 1318912]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-3-6 1128952]
R2 PdiService;Portrait Displays SDK Service;C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2011-3-6 113264]
R2 uArcCapture;ArcCapture;C:\Windows\SysWOW64\ArcVCapRender\uArcCapture.exe [2014-3-24 502464]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2014-3-24 2656280]
R2 vcsFPService;Validity VCS Fingerprint Service;C:\windows\System32\vcsFPService.exe [2011-1-21 3154224]
R3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;C:\windows\System32\drivers\ArcSoftVCapture.sys [2014-3-24 32192]
R3 aswStm;aswStm;C:\windows\System32\drivers\aswstm.sys [2014-3-24 79672]
R3 HP ProtectTools Service;HP ProtectTools Service;C:\Program Files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [2011-1-12 36864]
R3 hpCMSrv;HP Connection Manager 4.0 Service;C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [2011-2-15 1071160]
R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2010-10-14 317440]
R3 JMCR;JMCR;C:\windows\System32\drivers\jmcr.sys [2014-3-24 174168]
R3 johci;JMicron 1394 Filter Driver;C:\windows\System32\drivers\johci.sys [2014-3-24 26712]
R3 MBAMProtector;MBAMProtector;C:\windows\System32\drivers\mbam.sys [2014-3-24 25928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 DAMDrv;DAMDrv;C:\windows\System32\drivers\DAMDrv64.sys [2011-2-7 63336]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;C:\Windows\SysWOW64\flcdlock.exe [2011-2-3 464480]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2011-1-15 1116656]
S3 StorSvc;Storage Service;C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2014-3-25 1255736]
.
=============== Created Last 30 ================
.
2014-03-26 14:23:31    --------    d-----w-    C:\ProgramData\Canon IJ Network Tool
2014-03-26 14:23:29    --------    d-----w-    C:\Program Files (x86)\Canon
2014-03-26 14:23:28    307200    ----a-w-    C:\windows\SysWow64\CNC870L.dll
2014-03-26 14:23:28    15872    ----a-w-    C:\windows\SysWow64\CNHMCA.dll
2014-03-26 14:23:28    102400    ----a-w-    C:\windows\SysWow64\CNC870U.dll
2014-03-26 14:18:38    --------    d-----w-    C:\Program Files (x86)\FastStone Capture
2014-03-26 12:53:38    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\Google
2014-03-26 09:18:20    75888    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CA8D3F12-A9CC-4784-8069-360D129B0D2B}\offreg.dll
2014-03-25 16:25:04    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\Macromedia
2014-03-25 16:14:55    71048    ----a-w-    C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-25 16:14:55    692616    ----a-w-    C:\windows\SysWow64\FlashPlayerApp.exe
2014-03-25 15:26:08    --------    d-----w-    C:\Program Files (x86)\Common Files\L&H
2014-03-25 15:26:02    --------    d-----w-    C:\Program Files (x86)\Microsoft ActiveSync
2014-03-25 15:21:35    --------    d-----w-    C:\windows\PCHEALTH
2014-03-25 15:05:22    --------    d-----w-    C:\Program Files (x86)\zabkat
2014-03-25 14:38:15    --------    d-----w-    C:\Users\Bob Fortson\AppData\Roaming\Roxio Burn
2014-03-25 12:45:54    --------    d-----w-    C:\Program Files\Microsoft Mouse and Keyboard Center
2014-03-25 12:39:49    --------    d-----w-    C:\Program Files (x86)\MSXML 4.0
2014-03-25 12:39:27    --------    d-----w-    C:\windows\SysWow64\Wat
2014-03-25 12:39:27    --------    d-----w-    C:\windows\System32\Wat
2014-03-24 23:47:29    --------    d-----w-    C:\windows\System32\MRT
2014-03-24 23:45:09    367104    ----a-w-    C:\windows\System32\wcncsvc.dll
2014-03-24 23:45:08    276992    ----a-w-    C:\windows\SysWow64\wcncsvc.dll
2014-03-24 23:15:41    785512    ----a-w-    C:\windows\System32\drivers\Wdf01000.sys
2014-03-24 23:15:41    54376    ----a-w-    C:\windows\System32\drivers\WdfLdr.sys
2014-03-24 23:15:41    2560    ----a-w-    C:\windows\System32\drivers\en-US\wdf01000.sys.mui
2014-03-24 23:15:40    9728    ----a-w-    C:\windows\System32\Wdfres.dll
2014-03-24 22:40:23    46080    ----a-w-    C:\windows\System32\atmlib.dll
2014-03-24 22:40:23    367616    ----a-w-    C:\windows\System32\atmfd.dll
2014-03-24 22:40:23    34304    ----a-w-    C:\windows\SysWow64\atmlib.dll
2014-03-24 22:40:23    295424    ----a-w-    C:\windows\SysWow64\atmfd.dll
2014-03-24 22:39:42    87040    ----a-w-    C:\windows\System32\drivers\WUDFPf.sys
2014-03-24 22:39:42    198656    ----a-w-    C:\windows\System32\drivers\WUDFRd.sys
2014-03-24 22:39:41    84992    ----a-w-    C:\windows\System32\WUDFSvc.dll
2014-03-24 22:39:41    194048    ----a-w-    C:\windows\System32\WUDFPlatform.dll
2014-03-24 22:39:40    744448    ----a-w-    C:\windows\System32\WUDFx.dll
2014-03-24 22:39:40    45056    ----a-w-    C:\windows\System32\WUDFCoinstaller.dll
2014-03-24 22:39:40    229888    ----a-w-    C:\windows\System32\WUDFHost.exe
2014-03-24 22:34:23    --------    d-----w-    C:\windows\rescache
2014-03-24 22:32:14    --------    d-----w-    C:\Program Files\Common Files\Intel
2014-03-24 22:32:13    --------    d-----w-    C:\Program Files (x86)\Common Files\Intel
2014-03-24 22:28:12    80896    ----a-w-    C:\windows\System32\imagehlp.dll
2014-03-24 22:28:12    5120    ----a-w-    C:\windows\SysWow64\wmi.dll
2014-03-24 22:28:12    5120    ----a-w-    C:\windows\System32\wmi.dll
2014-03-24 22:28:12    22896    ----a-w-    C:\windows\System32\drivers\fs_rec.sys
2014-03-24 22:28:12    158720    ----a-w-    C:\windows\SysWow64\imagehlp.dll
2014-03-24 22:24:05    26712    ----a-w-    C:\windows\System32\drivers\johci.sys
2014-03-24 22:24:05    203352    ----a-w-    C:\windows\SysWow64\jmcricon.dll
2014-03-24 22:24:05    203352    ----a-w-    C:\windows\System32\jmcricon.dll
2014-03-24 22:24:05    174168    ----a-w-    C:\windows\System32\drivers\jmcr.sys
2014-03-24 22:18:07    2048    ----a-w-    C:\windows\SysWow64\tzres.dll
2014-03-24 22:18:07    2048    ----a-w-    C:\windows\System32\tzres.dll
2014-03-24 22:16:58    3150848    ----a-w-    C:\windows\System32\win32k.sys
2014-03-24 22:15:59    2048    ----a-w-    C:\windows\SysWow64\user.exe
2014-03-24 22:14:59    476160    ----a-w-    C:\windows\System32\XpsGdiConverter.dll
2014-03-24 22:14:59    288256    ----a-w-    C:\windows\SysWow64\XpsGdiConverter.dll
2014-03-24 22:14:58    9216    ----a-w-    C:\windows\System32\rdrmemptylst.exe
2014-03-24 22:14:58    27008    ----a-w-    C:\windows\System32\drivers\Diskdump.sys
2014-03-24 22:14:57    76288    ----a-w-    C:\windows\System32\rdpwsx.dll
2014-03-24 22:14:57    149504    ----a-w-    C:\windows\System32\rdpcorekmts.dll
2014-03-24 22:14:56    478208    ----a-w-    C:\windows\System32\dpnet.dll
2014-03-24 22:14:56    376832    ----a-w-    C:\windows\SysWow64\dpnet.dll
2014-03-24 22:13:40    204800    ----a-w-    C:\windows\System32\drivers\rdpwd.sys
2014-03-24 22:10:44    5497688    ----a-w-    C:\windows\System32\ntoskrnl.exe
2014-03-24 22:10:42    3958120    ----a-w-    C:\windows\SysWow64\ntkrnlpa.exe
2014-03-24 22:10:42    3902312    ----a-w-    C:\windows\SysWow64\ntoskrnl.exe
2014-03-24 22:10:41    6656    ----a-w-    C:\windows\SysWow64\apisetschema.dll
2014-03-24 22:10:41    43520    ----a-w-    C:\windows\System32\csrsrv.dll
2014-03-24 22:10:41    112640    ----a-w-    C:\windows\System32\smss.exe
2014-03-24 22:10:39    723456    ----a-w-    C:\windows\System32\EncDec.dll
2014-03-24 22:10:39    534528    ----a-w-    C:\windows\SysWow64\EncDec.dll
2014-03-24 22:10:38    861184    ----a-w-    C:\windows\System32\oleaut32.dll
2014-03-24 22:10:38    331776    ----a-w-    C:\windows\System32\oleacc.dll
2014-03-24 22:10:37    571904    ----a-w-    C:\windows\SysWow64\oleaut32.dll
2014-03-24 22:10:37    233472    ----a-w-    C:\windows\SysWow64\oleacc.dll
2014-03-24 22:04:59    1739160    ----a-w-    C:\windows\System32\ntdll.dll
2014-03-24 22:04:59    1292592    ----a-w-    C:\windows\SysWow64\ntdll.dll
2014-03-24 22:02:32    182272    ----a-w-    C:\windows\System32\cryptsvc.dll
2014-03-24 22:02:32    1462784    ----a-w-    C:\windows\System32\crypt32.dll
2014-03-24 22:02:32    140288    ----a-w-    C:\windows\System32\cryptnet.dll
2014-03-24 22:02:32    139264    ----a-w-    C:\windows\SysWow64\cryptsvc.dll
2014-03-24 22:02:32    1157632    ----a-w-    C:\windows\SysWow64\crypt32.dll
2014-03-24 22:02:32    103936    ----a-w-    C:\windows\SysWow64\cryptnet.dll
2014-03-24 22:01:40    77312    ----a-w-    C:\windows\System32\packager.dll
2014-03-24 22:01:40    67072    ----a-w-    C:\windows\SysWow64\packager.dll
2014-03-24 22:00:39    826368    ----a-w-    C:\windows\SysWow64\rdpcore.dll
2014-03-24 22:00:39    23552    ----a-w-    C:\windows\System32\drivers\tdtcp.sys
2014-03-24 22:00:39    1031680    ----a-w-    C:\windows\System32\rdpcore.dll
2014-03-24 21:56:25    2622464    ----a-w-    C:\windows\System32\wucltux.dll
2014-03-24 21:56:16    99840    ----a-w-    C:\windows\System32\wudriver.dll
2014-03-24 21:56:10    36864    ----a-w-    C:\windows\System32\wuapp.exe
2014-03-24 21:56:10    186752    ----a-w-    C:\windows\System32\wuwebv.dll
2014-03-24 21:49:55    12872    ----a-w-    C:\windows\System32\bootdelete.exe
2014-03-24 21:45:44    --------    d-----w-    C:\Program Files\HitmanPro
2014-03-24 21:44:49    --------    d-----w-    C:\ProgramData\HitmanPro
2014-03-24 21:43:06    --------    d-----w-    C:\Users\Bob Fortson\_Documents
2014-03-24 21:27:08    101376    ----a-w-    C:\windows\System32\Spool\prtprocs\x64\HPZPPWN7.DLL
2014-03-24 21:15:08    --------    d-----w-    C:\Users\Bob Fortson\AppData\Roaming\Malwarebytes
2014-03-24 21:15:00    --------    d-----w-    C:\ProgramData\Malwarebytes
2014-03-24 21:14:59    25928    ----a-w-    C:\windows\System32\drivers\mbam.sys
2014-03-24 21:14:59    --------    d-----w-    C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-03-24 21:14:41    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\Programs
2014-03-24 21:10:48    --------    d-----w-    C:\ProgramData\DigitalPersona
2014-03-24 20:11:47    --------    d-----w-    C:\Users\Bob Fortson\AppData\Roaming\AVAST Software
2014-03-24 20:11:07    92544    ----a-w-    C:\windows\System32\drivers\aswRdr2.sys
2014-03-24 20:11:07    79672    ----a-w-    C:\windows\System32\drivers\aswstm.sys
2014-03-24 20:11:07    78648    ----a-w-    C:\windows\System32\drivers\aswMonFlt.sys
2014-03-24 20:11:07    65776    ----a-w-    C:\windows\System32\drivers\aswRvrt.sys
2014-03-24 20:11:07    207904    ----a-w-    C:\windows\System32\drivers\aswVmm.sys
2014-03-24 20:11:07    1034464    ----a-w-    C:\windows\System32\drivers\aswSnx.sys
2014-03-24 20:11:04    43152    ----a-w-    C:\windows\avastSS.scr
2014-03-24 20:10:51    --------    d-----w-    C:\Program Files\AVAST Software
2014-03-24 20:10:13    10521840    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{CA8D3F12-A9CC-4784-8069-360D129B0D2B}\mpengine.dll
2014-03-24 20:09:23    --------    d-----w-    C:\ProgramData\AVAST Software
2014-03-24 20:00:52    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\Hyper Browser
2014-03-24 20:00:44    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\SearchProtect
2014-03-24 20:00:33    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\d8fc0f41-5ef6-4314-7234-a243a7f50974
2014-03-24 19:56:00    --------    d-----w-    C:\Users\Bob Fortson\AppData\Roaming\Intel Corporation
2014-03-24 19:55:57    --------    d-----w-    C:\Users\Bob Fortson\AppData\Roaming\Synaptics
2014-03-24 19:55:52    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\PDFC
2014-03-24 19:55:43    --------    d-----r-    C:\Users\Bob Fortson\Virtual Machines
2014-03-24 19:55:33    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\VirtualStore
2014-03-24 19:54:57    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\RemEngine
2014-03-24 19:51:57    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\Hewlett-Packard
2014-03-24 19:51:47    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\Hewlett-Packard_Company
2014-03-24 19:49:34    --------    d-----w-    C:\Program Files (x86)\Windows XP Mode
2014-03-24 19:48:42    --------    d-----w-    C:\Users\Bob Fortson\AppData\Local\Downloaded Installations
2014-03-24 19:48:18    3120    ----a-w-    C:\windows\SysWow64\drivers\wdbgbhi.sys
2014-03-24 19:48:18    3120    ----a-w-    C:\windows\System32\drivers\wdbgbhi.sys
2014-03-24 19:48:08    --------    d-----w-    C:\Users\Bob Fortson\AppData\Roaming\Symantec
2014-03-24 19:48:07    --------    d-----w-    C:\Program Files\Symantec
2014-03-24 19:47:37    --------    d-----w-    C:\windows\SysWow64\ArcVCapRender
2014-03-24 19:47:36    32192    ----a-w-    C:\windows\System32\drivers\ArcSoftVCapture.sys
2014-03-24 19:47:36    30272    ----a-w-    C:\windows\System32\arcvcapcoin.dll
2014-03-24 19:47:16    --------    d-----w-    C:\ProgramData\Validity
2014-03-24 19:47:12    --------    d-----w-    C:\Program Files\Validity Sensors
2014-03-24 19:47:08    18063752    ----a-w-    C:\Program Files (x86)\Online Services\Skype\SkypeSetup.exe
2014-03-24 19:44:32    221184    ----a-w-    C:\windows\System32\HPToneCtrls64.dll
2014-03-24 19:41:11    --------    d-----w-    C:\Program Files (x86)\Common Files\Telespree
2014-03-24 19:40:25    --------    d-----w-    C:\windows\Hewlett-Packard
2014-03-24 19:40:16    40064    ----a-w-    C:\windows\System32\drivers\sncduvc.sys
2014-03-24 19:40:16    --------    d-----w-    C:\Program Files (x86)\Common Files\SNP2UVC
2014-03-24 19:40:11    12800    ------w-    C:\windows\EricssonMobileBroadbandVer.dll
2014-03-24 19:38:57    --------    d-----w-    C:\ProgramData\Atheros
2014-03-24 19:38:51    64000    ------w-    C:\windows\SysWow64\agrsmdel.exe
2014-03-24 19:38:51    27648    ------w-    C:\windows\SysWow64\agrsco64.dll
2014-03-24 19:38:51    26624    ------w-    C:\windows\SysWow64\agrscoin.dll
2014-03-24 19:38:50    --------    d-----w-    C:\Program Files\LSI SoftModem
2014-03-24 19:38:47    --------    d-----w-    C:\windows\Options
2014-03-24 19:38:39    --------    d-----w-    C:\windows\SysWow64\SDA
2014-03-24 19:38:39    --------    d-----w-    C:\Program Files (x86)\JMicron
2014-03-24 19:38:15    8192    ----a-w-    C:\windows\System32\drivers\IntelMEFWVer.dll
2014-03-24 19:38:12    --------    d-----w-    C:\Program Files (x86)\Common Files\postureAgent
2014-03-24 19:38:06    --------    d-----w-    C:\Program Files (x86)\Cisco
2014-03-24 19:36:44    --------    d-----w-    C:\Users\Bob Fortson\AppData\Roaming\hpqLog
.
==================== Find3M  ====================
.
2014-03-24 19:37:23    7767040    ----a-w-    C:\windows\System32\BCMWLCPL.CPL
.
============= FINISH: 10:00:09.91 ===============

 

The attach.zip is here as well.

 

Please advise. Thanks for your help & attention.

 

Bob

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
Something on your computer is trying to call home...and I think I know what it is.
 
 
Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

  • Leave everything else as it is.
  • Close all other running programs as well as your browser.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
  • Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Hello, Marius, thanks for your quick response. The GMER results are:

 

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-26 11:30:28
Windows 6.1.7600  x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PC3O 298.09GB
Running: mz6y65jx.exe; Driver: C:\Users\BOBFOR~1\AppData\Local\Temp\pxtiqkob.sys


---- Threads - GMER 2.1 ----

Thread   C:\windows\system32\taskhost.exe [5960:2504]                                                                                                                       000007fef5d1ef24
---- Processes - GMER 2.1 ----

Library  C:\Users\Bob Fortson\AppData\Local\Hyper Browser\HyperBrowser.exe (*** suspicious ***) @ C:\Users\Bob Fortson\AppData\Local\Hyper Browser\HyperBrowser.exe [3868]  0000000000d20000
Library  C:\Users\Bob Fortson\AppData\Local\Hyper Browser\HyperBrowser.exe (*** suspicious ***) @ C:\Users\Bob Fortson\AppData\Local\Hyper Browser\HyperBrowser.exe [5800]  0000000000d20000

---- EOF - GMER 2.1 ----

 

FYI, looked into the path it gave, and in the Hyper Browser folder is a chrome-bin folder containing a chrome.exe module.

 

Would this have been a part of the HP factory default recovery file or could it have snuck in somehow before I could install Avast?

 

Looking forward to hearing from you,

 

Bob


Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!


  • Deactivate any and all of your antivirus programs / spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe



When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.


Good morning, Marius ... the ComboFix results are:

 

 

ComboFix 14-03-24.01 - Bob Fortson 03/27/2014   6:47.1.4 - x64
Microsoft Windows 7 Professional   6.1.7600.0.1252.1.1033.18.4030.950 [GMT -5:00]
Running from: c:\users\Bob Fortson\_Documents\_DMZ\Malwarebytes-addons\ComboFix\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
c:\windows\KB16178.log
G:\Autorun.inf
G:\setup.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-27 to 2014-03-27  )))))))))))))))))))))))))))))))
.
.
2014-03-27 12:10 . 2014-03-27 12:10    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-03-26 21:13 . 2014-03-26 21:13    --------    d-----w-    c:\program files\Microsoft Games
2014-03-26 18:40 . 2014-03-26 18:40    --------    d-----w-    c:\windows\system32\appmgmt
2014-03-26 18:17 . 2014-03-26 18:20    --------    d-----w-    C:\wamp
2014-03-26 16:12 . 2007-05-22 10:00    82944    ----a-w-    c:\windows\system32\Spool\prtprocs\x64\CNMPP95.DLL
2014-03-26 16:12 . 2007-05-22 10:00    27648    ----a-w-    c:\windows\system32\Spool\prtprocs\x64\CNMPD95.DLL
2014-03-26 16:12 . 2007-05-22 10:00    258560    ----a-w-    c:\windows\system32\CNMLM95.DLL
2014-03-26 16:12 . 2007-04-27 16:08    247296    ----a-w-    c:\windows\system32\CNC700L.DLL
2014-03-26 16:12 . 2007-03-23 21:33    1439744    ----a-w-    c:\windows\system32\CNC700C.DLL
2014-03-26 16:12 . 2007-03-23 21:32    92672    ----a-w-    c:\windows\system32\CNC700I.DLL
2014-03-26 16:12 . 2007-03-15 19:13    229888    ----a-w-    c:\windows\system32\CNC700O.DLL
2014-03-26 16:12 . 2007-05-21 19:40    183296    ----a-w-    c:\windows\system32\CNCF2Le.DLL
2014-03-26 16:12 . 2007-05-21 19:35    143360    ----a-w-    c:\windows\system32\CNCFMSe.EXE
2014-03-26 16:12 . 2007-05-21 19:32    3584    ----a-w-    c:\windows\system32\CNCFLeUS.DLL
2014-03-26 16:12 . 2007-05-21 19:32    3072    ----a-w-    c:\windows\system32\CNCFLeJP.DLL
2014-03-26 14:23 . 2014-03-26 14:23    --------    d-----w-    c:\programdata\Canon IJ Network Tool
2014-03-26 14:23 . 2014-03-26 14:23    --------    d-----w-    c:\program files (x86)\Canon
2014-03-26 14:23 . 2011-01-06 18:07    102400    ----a-w-    c:\windows\SysWow64\CNC870U.dll
2014-03-26 14:23 . 2009-10-19 21:29    307200    ----a-w-    c:\windows\SysWow64\CNC870L.dll
2014-03-26 14:23 . 2008-08-25 23:02    15872    ----a-w-    c:\windows\SysWow64\CNHMCA.dll
2014-03-26 14:21 . 2014-03-26 14:21    --------    d--h--w-    c:\program files\CanonBJ
2014-03-26 14:18 . 2014-03-26 14:18    --------    d-----w-    c:\program files (x86)\FastStone Capture
2014-03-26 14:05 . 2014-03-26 14:07    --------    d-----w-    c:\program files (x86)\Google
2014-03-26 09:18 . 2014-03-26 09:18    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{CA8D3F12-A9CC-4784-8069-360D129B0D2B}\offreg.dll
2014-03-25 16:14 . 2014-03-25 16:59    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-25 16:14 . 2014-03-25 16:59    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-03-25 16:14 . 2014-03-25 16:14    --------    d-----w-    c:\windows\system32\Macromed
2014-03-25 15:26 . 2014-03-25 15:26    --------    d-----w-    c:\program files (x86)\Common Files\L&H
2014-03-25 15:26 . 2014-03-25 15:26    --------    d-----w-    c:\program files (x86)\Microsoft ActiveSync
2014-03-25 15:25 . 2014-03-25 15:25    --------    d-----w-    c:\program files (x86)\Microsoft Works
2014-03-25 15:21 . 2014-03-25 15:21    --------    d-----w-    c:\windows\PCHEALTH
2014-03-25 15:18 . 2014-03-25 15:18    --------    d-----r-    C:\MSOCache
2014-03-25 15:05 . 2014-03-25 15:05    --------    d-----w-    c:\program files (x86)\zabkat
2014-03-25 12:45 . 2014-03-25 12:46    --------    d-----w-    c:\program files\Microsoft Mouse and Keyboard Center
2014-03-25 12:39 . 2014-03-25 12:39    --------    d-----w-    c:\program files (x86)\MSXML 4.0
2014-03-25 12:39 . 2014-03-25 12:39    --------    d-----w-    c:\windows\SysWow64\Wat
2014-03-25 12:39 . 2014-03-25 12:39    --------    d-----w-    c:\windows\system32\Wat
2014-03-24 23:47 . 2014-03-24 23:49    --------    d-----w-    c:\windows\system32\MRT
2014-03-24 23:45 . 2010-09-14 06:45    367104    ----a-w-    c:\windows\system32\wcncsvc.dll
2014-03-24 23:45 . 2010-09-14 06:07    276992    ----a-w-    c:\windows\SysWow64\wcncsvc.dll
2014-03-24 23:15 . 2012-07-26 04:55    785512    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2014-03-24 23:15 . 2012-07-26 04:55    54376    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2014-03-24 23:15 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2014-03-24 23:15 . 2012-07-26 02:36    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2014-03-24 22:40 . 2012-12-16 16:52    46080    ----a-w-    c:\windows\system32\atmlib.dll
2014-03-24 22:40 . 2012-12-16 14:40    367616    ----a-w-    c:\windows\system32\atmfd.dll
2014-03-24 22:40 . 2012-12-16 14:25    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2014-03-24 22:40 . 2012-12-16 14:25    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2014-03-24 22:39 . 2012-07-26 02:26    87040    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2014-03-24 22:39 . 2012-07-26 02:26    198656    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2014-03-24 22:39 . 2012-07-26 03:08    84992    ----a-w-    c:\windows\system32\WUDFSvc.dll
2014-03-24 22:39 . 2012-07-26 03:08    194048    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2014-03-24 22:39 . 2012-07-26 03:08    229888    ----a-w-    c:\windows\system32\WUDFHost.exe
2014-03-24 22:39 . 2012-07-26 03:08    744448    ----a-w-    c:\windows\system32\WUDFx.dll
2014-03-24 22:39 . 2012-07-26 03:08    45056    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2014-03-24 22:34 . 2014-03-25 17:22    --------    d-----w-    c:\windows\rescache
2014-03-24 22:32 . 2014-03-24 22:32    --------    d-----w-    c:\program files\Common Files\Intel
2014-03-24 22:32 . 2014-03-24 22:32    --------    d-----w-    c:\program files (x86)\Common Files\Intel
2014-03-24 22:28 . 2012-03-01 06:54    22896    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2014-03-24 22:28 . 2012-03-01 06:40    80896    ----a-w-    c:\windows\system32\imagehlp.dll
2014-03-24 22:28 . 2012-03-01 06:35    5120    ----a-w-    c:\windows\system32\wmi.dll
2014-03-24 22:28 . 2012-03-01 05:45    158720    ----a-w-    c:\windows\SysWow64\imagehlp.dll
2014-03-24 22:28 . 2012-03-01 05:40    5120    ----a-w-    c:\windows\SysWow64\wmi.dll
2014-03-24 22:24 . 2011-02-08 17:26    26712    ----a-w-    c:\windows\system32\drivers\johci.sys
2014-03-24 22:24 . 2011-01-30 19:04    174168    ----a-w-    c:\windows\system32\drivers\jmcr.sys
2014-03-24 22:24 . 2010-07-26 13:08    203352    ----a-w-    c:\windows\SysWow64\jmcricon.dll
2014-03-24 22:24 . 2010-07-26 13:08    203352    ----a-w-    c:\windows\system32\jmcricon.dll
2014-03-24 22:18 . 2012-11-09 05:34    2048    ----a-w-    c:\windows\system32\tzres.dll
2014-03-24 22:18 . 2012-11-09 04:49    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2014-03-24 22:16 . 2013-03-01 03:32    3150848    ----a-w-    c:\windows\system32\win32k.sys
2014-03-24 22:15 . 2013-01-04 02:48    2048    ----a-w-    c:\windows\SysWow64\user.exe
2014-03-24 22:14 . 2011-02-24 06:30    476160    ----a-w-    c:\windows\system32\XpsGdiConverter.dll
2014-03-24 22:14 . 2011-02-24 05:32    288256    ----a-w-    c:\windows\SysWow64\XpsGdiConverter.dll
2014-03-24 22:14 . 2012-04-26 05:28    9216    ----a-w-    c:\windows\system32\rdrmemptylst.exe
2014-03-24 22:14 . 2011-04-22 20:18    27008    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-03-24 22:14 . 2012-04-26 05:34    76288    ----a-w-    c:\windows\system32\rdpwsx.dll
2014-03-24 22:14 . 2012-04-26 05:34    149504    ----a-w-    c:\windows\system32\rdpcorekmts.dll
2014-03-24 22:14 . 2012-11-02 05:27    478208    ----a-w-    c:\windows\system32\dpnet.dll
2014-03-24 22:14 . 2012-11-02 04:48    376832    ----a-w-    c:\windows\SysWow64\dpnet.dll
2014-03-24 22:14 . 2011-06-16 05:31    199680    ----a-w-    c:\windows\system32\xmllite.dll
2014-03-24 22:13 . 2012-04-28 03:50    204800    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2014-03-24 22:10 . 2013-03-19 06:19    5497688    ----a-w-    c:\windows\system32\ntoskrnl.exe
2014-03-24 22:10 . 2013-03-19 05:06    3958120    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2014-03-24 22:10 . 2013-03-19 05:06    3902312    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2014-03-24 22:10 . 2013-03-19 05:54    43520    ----a-w-    c:\windows\system32\csrsrv.dll
2014-03-24 22:10 . 2013-03-19 04:53    6656    ----a-w-    c:\windows\SysWow64\apisetschema.dll
2014-03-24 22:10 . 2013-03-19 03:19    112640    ----a-w-    c:\windows\system32\smss.exe
2014-03-24 22:10 . 2011-10-15 06:25    723456    ----a-w-    c:\windows\system32\EncDec.dll
2014-03-24 22:10 . 2011-10-15 05:48    534528    ----a-w-    c:\windows\SysWow64\EncDec.dll
2014-03-24 22:10 . 2011-08-27 05:40    861184    ----a-w-    c:\windows\system32\oleaut32.dll
2014-03-24 22:10 . 2011-08-27 05:40    331776    ----a-w-    c:\windows\system32\oleacc.dll
2014-03-24 22:10 . 2011-08-27 04:43    571904    ----a-w-    c:\windows\SysWow64\oleaut32.dll
2014-03-24 22:10 . 2011-08-27 04:43    233472    ----a-w-    c:\windows\SysWow64\oleacc.dll
2014-03-24 22:04 . 2011-11-17 07:14    1739160    ----a-w-    c:\windows\system32\ntdll.dll
2014-03-24 22:04 . 2011-11-17 05:41    1292592    ----a-w-    c:\windows\SysWow64\ntdll.dll
2014-03-24 22:02 . 2012-06-02 05:25    182272    ----a-w-    c:\windows\system32\cryptsvc.dll
2014-03-24 22:02 . 2012-06-02 05:25    1462784    ----a-w-    c:\windows\system32\crypt32.dll
2014-03-24 22:02 . 2012-06-02 05:25    140288    ----a-w-    c:\windows\system32\cryptnet.dll
2014-03-24 22:02 . 2012-06-02 04:45    139264    ----a-w-    c:\windows\SysWow64\cryptsvc.dll
2014-03-24 22:02 . 2012-06-02 04:45    1157632    ----a-w-    c:\windows\SysWow64\crypt32.dll
2014-03-24 22:02 . 2012-06-02 04:45    103936    ----a-w-    c:\windows\SysWow64\cryptnet.dll
2014-03-24 22:01 . 2011-11-19 15:07    77312    ----a-w-    c:\windows\system32\packager.dll
2014-03-24 22:01 . 2011-11-19 14:06    67072    ----a-w-    c:\windows\SysWow64\packager.dll
2014-03-24 22:00 . 2012-02-15 06:27    1031680    ----a-w-    c:\windows\system32\rdpcore.dll
2014-03-24 22:00 . 2012-02-15 05:44    826368    ----a-w-    c:\windows\SysWow64\rdpcore.dll
2014-03-24 22:00 . 2012-02-15 04:46    23552    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2014-03-24 21:56 . 2012-06-02 22:19    2428952    ----a-w-    c:\windows\system32\wuaueng.dll
2014-03-24 21:56 . 2012-06-02 22:19    57880    ----a-w-    c:\windows\system32\wuauclt.exe
2014-03-24 21:56 . 2012-06-02 22:19    44056    ----a-w-    c:\windows\system32\wups2.dll
2014-03-24 21:56 . 2012-06-02 22:15    2622464    ----a-w-    c:\windows\system32\wucltux.dll
2014-03-24 21:56 . 2012-06-02 22:19    38424    ----a-w-    c:\windows\system32\wups.dll
2014-03-24 21:56 . 2012-06-02 22:19    701976    ----a-w-    c:\windows\system32\wuapi.dll
2014-03-24 21:56 . 2012-06-02 22:15    99840    ----a-w-    c:\windows\system32\wudriver.dll
2014-03-24 21:56 . 2012-06-02 20:19    186752    ----a-w-    c:\windows\system32\wuwebv.dll
2014-03-24 21:56 . 2012-06-02 20:15    36864    ----a-w-    c:\windows\system32\wuapp.exe
2014-03-24 21:53 . 2014-03-24 21:53    --------    d-----w-    c:\program files (x86)\Mozilla Maintenance Service
2014-03-24 21:49 . 2014-03-24 21:49    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2014-03-24 21:45 . 2014-03-24 21:45    --------    d-----w-    c:\program files\HitmanPro
2014-03-24 21:44 . 2014-03-24 21:50    --------    d-----w-    c:\programdata\HitmanPro
2014-03-24 21:27 . 2009-07-14 01:41    101376    ----a-w-    c:\windows\system32\Spool\prtprocs\x64\HPZPPWN7.DLL
2014-03-24 21:15 . 2014-03-24 21:15    --------    d-----w-    c:\programdata\Malwarebytes
2014-03-24 21:14 . 2014-03-24 21:15    --------    d-----w-    c:\program files (x86)\Malwarebytes' Anti-Malware
2014-03-24 21:14 . 2013-04-04 19:50    25928    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-24 21:10 . 2014-03-24 21:10    --------    d-----w-    c:\programdata\DigitalPersona
2014-03-24 20:11 . 2014-03-24 20:11    79672    ----a-w-    c:\windows\system32\drivers\aswstm.sys
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    131248    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    131248    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    131248    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"QLBController"="c:\program files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe" [2011-01-28 299576]
"File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-02-07 12274688]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-01-26 283160]
"HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-02-15 94264]
"HPQuickWebProxy"="c:\program files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [2011-02-11 76344]
"IFXSPMGT"="c:\program files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" [2011-01-20 1125728]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-03-24 3764024]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
.
c:\users\Bob Fortson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-3-26 32667896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2011-02-03 23:09    75360    ----a-w-    c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ       DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [x]
R3 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys;c:\windows\SYSNATIVE\DRIVERS\DAMDrv64.sys [x]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe;c:\windows\SysWOW64\flcdlock.exe [x]
R3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [x]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 MfeEpePc;MfeEpePc; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys;c:\windows\SYSNATIVE\drivers\psd.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [x]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe;c:\program files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]
S2 hpHotkeyMonitor;hpHotkeyMonitor;c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe;c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe;c:\program files (x86)\PDF Complete\pdfsvc.exe [x]
S2 PdiService;Portrait Displays SDK Service;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [x]
S2 uArcCapture;ArcCapture;c:\windows\SysWow64\ArcVCapRender\uArcCapture.exe;c:\windows\SysWow64\ArcVCapRender\uArcCapture.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe;c:\windows\SYSNATIVE\vcsFPService.exe [x]
S3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;c:\windows\system32\DRIVERS\ArcSoftVCapture.sys;c:\windows\SYSNATIVE\DRIVERS\ArcSoftVCapture.sys [x]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
S3 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys;c:\windows\SYSNATIVE\DRIVERS\johci.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 18:36    451872    ----a-w-    c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-26 14:07    1150280    ----a-w-    c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-25 16:59]
.
2014-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-03-26 14:05]
.
2014-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-03-26 14:05]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-03-24 20:11    287280    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    164016    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    164016    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    164016    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    164016    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-01-27 13880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-07 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-07 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-07 418328]
"Broadcom Wireless Manager UI"="c:\program files\Broadcom\Broadcom 802.11\WLTRAY.exe" [2014-03-24 5398528]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-27 835072]
"MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-02-09 200704]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
.
------- Supplementary Scan -------
.

uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Bob Fortson\AppData\Roaming\Mozilla\Firefox\Profiles\jzer176s.default\
FF - prefs.js: browser.startup.homepage - hxxp://k2b-bulk.ebay.com/ws/eBayISAPI.dll?SalesRecordConsole&currentpage=SCSold&ssPageName=STRK:ME:LNLK|https://sellercentral.amazon.com/gp/orders-v2/list/ref=ag_myo_dnav_home_|https://www.creektree.net/CTnimda18/login.php?camefrom=orders.php&oID=13070&action=edit&zenAdminID=7f9b01fff0cc66dd5eab621a5e53d8f7|http://www.wizardswhimsy.com/WWnimda18/login.php?zenAdminID=c52e835f05573b5f4eb5c275935fbaf2|https://www.creektree.net/faeryswhimsy/FWnimda18/login.php?camefrom=index.php&zenAdminID=2f828848df19f09e3ef14753d22c38f5|http://www.gothic-shadows.com/GSnimda18/login.php?zenAdminID=1f0d759ea2bb0269229a003b37172103|https://server12.camelot-hosting.com:2096/cpsess4705782290/3rdparty/roundcube/?_task=mail|https://service.ringcentral.com/
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-RUNFBI - c:\system.sav\fbi\FBISM.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Hyper Browser - c:\users\BOBFOR~1\AppData\Local\HYPERB~1\uninstall.exe
AddRemove-{E02FBF01-0DE3-4BCB-89E8-D300FEFC3289} - c:\program files (x86)\InstallShield Installation Information\{E02FBF01-0DE3-4BCB-89E8-D300FEFC3289}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.12"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Hewlett-Packard\Embedded Security Software\ifxtcs.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files (x86)\Hewlett-Packard\Embedded Security Software\IfxPsdSv.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\Dropbox.exe
c:\program files (x86)\Hewlett-Packard\Embedded Security Software\PSDrt.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2014-03-27  07:31:12 - machine was rebooted
ComboFix-quarantined-files.txt  2014-03-27 12:31
.
Pre-Run: 207,779,332,096 bytes free
Post-Run: 209,706,594,304 bytes free
.
- - End Of File - - EDA590F4D3F8A32D84DC370CA385AFA8

We did not get the error message you mentioned.


Bob


Combofix scripting

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is saved to.


CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

CFScript.txt


Hello, Marius ... results on this run are:

ComboFix 14-03-24.01 - Bob Fortson 03/27/2014   8:03.2.4 - x64
Microsoft Windows 7 Professional   6.1.7600.0.1252.1.1033.18.4030.2387 [GMT -5:00]
Running from: c:\users\Bob Fortson\_Documents\_DMZ\Malwarebytes-addons\ComboFix\ComboFix.exe
Command switches used :: c:\users\Bob Fortson\_Documents\_DMZ\Malwarebytes-addons\ComboFix\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-02-27 to 2014-03-27  )))))))))))))))))))))))))))))))
.
.
2014-03-27 13:09 . 2014-03-27 13:09    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-03-27 12:35 . 2014-03-27 12:35    43152    ----a-w-    c:\windows\avastSS.scr
2014-03-26 21:13 . 2014-03-26 21:13    --------    d-----w-    c:\program files\Microsoft Games
2014-03-26 18:40 . 2014-03-26 18:40    --------    d-----w-    c:\windows\system32\appmgmt
2014-03-26 18:17 . 2014-03-26 18:20    --------    d-----w-    C:\wamp
2014-03-26 16:12 . 2007-05-22 10:00    82944    ----a-w-    c:\windows\system32\Spool\prtprocs\x64\CNMPP95.DLL
2014-03-26 16:12 . 2007-05-22 10:00    27648    ----a-w-    c:\windows\system32\Spool\prtprocs\x64\CNMPD95.DLL
2014-03-26 16:12 . 2007-05-22 10:00    258560    ----a-w-    c:\windows\system32\CNMLM95.DLL
2014-03-26 16:12 . 2007-04-27 16:08    247296    ----a-w-    c:\windows\system32\CNC700L.DLL
2014-03-26 16:12 . 2007-03-23 21:33    1439744    ----a-w-    c:\windows\system32\CNC700C.DLL
2014-03-26 16:12 . 2007-03-23 21:32    92672    ----a-w-    c:\windows\system32\CNC700I.DLL
2014-03-26 16:12 . 2007-03-15 19:13    229888    ----a-w-    c:\windows\system32\CNC700O.DLL
2014-03-26 16:12 . 2007-05-21 19:40    183296    ----a-w-    c:\windows\system32\CNCF2Le.DLL
2014-03-26 16:12 . 2007-05-21 19:35    143360    ----a-w-    c:\windows\system32\CNCFMSe.EXE
2014-03-26 16:12 . 2007-05-21 19:32    3584    ----a-w-    c:\windows\system32\CNCFLeUS.DLL
2014-03-26 16:12 . 2007-05-21 19:32    3072    ----a-w-    c:\windows\system32\CNCFLeJP.DLL
2014-03-26 14:23 . 2014-03-26 14:23    --------    d-----w-    c:\programdata\Canon IJ Network Tool
2014-03-26 14:23 . 2014-03-26 14:23    --------    d-----w-    c:\program files (x86)\Canon
2014-03-26 14:23 . 2011-01-06 18:07    102400    ----a-w-    c:\windows\SysWow64\CNC870U.dll
2014-03-26 14:23 . 2009-10-19 21:29    307200    ----a-w-    c:\windows\SysWow64\CNC870L.dll
2014-03-26 14:23 . 2008-08-25 23:02    15872    ----a-w-    c:\windows\SysWow64\CNHMCA.dll
2014-03-26 14:21 . 2014-03-26 14:21    --------    d--h--w-    c:\program files\CanonBJ
2014-03-26 14:18 . 2014-03-26 14:18    --------    d-----w-    c:\program files (x86)\FastStone Capture
2014-03-26 14:05 . 2014-03-26 14:07    --------    d-----w-    c:\program files (x86)\Google
2014-03-26 09:18 . 2014-03-26 09:18    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{CA8D3F12-A9CC-4784-8069-360D129B0D2B}\offreg.dll
2014-03-25 16:14 . 2014-03-25 16:59    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-03-25 16:14 . 2014-03-25 16:59    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-03-25 16:14 . 2014-03-25 16:14    --------    d-----w-    c:\windows\system32\Macromed
2014-03-25 15:26 . 2014-03-25 15:26    --------    d-----w-    c:\program files (x86)\Common Files\L&H
2014-03-25 15:26 . 2014-03-25 15:26    --------    d-----w-    c:\program files (x86)\Microsoft ActiveSync
2014-03-25 15:25 . 2014-03-25 15:25    --------    d-----w-    c:\program files (x86)\Microsoft Works
2014-03-25 15:21 . 2014-03-25 15:21    --------    d-----w-    c:\windows\PCHEALTH
2014-03-25 15:18 . 2014-03-25 15:18    --------    d-----r-    C:\MSOCache
2014-03-25 15:05 . 2014-03-25 15:05    --------    d-----w-    c:\program files (x86)\zabkat
2014-03-25 12:45 . 2014-03-25 12:46    --------    d-----w-    c:\program files\Microsoft Mouse and Keyboard Center
2014-03-25 12:39 . 2014-03-25 12:39    --------    d-----w-    c:\program files (x86)\MSXML 4.0
2014-03-25 12:39 . 2014-03-25 12:39    --------    d-----w-    c:\windows\SysWow64\Wat
2014-03-25 12:39 . 2014-03-25 12:39    --------    d-----w-    c:\windows\system32\Wat
2014-03-24 23:47 . 2014-03-24 23:49    --------    d-----w-    c:\windows\system32\MRT
2014-03-24 23:45 . 2010-09-14 06:45    367104    ----a-w-    c:\windows\system32\wcncsvc.dll
2014-03-24 23:45 . 2010-09-14 06:07    276992    ----a-w-    c:\windows\SysWow64\wcncsvc.dll
2014-03-24 23:15 . 2012-07-26 04:55    785512    ----a-w-    c:\windows\system32\drivers\Wdf01000.sys
2014-03-24 23:15 . 2012-07-26 04:55    54376    ----a-w-    c:\windows\system32\drivers\WdfLdr.sys
2014-03-24 23:15 . 2012-07-26 04:47    2560    ----a-w-    c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2014-03-24 23:15 . 2012-07-26 02:36    9728    ----a-w-    c:\windows\system32\Wdfres.dll
2014-03-24 22:40 . 2012-12-16 16:52    46080    ----a-w-    c:\windows\system32\atmlib.dll
2014-03-24 22:40 . 2012-12-16 14:40    367616    ----a-w-    c:\windows\system32\atmfd.dll
2014-03-24 22:40 . 2012-12-16 14:25    295424    ----a-w-    c:\windows\SysWow64\atmfd.dll
2014-03-24 22:40 . 2012-12-16 14:25    34304    ----a-w-    c:\windows\SysWow64\atmlib.dll
2014-03-24 22:39 . 2012-07-26 02:26    87040    ----a-w-    c:\windows\system32\drivers\WUDFPf.sys
2014-03-24 22:39 . 2012-07-26 02:26    198656    ----a-w-    c:\windows\system32\drivers\WUDFRd.sys
2014-03-24 22:39 . 2012-07-26 03:08    84992    ----a-w-    c:\windows\system32\WUDFSvc.dll
2014-03-24 22:39 . 2012-07-26 03:08    194048    ----a-w-    c:\windows\system32\WUDFPlatform.dll
2014-03-24 22:39 . 2012-07-26 03:08    229888    ----a-w-    c:\windows\system32\WUDFHost.exe
2014-03-24 22:39 . 2012-07-26 03:08    744448    ----a-w-    c:\windows\system32\WUDFx.dll
2014-03-24 22:39 . 2012-07-26 03:08    45056    ----a-w-    c:\windows\system32\WUDFCoinstaller.dll
2014-03-24 22:34 . 2014-03-25 17:22    --------    d-----w-    c:\windows\rescache
2014-03-24 22:32 . 2014-03-24 22:32    --------    d-----w-    c:\program files\Common Files\Intel
2014-03-24 22:32 . 2014-03-24 22:32    --------    d-----w-    c:\program files (x86)\Common Files\Intel
2014-03-24 22:28 . 2012-03-01 06:54    22896    ----a-w-    c:\windows\system32\drivers\fs_rec.sys
2014-03-24 22:28 . 2012-03-01 06:40    80896    ----a-w-    c:\windows\system32\imagehlp.dll
2014-03-24 22:28 . 2012-03-01 06:35    5120    ----a-w-    c:\windows\system32\wmi.dll
2014-03-24 22:28 . 2012-03-01 05:45    158720    ----a-w-    c:\windows\SysWow64\imagehlp.dll
2014-03-24 22:28 . 2012-03-01 05:40    5120    ----a-w-    c:\windows\SysWow64\wmi.dll
2014-03-24 22:24 . 2011-02-08 17:26    26712    ----a-w-    c:\windows\system32\drivers\johci.sys
2014-03-24 22:24 . 2011-01-30 19:04    174168    ----a-w-    c:\windows\system32\drivers\jmcr.sys
2014-03-24 22:24 . 2010-07-26 13:08    203352    ----a-w-    c:\windows\SysWow64\jmcricon.dll
2014-03-24 22:24 . 2010-07-26 13:08    203352    ----a-w-    c:\windows\system32\jmcricon.dll
2014-03-24 22:18 . 2012-11-09 05:34    2048    ----a-w-    c:\windows\system32\tzres.dll
2014-03-24 22:18 . 2012-11-09 04:49    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2014-03-24 22:16 . 2013-03-01 03:32    3150848    ----a-w-    c:\windows\system32\win32k.sys
2014-03-24 22:15 . 2013-01-04 02:48    2048    ----a-w-    c:\windows\SysWow64\user.exe
2014-03-24 22:14 . 2011-02-24 06:30    476160    ----a-w-    c:\windows\system32\XpsGdiConverter.dll
2014-03-24 22:14 . 2011-02-24 05:32    288256    ----a-w-    c:\windows\SysWow64\XpsGdiConverter.dll
2014-03-24 22:14 . 2012-04-26 05:28    9216    ----a-w-    c:\windows\system32\rdrmemptylst.exe
2014-03-24 22:14 . 2011-04-22 20:18    27008    ----a-w-    c:\windows\system32\drivers\Diskdump.sys
2014-03-24 22:14 . 2012-04-26 05:34    76288    ----a-w-    c:\windows\system32\rdpwsx.dll
2014-03-24 22:14 . 2012-04-26 05:34    149504    ----a-w-    c:\windows\system32\rdpcorekmts.dll
2014-03-24 22:14 . 2012-11-02 05:27    478208    ----a-w-    c:\windows\system32\dpnet.dll
2014-03-24 22:14 . 2012-11-02 04:48    376832    ----a-w-    c:\windows\SysWow64\dpnet.dll
2014-03-24 22:14 . 2011-06-16 05:31    199680    ----a-w-    c:\windows\system32\xmllite.dll
2014-03-24 22:13 . 2012-04-28 03:50    204800    ----a-w-    c:\windows\system32\drivers\rdpwd.sys
2014-03-24 22:10 . 2013-03-19 06:19    5497688    ----a-w-    c:\windows\system32\ntoskrnl.exe
2014-03-24 22:10 . 2013-03-19 05:06    3958120    ----a-w-    c:\windows\SysWow64\ntkrnlpa.exe
2014-03-24 22:10 . 2013-03-19 05:06    3902312    ----a-w-    c:\windows\SysWow64\ntoskrnl.exe
2014-03-24 22:10 . 2013-03-19 05:54    43520    ----a-w-    c:\windows\system32\csrsrv.dll
2014-03-24 22:10 . 2013-03-19 04:53    6656    ----a-w-    c:\windows\SysWow64\apisetschema.dll
2014-03-24 22:10 . 2013-03-19 03:19    112640    ----a-w-    c:\windows\system32\smss.exe
2014-03-24 22:10 . 2011-10-15 06:25    723456    ----a-w-    c:\windows\system32\EncDec.dll
2014-03-24 22:10 . 2011-10-15 05:48    534528    ----a-w-    c:\windows\SysWow64\EncDec.dll
2014-03-24 22:10 . 2011-08-27 05:40    861184    ----a-w-    c:\windows\system32\oleaut32.dll
2014-03-24 22:10 . 2011-08-27 05:40    331776    ----a-w-    c:\windows\system32\oleacc.dll
2014-03-24 22:10 . 2011-08-27 04:43    571904    ----a-w-    c:\windows\SysWow64\oleaut32.dll
2014-03-24 22:10 . 2011-08-27 04:43    233472    ----a-w-    c:\windows\SysWow64\oleacc.dll
2014-03-24 22:04 . 2011-11-17 07:14    1739160    ----a-w-    c:\windows\system32\ntdll.dll
2014-03-24 22:04 . 2011-11-17 05:41    1292592    ----a-w-    c:\windows\SysWow64\ntdll.dll
2014-03-24 22:02 . 2012-06-02 05:25    182272    ----a-w-    c:\windows\system32\cryptsvc.dll
2014-03-24 22:02 . 2012-06-02 05:25    1462784    ----a-w-    c:\windows\system32\crypt32.dll
2014-03-24 22:02 . 2012-06-02 05:25    140288    ----a-w-    c:\windows\system32\cryptnet.dll
2014-03-24 22:02 . 2012-06-02 04:45    139264    ----a-w-    c:\windows\SysWow64\cryptsvc.dll
2014-03-24 22:02 . 2012-06-02 04:45    1157632    ----a-w-    c:\windows\SysWow64\crypt32.dll
2014-03-24 22:02 . 2012-06-02 04:45    103936    ----a-w-    c:\windows\SysWow64\cryptnet.dll
2014-03-24 22:01 . 2011-11-19 15:07    77312    ----a-w-    c:\windows\system32\packager.dll
2014-03-24 22:01 . 2011-11-19 14:06    67072    ----a-w-    c:\windows\SysWow64\packager.dll
2014-03-24 22:00 . 2012-02-15 06:27    1031680    ----a-w-    c:\windows\system32\rdpcore.dll
2014-03-24 22:00 . 2012-02-15 05:44    826368    ----a-w-    c:\windows\SysWow64\rdpcore.dll
2014-03-24 22:00 . 2012-02-15 04:46    23552    ----a-w-    c:\windows\system32\drivers\tdtcp.sys
2014-03-24 21:56 . 2012-06-02 22:19    2428952    ----a-w-    c:\windows\system32\wuaueng.dll
2014-03-24 21:56 . 2012-06-02 22:19    57880    ----a-w-    c:\windows\system32\wuauclt.exe
2014-03-24 21:56 . 2012-06-02 22:19    44056    ----a-w-    c:\windows\system32\wups2.dll
2014-03-24 21:56 . 2012-06-02 22:15    2622464    ----a-w-    c:\windows\system32\wucltux.dll
2014-03-24 21:56 . 2012-06-02 22:19    38424    ----a-w-    c:\windows\system32\wups.dll
2014-03-24 21:56 . 2012-06-02 22:19    701976    ----a-w-    c:\windows\system32\wuapi.dll
2014-03-24 21:56 . 2012-06-02 22:15    99840    ----a-w-    c:\windows\system32\wudriver.dll
2014-03-24 21:56 . 2012-06-02 20:19    186752    ----a-w-    c:\windows\system32\wuwebv.dll
2014-03-24 21:56 . 2012-06-02 20:15    36864    ----a-w-    c:\windows\system32\wuapp.exe
2014-03-24 21:53 . 2014-03-24 21:53    --------    d-----w-    c:\program files (x86)\Mozilla Maintenance Service
2014-03-24 21:49 . 2014-03-24 21:49    12872    ----a-w-    c:\windows\system32\bootdelete.exe
2014-03-24 21:45 . 2014-03-24 21:45    --------    d-----w-    c:\program files\HitmanPro
2014-03-24 21:44 . 2014-03-24 21:50    --------    d-----w-    c:\programdata\HitmanPro
2014-03-24 21:27 . 2009-07-14 01:41    101376    ----a-w-    c:\windows\system32\Spool\prtprocs\x64\HPZPPWN7.DLL
2014-03-24 21:15 . 2014-03-24 21:15    --------    d-----w-    c:\programdata\Malwarebytes
2014-03-24 21:14 . 2014-03-24 21:15    --------    d-----w-    c:\program files (x86)\Malwarebytes' Anti-Malware
2014-03-24 21:14 . 2013-04-04 19:50    25928    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-24 21:10 . 2014-03-24 21:10    --------    d-----w-    c:\programdata\DigitalPersona
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\wamp ----
.
.
---- Directory of c:\windows\system32\appmgmt ----
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    131248    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    131248    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    131248    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2010-05-19 2736128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"QLBController"="c:\program files (x86)\Hewlett-Packard\HP HotKey Support\QLBController.exe" [2011-01-28 299576]
"File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2011-02-07 12274688]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-01-26 283160]
"HPConnectionManager"="c:\program files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe" [2011-02-15 94264]
"HPQuickWebProxy"="c:\program files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [2011-02-11 76344]
"IFXSPMGT"="c:\program files (x86)\Hewlett-Packard\Embedded Security Software\ifxspmgt.exe" [2011-01-20 1125728]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-03-27 3854640]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
.
c:\users\Bob Fortson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-3-26 32667896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2011-02-03 23:09    75360    ----a-w-    c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ       DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys;c:\windows\SYSNATIVE\DRIVERS\DAMDrv64.sys [x]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe;c:\windows\SysWOW64\flcdlock.exe [x]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 MfeEpePc;MfeEpePc; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys;c:\windows\SYSNATIVE\drivers\psd.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [x]
S2 HPAuto;HP Auto;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe;c:\program files\Hewlett-Packard\HP Auto\HPAuto.exe [x]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe;c:\program files\Hewlett-Packard\HP DayStarter\32-bit\HPDayStarterService.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]
S2 hpHotkeyMonitor;hpHotkeyMonitor;c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe;c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\HpHotkeyMonitor.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe;c:\program files (x86)\Intel\Services\IPT\jhi_service.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe;c:\program files (x86)\PDF Complete\pdfsvc.exe [x]
S2 PdiService;Portrait Displays SDK Service;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [x]
S2 uArcCapture;ArcCapture;c:\windows\SysWow64\ArcVCapRender\uArcCapture.exe;c:\windows\SysWow64\ArcVCapRender\uArcCapture.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe;c:\windows\SYSNATIVE\vcsFPService.exe [x]
S3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;c:\windows\system32\DRIVERS\ArcSoftVCapture.sys;c:\windows\SYSNATIVE\DRIVERS\ArcSoftVCapture.sys [x]
S3 HP ProtectTools Service;HP ProtectTools Service;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe;c:\program files (x86)\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [x]
S3 hpCMSrv;HP Connection Manager 4.0 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
S3 johci;JMicron 1394 Filter Driver;c:\windows\system32\DRIVERS\johci.sys;c:\windows\SYSNATIVE\DRIVERS\johci.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-05-19 18:36    451872    ----a-w-    c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-26 14:07    1150280    ----a-w-    c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-03-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-25 16:59]
.
2014-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-03-26 14:05]
.
2014-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-03-26 14:05]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-03-27 12:35    290888    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    164016    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    164016    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    164016    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-11 02:09    164016    ----a-w-    c:\users\Bob Fortson\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-01-27 13880]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-07 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-07 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-07 418328]
"Broadcom Wireless Manager UI"="c:\program files\Broadcom\Broadcom 802.11\WLTRAY.exe" [2014-03-24 5398528]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-01-27 835072]
"MfeEpePcMonitor"="c:\program files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe" [2011-02-09 200704]
"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [bU]
.
------- Supplementary Scan -------
.

uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Bob Fortson\AppData\Roaming\Mozilla\Firefox\Profiles\jzer176s.default\
FF - prefs.js: browser.startup.homepage - hxxp://k2b-bulk.ebay.com/ws/eBayISAPI.dll?SalesRecordConsole&currentpage=SCSold&ssPageName=STRK:ME:LNLK|https://sellercentral.amazon.com/gp/orders-v2/list/ref=ag_myo_dnav_home_|https://www.creektree.net/CTnimda18/login.php?camefrom=orders.php&oID=13070&action=edit&zenAdminID=7f9b01fff0cc66dd5eab621a5e53d8f7|http://www.wizardswhimsy.com/WWnimda18/login.php?zenAdminID=c52e835f05573b5f4eb5c275935fbaf2|https://www.creektree.net/faeryswhimsy/FWnimda18/login.php?camefrom=index.php&zenAdminID=2f828848df19f09e3ef14753d22c38f5|http://www.gothic-shadows.com/GSnimda18/login.php?zenAdminID=1f0d759ea2bb0269229a003b37172103|https://server12.camelot-hosting.com:2096/cpsess4705782290/3rdparty/roundcube/?_task=mail|https://service.ringcentral.com/
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
AddRemove-Hyper Browser - c:\users\BOBFOR~1\AppData\Local\HYPERB~1\uninstall.exe
AddRemove-{E02FBF01-0DE3-4BCB-89E8-D300FEFC3289} - c:\program files (x86)\InstallShield Installation Information\{E02FBF01-0DE3-4BCB-89E8-D300FEFC3289}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_77_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.12"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_77.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-03-27  08:13:05
ComboFix-quarantined-files.txt  2014-03-27 13:13
ComboFix2.txt  2014-03-27 12:31
.
Pre-Run: 209,678,749,696 bytes free
Post-Run: 208,761,950,208 bytes free
.
- - End Of File - - 34C295C79A1197A7E569BA739958DFC4
 

Bob


C:\wamp
c:\windows\system32\appmgmt

Delete these folders.


Full System Scan with Malwarebytes Antimalware


  • If not already installed, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

 

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Hello, Marius ... regardless of what ComboFix reported, the wamp folder is not empty. The Wampserver software is operational there, and the modules and data are working, though the versions in use are rather old. However, that was left in place as your instructions were followed.

 

The MBAM scan had 0 detections:

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.27.04

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Bob Fortson :: HP6460B-BHF [administrator]

Protection: Enabled

3/27/2014 10:18:03 AM
mbam-log-2014-03-27 (10-18-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235903
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

 

The ESET scan had multiple detections, the log follows. These were all in an archive (the _DMZ folder) of software installation modules, some of them quite old, some from this current OS recovery effort. If necessary, the items can be removed easily.

 

C:\Users\Bob Fortson\_Documents\_DMZ\Ad-Aware 2008\noadware-2009.exe    multiple threats
C:\Users\Bob Fortson\_Documents\_DMZ\Avast-Free-2014\avast-2014-free.exe    a variant of MSIL/Adware.Colooader.A application
C:\Users\Bob Fortson\_Documents\_DMZ\ColorCop-ColorPicker\7zip_installer_d6583311.exe    a variant of Win32/InstallIQ.A potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\CPU-Z\cpu-z_1.60.1-setup-en.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Bob Fortson\_Documents\_DMZ\Doom-PrBoom\cnet_prboom-plus-2_5_1_1-win32_zip.exe    a variant of Win32/InstallCore.D potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\Efficient Calendar Free\cbsidlm-tr1_14-Efficient_Calendar_Free-SEO-10920848.exe    Win32/DownloadAdmin.G potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\EZCards\ezcardsalloccasionsFree.exe    a variant of Win32/InstallIQ.A potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\FalcoGifAnimator\FalcoGIFAnimatorSetup.exe    a variant of Win32/Toolbar.Montiera.A potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\Filezilla\FileZilla_3.7.4.1_win32-setup.exe    a variant of Win32/InstallCore.LA potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\HxD-Hex-Editor\cnet_HxDSetupEN_zip.exe    a variant of Win32/InstallCore.D potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\ImgBurn\SetupImgBurn_2.5.5.0.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Bob Fortson\_Documents\_DMZ\PrimoPDF\InternationalPrimoPDF.exe    Win32/OpenCandy potentially unsafe application
C:\Users\Bob Fortson\_Documents\_DMZ\SpeedUpMyPC\speedupmypc.exe    Win32/SpeedUpMyPC potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\_Video\DVD Flick\Video_Converter_TSV31KODS.exe    a variant of Win32/Wajam.F potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\_Video\DVD-Shrink\DVDShrink_Setup.exe    a variant of Win32/InstallCore.ES potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\_Video\DVD-Styler\DVDStyler-2.6.1-win32.exe    Win32/Somoto.E potentially unwanted application
C:\Users\Bob Fortson\_Documents\_DMZ\_Video\ImgBurn\SetupImgBurn_2.5.8.0.exe    Win32/OpenCandy potentially unsafe application

 

Really appreciate your help on all this, and look forward to hearing from you.

 

Bob


The files ESET detected are not malware but contain security risks. I'd delete them immediately - your choice.

 

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[s1].txt also




Delete junk with JRT

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.





SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.

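Added note, not part of the thread: the installers ESET listed above are download-portal wrappers and vendor setups carrying bundled offers, which is why they are called security risks rather than malware. Before running anything kept in an archive like that, it helps to know exactly what each file is. The script below is an added example (not code from the thread, from ESET or from Malwarebytes) that walks a folder of installers and records each file's SHA-256 and Authenticode signer, so unsigned files, and files signed by a download portal rather than the software's vendor, stand out. Assumptions: PowerShell 2.0 or later on Windows 7; the folder path in the usage line and the names `Test-InstallerArchive` and `Get-FileSha256` are mine.

```powershell
# Added example, not from the thread or from any tool used in it:
# audit a folder of downloaded installers before running any of them.
# Assumes PowerShell 2.0+ on Windows 7 or later. The folder path is a placeholder.

function Get-FileSha256 {
    # Get-FileHash only exists from PowerShell 4.0, so hash via .NET directly.
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close(); $sha.Clear() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

function Test-InstallerArchive {
    param(
        [Parameter(Mandatory = $true)][string]$Folder,
        # Optional: file name -> SHA-256 published by the vendor, if you recorded it
        # when downloading. A mismatch means the file is not the one you think it is.
        [hashtable]$KnownHashes = @{}
    )
    Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.msi | ForEach-Object {
        $file = $_
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $hash = Get-FileSha256 -Path $file.FullName
        $signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $expected = $KnownHashes[$file.Name]

        # Order matters: a mismatch against a recorded hash beats a "valid" signature,
        # because a bundler can be validly signed, just by someone other than the vendor.
        $verdict = if ($expected -and ($expected -ne $hash)) { 'REVIEW: hash differs from recorded value' }
                   elseif ($sig.Status -ne 'Valid')           { "REVIEW: signature $($sig.Status)" }
                   else                                       { 'signed; confirm the signer is the vendor' }

        New-Object PSObject -Property @{
            File      = $file.FullName
            SizeBytes = $file.Length
            Sha256    = $hash
            Signer    = $signer
            Verdict   = $verdict
        }
    }
}

# Usage (folder path is a placeholder):
# Test-InstallerArchive -Folder "$env:USERPROFILE\_Documents\_DMZ" |
#     Sort-Object Verdict | Format-Table Verdict, Signer, File -AutoSize
```

A valid signature only tells you who packaged the file: a download-portal wrapper is signed by the portal (if at all), not by the software's author, so compare the Signer column with the vendor you expected. If you noted the vendor's published hash when you downloaded, pass it in `-KnownHashes` and a mismatch is flagged before the signature is even considered.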

Good morning, Marius ... results of the runs are:

 

 

AdwCleaner:

# AdwCleaner v3.022 - Report created 28/03/2014 at 06:23:22
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Professional  (64 bits)
# Username : Bob Fortson - HP6460B-BHF
# Running from : C:\Users\Bob Fortson\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Bob Fortson\AppData\Local\SearchProtect

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKLM\Software\SearchProtect

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16540


-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Bob Fortson\AppData\Roaming\Mozilla\Firefox\Profiles\jzer176s.default\prefs.js ]


-\\ Google Chrome v33.0.1750.154

[ File : C:\Users\Bob Fortson\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1984 octets] - [28/03/2014 06:17:49]
AdwCleaner[s0].txt - [1687 octets] - [28/03/2014 06:23:22]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [1747 octets] ##########
 

 

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.3 (03.23.2014:1)
OS: Windows 7 Professional x64
Ran by Bob Fortson on Fri 03/28/2014 at  6:35:24.14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 03/28/2014 at  6:43:39.96
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 

Security Check:

 Results of screen317's Security Check version 0.99.81  
 Windows 7  x64 (UAC is enabled)  
 Out of date service pack!!
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Adobe Flash Player 12.0.0.77  
 Mozilla Firefox (28.0)
 Google Chrome 33.0.1750.154  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
 

 

A few questions, please ...

Can you tell if the issue was actually part of the Win 7 recovery file or it snuck in after the OS was recovered?

How much of the software you had me run is safe to run independently, as a precautionary effort?

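Added note, not part of the thread: SecurityCheck's "Out of date service pack!!" line above is the most important finding in that log. The function below is an added example (not from SecurityCheck or any other tool used in the thread) that reads the same facts directly: OS version and service pack level (Windows 7 SP1 reports version 6.1.7601), whether Automatic Updates is actually set to install rather than only notify, with a policy setting taking precedence over the Control Panel one, and the most recently installed hotfixes. Assumptions: Windows 7 with PowerShell 2.0 or later; `Get-UpdatePosture` is my name.

```powershell
# Added example, not from the thread or from any tool used in it:
# read the Windows patch posture behind a "service pack out of date" finding.
# Assumes Windows 7 with PowerShell 2.0+ (Windows 7 SP1 reports 6.1.7601).

function Get-UpdatePosture {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # AUOptions: 1 = never check, 2 = check only, 3 = download only,
    # 4 = download and install. A value under HKLM\SOFTWARE\Policies (Group
    # Policy or a local policy) overrides the Control Panel setting, so it is
    # read first; NoAutoUpdate=1 there disables updates regardless of AUOptions.
    $policyAU = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $localAU  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue

    if     ($policyAU -and $policyAU.NoAutoUpdate -eq 1) { $mode = 1;                   $source = 'policy' }
    elseif ($policyAU -and $policyAU.AUOptions)          { $mode = $policyAU.AUOptions; $source = 'policy' }
    elseif ($localAU  -and $localAU.AUOptions)           { $mode = $localAU.AUOptions;  $source = 'control panel' }
    else                                                 { $mode = $null;               $source = 'not set' }

    # InstalledOn is a locale-formatted string on Windows 7, so parse it for
    # sorting and drop entries that carry no usable date.
    $hotfixes = Get-WmiObject -Class Win32_QuickFixEngineering |
        ForEach-Object {
            $when = $null
            try { $when = [datetime]::Parse($_.InstalledOn) } catch { }
            if ($when) { New-Object PSObject -Property @{ Id = $_.HotFixID; InstalledOn = $when } }
        } |
        Sort-Object InstalledOn -Descending | Select-Object -First 5

    New-Object PSObject -Property @{
        OSVersion             = $os.Version
        ServicePack           = $os.ServicePackMajorVersion
        AutoUpdateMode        = $mode
        AutoUpdateSource      = $source
        InstallsAutomatically = ($mode -eq 4)
        LatestHotfixes        = @($hotfixes | ForEach-Object { "$($_.Id) $($_.InstalledOn.ToShortDateString())" })
    }
}

Get-UpdatePosture | Format-List
```

InstallsAutomatically false with ServicePack 0 on a Windows 7 machine is exactly the state the log above describes; a recovery image restores the release build, so the service pack and every update since it have to be reapplied before the machine is back on the internet for long.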

There was no real malware on your system, just some adware that wanted to connect to its home, which was blocked by Malwarebytes! ;)

I'll tell you at the end of this topic what you can do to protect yourself.

 

 

Your system is clean now! :)

 

 

 

Windows 7 out of date

Your Microsoft Windows installation is out of date. Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure. Out-of-date Windows installations represent a risk to your system and are also a conduit for the spread of malware. You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP1) can be obtained directly from Microsoft here.

 

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  1. In case we used Defogger to turn off your CD emulation software: you can start it again and use the Enable button.
  2. In case we used ComboFix: deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that ComboFix has been removed.
  3. In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
    • If there is still something left, please delete it manually.

 

 

 

 

Recommendations: How to protect yourself

  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a web site classified as dangerous, a warning screen is displayed.
  • Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated Windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:
  • Backup
    Hardware issues, malware, fire, lightning strike: there is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80cm in front of the monitor. This is a common joke among IT support technicians, but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today's setup procedures contain potentially unwanted programs, so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.



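Added note, not part of the thread: the alert that started this topic named a process and a remote address, and the conclusion above is that adware was trying to call home. The process name in such an alert is whatever the running image reported, so the practical check is to find the owning PID and look at where its image lives and who signed it. The script below is an added example (not from Malwarebytes or avast) that parses `netstat -ano`, keeps the rows for a given remote address and resolves each PID to its image path and Authenticode signer. Assumptions: Windows 7 or later with PowerShell 2.0+, run elevated so every PID is visible; the sample lines and the 203.0.113.10 address are constructed placeholders, not data from the poster's machine; `ConvertFrom-NetstatLine` and `Get-ConnectionOwner` are my names.

```powershell
# Added example, not from the thread or from any tool used in it.
# Given the remote address from a "blocked connection" alert, find the local
# process that owns the connection and check its image path and signer.
# Assumes Windows 7+ with PowerShell 2.0+, run elevated so netstat -o can
# report every PID. The sample below is constructed; 203.0.113.10 is a
# documentation address standing in for the blocked host.

function ConvertFrom-NetstatLine {
    # Parse one line of `netstat -ano`. Returns $null for header/blank lines.
    # Handles TCP rows (with state), UDP rows (no state) and [IPv6] endpoints.
    param([Parameter(Mandatory = $true)][string]$Line)
    $pattern = '^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$'
    if ($Line -notmatch $pattern) { return $null }
    New-Object PSObject -Property @{
        Protocol      = $Matches[1]
        LocalAddress  = $Matches[2].Trim('[', ']')
        LocalPort     = $Matches[3]
        RemoteAddress = $Matches[4].Trim('[', ']')
        RemotePort    = $Matches[5]
        State         = $Matches[6]
        ProcessId     = [int]$Matches[7]
    }
}

function Get-ConnectionOwner {
    param(
        [Parameter(Mandatory = $true)][string]$RemoteAddress,
        # Defaults to the live table; pass saved lines to analyse an earlier capture.
        [string[]]$NetstatLines = (netstat -ano)
    )
    foreach ($line in $NetstatLines) {
        $conn = ConvertFrom-NetstatLine -Line $line
        if (-not $conn -or $conn.RemoteAddress -ne $RemoteAddress) { continue }

        # The PID may already be gone (a blocked SYN is short-lived), and Path is
        # unreadable for protected processes, so both lookups are best-effort.
        $proc = Get-Process -Id $conn.ProcessId -ErrorAction SilentlyContinue
        $path = $null
        if ($proc) { try { $path = $proc.Path } catch { } }

        $sigStatus = 'n/a'; $signer = 'n/a'
        if ($path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        if     (-not $path)                               { $flag = 'unresolved: process gone or not readable' }
        elseif ($sigStatus -ne 'Valid')                   { $flag = "REVIEW: signature $sigStatus" }
        elseif ($path -like "$env:SystemDrive\Users\*")   { $flag = 'note: image under a user profile; check the signer' }
        else                                              { $flag = 'ok' }

        New-Object PSObject -Property @{
            Protocol  = $conn.Protocol
            Remote    = "$($conn.RemoteAddress):$($conn.RemotePort)"
            LocalPort = $conn.LocalPort
            State     = $conn.State
            ProcessId = $conn.ProcessId
            Name      = $(if ($proc) { $proc.Name } else { '(not running)' })
            ImagePath = $path
            Signature = $sigStatus
            Signer    = $signer
            Flag      = $flag
        }
    }
}

# Constructed sample (not captured from the poster's machine):
$sample = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704',
    '  TCP    192.168.1.23:49700     203.0.113.10:80        SYN_SENT        4120',
    '  TCP    [::1]:49152            [::1]:49153            ESTABLISHED     1312',
    '  UDP    0.0.0.0:500            *:*                                    960'
)
Get-ConnectionOwner -RemoteAddress '203.0.113.10' -NetstatLines $sample | Format-List
# Live table: Get-ConnectionOwner -RemoteAddress '203.0.113.10' | Format-List
```

A single snapshot only catches connections that exist at that moment; a SYN the antivirus blocks may be gone within a second, so loop the live call or take the PID from the antivirus log and feed it straight to Get-Process. A per-user browser installation legitimately lives under AppData\Local, so a profile-path hit is only a note; an unsigned image, or a signer that is not the browser's vendor, is the real finding.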

Hello, Marius ... have uninstalled ComboFix and run delfix successfully. As noted before, I am recovering Win7, so will be updating quickly to get up to date. Your other points have been noted and are well taken, and will be taken to heart.

 

I appreciate the effort you and others at Malwarebytes put forth to resolve such problems.

 

Bob Fortson


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.