Please help removing trojan.0access


Dear Sirs,

I am trying to clean up my father's computer, remotely, and have encountered trojan.0access. This computer does have premium mbam, though before today, it was the free version, so no scheduled scans. I read in a 0access cleanup thread on this site that there are specific steps to be taken and that the trojan can persist. I have run several mbam (and eset online and adwcleaner) scans in the last 24 hours, removing 6-50 bad guys per scan, before mbam found 0access. The last mbam scan found no threats, but the computer is still dreadfully slow, compared to normal for this machine, and I do not think it is clean. I have read the 'I'm Infected' thread and am here posting the logs requested. Please advise as to how to remove this threat, and whether it is true that a 0access backdoor requires reformat/reinstallation of windows, or replacement of the computer.

Many Thanks,

LH

>>>Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-11-2014

Ran by Roger (administrator) on ROGER-PC on 01-11-2014 15:28:57
Running from C:\Users\Roger\Downloads
Loaded Profile: Roger (Available profiles: Roger)
Platform: Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Apple, Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SEIKO EPSON CORPORATION) C:\Program Files\epson\EpsonCustomerParticipation\EPCP.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Sonic Solutions) C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\tv_w32.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(InstallShield Software Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
(Nuance Communications, Inc.) C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
(Brother Industries, Ltd.) C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Brother Industries, Ltd.) C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON Software\Event Manager\EEventManager.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON Software\FAX Utility\FUFAXRCV.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON Software\FAX Utility\FUFAXSTM.exe
(SigmaTel, Inc.) C:\Windows\sttray.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Brother Industries, Ltd.) C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(AOL Inc.) C:\Program Files\Common Files\aol\acs\AOLacsd.exe
(AOL Inc.) C:\Program Files\Common Files\aol\1179885413\ee\aolsoftware.exe
(AOL Inc.) C:\Program Files\Common Files\aol\1179885413\ee\aolupdates.exe
(AOL Inc.) C:\Program Files\AOL Desktop 9.7a\waol.exe
(AOL Inc.) C:\Program Files\AOL Desktop 9.7a\shellmon.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Desktop.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [iAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [151552 2006-09-29] (Intel Corporation)
HKLM\...\Run: [iSUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2005-02-16] (InstallShield Software Corporation)
HKLM\...\Run: [sSBkgdUpdate] => C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] => C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [29984 2007-10-11] (Nuance Communications, Inc.)
HKLM\...\Run: [indexSearch] => C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [46368 2007-10-11] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort11reminder] => C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe [328992 2007-08-31] (Nuance Communications, Inc.)
HKLM\...\Run: [brMfcWnd] => C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [1085440 2008-05-29] (Brother Industries, Ltd.)
HKLM\...\Run: [ControlCenter3] => C:\Program Files\Brother\ControlCenter3\brctrcen.exe [86016 2007-12-21] (Brother Industries, Ltd.)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [iSUSPM Startup] => c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [HostManager] => C:\Program Files\Common Files\AOL\1179885413\ee\AOLSoftware.exe [41800 2010-03-08] (AOL Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [AVP] => C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe [356128 2013-10-14] (Kaspersky Lab ZAO)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [1058880 2013-03-28] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [FUFAXRCV] => C:\Program Files\Epson Software\FAX Utility\FUFAXRCV.exe [503392 2013-06-25] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [FUFAXSTM] => C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe [863840 2013-06-25] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [sigmatelSysTrayApp] => C:\Windows\sttray.exe [303104 2007-02-08] (SigmaTel, Inc.)
HKU\S-1-5-21-192517801-774707061-2340149944-1000\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-01-26] (Google Inc.)
HKU\S-1-5-21-192517801-774707061-2340149944-1000\...\Run: [AOL Fast Start] => C:\Program Files\AOL Desktop 9.7a\AOL.EXE [72296 2014-08-19] (AOL Inc.)
HKU\S-1-5-21-192517801-774707061-2340149944-1000\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com
HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
SearchScopes: HKLM - {9D4A53EC-0005-4263-BBA7-9DEF04D96ADA} URL = http://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
SearchScopes: HKCU - DefaultScope {B0858340-28FA-480A-BEB5-13A8B58D854B} URL = http://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
SearchScopes: HKCU - {B0858340-28FA-480A-BEB5-13A8B58D854B} URL = http://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
BHO: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Content Blocker Plugin -> {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} -> C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
BHO: Virtual Keyboard Plugin -> {73455575-E40C-433C-9784-C78DC7761455} -> C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
BHO: SSVHelper Class -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> c:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\OnlineBanking\online_banking_bho.dll (Kaspersky Lab ZAO)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll (Google Inc.)
BHO: URL Advisor Plugin -> {E33CF602-D945-461A-83F0-819F76A199F8} -> C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [147456] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @viewpoint.com/VMP -> C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-11]
FF HKLM\...\Firefox\Extensions: [url_advisor@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\url_advisor@kaspersky.com
FF Extension: Kaspersky URL Advisor - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\url_advisor@kaspersky.com [2013-09-20]
FF HKLM\...\Firefox\Extensions: [virtual_keyboard@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\virtual_keyboard@kaspersky.com
FF Extension: Virtual Keyboard - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\virtual_keyboard@kaspersky.com [2013-09-20]
FF HKLM\...\Firefox\Extensions: [content_blocker@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\content_blocker@kaspersky.com
FF Extension: Dangerous Websites Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\content_blocker@kaspersky.com [2013-09-20]
FF HKLM\...\Firefox\Extensions: [anti_banner@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\anti_banner@kaspersky.com
FF Extension: Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\anti_banner@kaspersky.com [2013-09-20]
FF HKLM\...\Firefox\Extensions: [online_banking@kaspersky.com] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\online_banking@kaspersky.com
FF Extension: Safe Money - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\FFExt\online_banking@kaspersky.com [2013-09-20]
FF StartMenuInternet: FIREFOX.EXE - firefox.exe
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\21.0.1180.89\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\38.0.2125.111\gcswf32.dll No File
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\38.0.2125.111\pdf.dll ()
CHR Plugin: (Norton Confidential) - C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\2012.1.0.30_0\npcoplgn.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll No File
CHR Plugin: (MetaStream 3 Plugin) - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ()
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Profile: C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-19]
CHR Extension: (Kaspersky URL Advisor) - C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj [2013-09-20]
CHR Extension: (Safe Money) - C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\hakdifolhalapjijoafobooafbilfakh [2013-09-20]
CHR Extension: (Virtual Keyboard) - C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh [2013-09-20]
CHR Extension: (Kaspersky Protection) - C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpoimibckejjdjcfbdnajaicnklhfplh [2014-06-08]
CHR Extension: (Google Wallet) - C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-20]
CHR Extension: (Anti-Banner) - C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman [2013-09-20]
CHR HKLM\...\Chrome\Extension: [dchlnpcodkpfdpacogkljefecpegganj] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\urladvisor.crx [2012-08-18]
CHR HKLM\...\Chrome\Extension: [hakdifolhalapjijoafobooafbilfakh] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\online_banking_chrome.crx [2012-08-18]
CHR HKLM\...\Chrome\Extension: [hghkgaeecgjhjkannahfamoehjmkjail] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\content_blocker_chrome.crx [2012-08-18]
CHR HKLM\...\Chrome\Extension: [jagncdcchgajhfhijbbhecadmaiegcmh] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\virtkbd.crx [2012-08-18]
CHR HKLM\...\Chrome\Extension: [lpoimibckejjdjcfbdnajaicnklhfplh] - https://chrome.google.com/webstore/detail/lpoimibckejjdjcfbdnajaicnklhfplh [2012-08-18]
CHR HKLM\...\Chrome\Extension: [pjldcfjmnllhmgjclecdnfampinooman] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\ChromeExt\ab.crx [2012-08-18]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2011-08-24] (SUPERAntiSpyware.com) [File not signed]
R2 AOL ACS; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [46184 2014-02-06] (AOL Inc.)
R2 Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [110592 2008-01-15] (Apple, Inc.) [File not signed]
R2 AVP; C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe [356128 2013-10-14] (Kaspersky Lab ZAO)
S3 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [70656 2006-11-07] () [File not signed]
R2 EpsonCustomerParticipation; C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [577088 2013-09-20] (SEIKO EPSON CORPORATION)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc.exe [126128 2012-05-17] (Seiko Epson Corporation)
R2 IAANTMON; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [81920 2006-09-29] (Intel Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [235696 2014-04-09] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [167344 2013-09-20] (McAfee, Inc.)
S3 RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [880640 2006-11-05] (Sonic Solutions) [File not signed]
R2 RoxWatch9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [159744 2006-11-05] (Sonic Solutions) [File not signed]
S3 stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [73728 2006-09-14] (MicroVision Development, Inc.) [File not signed]
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{c39078c0-a917-82ef-3e50-f6c6256a5159}\   \...\???\{c39078c0-a917-82ef-3e50-f6c6256a5159}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 DSproct; C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [4736 2006-10-05] (Gteko Ltd.) [File not signed]
R2 dsunidrv; C:\Program Files\DellSupport\Drivers\dsunidrv.sys [7424 2006-08-17] (Gteko Ltd.) [File not signed]
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [135776 2013-12-10] (Kaspersky Lab ZAO)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [597600 2014-05-19] (Kaspersky Lab ZAO)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [25696 2013-12-10] (Kaspersky Lab ZAO)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [25696 2013-10-14] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [25696 2013-10-14] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [44000 2013-09-20] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [145040 2013-09-20] (Kaspersky Lab ZAO)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [75480 2014-10-01] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-10-01] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2014-11-01] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-10-01] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\system32\drivers\mfeapfk.sys [127992 2012-07-17] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565352 2013-09-20] (McAfee, Inc.)
R1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [206784 2012-07-17] (McAfee, Inc.)
R0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [36528 2006-07-24] (Sonic Solutions) [File not signed]
R3 STHDA; C:\Windows\System32\drivers\stwrt.sys [647680 2007-02-08] (SigmaTel, Inc.)
R3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2006-11-01] (America Online, Inc.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-19] (Microsoft Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
U5 klflt; C:\Windows\System32\Drivers\klflt.sys [74848 2014-05-19] (Kaspersky Lab ZAO)
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-01 15:28 - 2014-11-01 15:29 - 00023130 _____ () C:\Users\Roger\Downloads\FRST.txt
2014-11-01 15:28 - 2014-11-01 15:29 - 00000000 ____D () C:\FRST
2014-11-01 15:27 - 2014-11-01 15:27 - 00180829 _____ () C:\Users\Roger\Downloads\2DE2.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00163877 _____ () C:\Users\Roger\Downloads\2DC0.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00150485 _____ () C:\Users\Roger\Downloads\2F21.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00129050 _____ () C:\Users\Roger\Downloads\I'm infected - What do I do now  - Malware Removal Help - Malwarebytes Forum.html
2014-11-01 15:27 - 2014-11-01 15:27 - 00127639 _____ () C:\Users\Roger\Downloads\2DF3.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00113588 _____ () C:\Users\Roger\Downloads\2DB0.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00079618 _____ () C:\Users\Roger\Downloads\2E04.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00056879 _____ () C:\Users\Roger\Downloads\2DAF.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00045223 _____ () C:\Users\Roger\Downloads\2E67.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00030267 _____ () C:\Users\Roger\Downloads\2E24.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00025421 _____ () C:\Users\Roger\Downloads\2DD1.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00012576 _____ () C:\Users\Roger\Downloads\2E36.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00009336 _____ () C:\Users\Roger\Downloads\2EA9.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00008051 _____ () C:\Users\Roger\Downloads\2E78.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00007306 _____ () C:\Users\Roger\Downloads\2E35.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00007145 _____ () C:\Users\Roger\Downloads\2F54.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00007145 _____ () C:\Users\Roger\Downloads\2F43.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00007145 _____ () C:\Users\Roger\Downloads\2F42.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00007145 _____ () C:\Users\Roger\Downloads\2F31.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00007145 _____ () C:\Users\Roger\Downloads\2F01.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00006287 _____ () C:\Users\Roger\Downloads\2E88.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00005869 _____ () C:\Users\Roger\Downloads\2E57.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00004077 _____ () C:\Users\Roger\Downloads\2EBA.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00004071 _____ () C:\Users\Roger\Downloads\2EEF.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00003017 _____ () C:\Users\Roger\Downloads\2EDE.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00002923 _____ () C:\Users\Roger\Downloads\2F00.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00002715 _____ () C:\Users\Roger\Downloads\2E25.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00002207 _____ () C:\Users\Roger\Downloads\2DE1.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00001201 _____ () C:\Users\Roger\Downloads\2ECD.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00001042 _____ () C:\Users\Roger\Downloads\3040.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00000729 _____ () C:\Users\Roger\Downloads\2ECC.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00000558 _____ () C:\Users\Roger\Downloads\2EBB.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00000225 _____ () C:\Users\Roger\Downloads\2EDD.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00000203 _____ () C:\Users\Roger\Downloads\2F55.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00000129 _____ () C:\Users\Roger\Downloads\2EAA.tmp
2014-11-01 15:27 - 2014-11-01 15:27 - 00000000 ____D () C:\Users\Roger\Downloads\I'm infected - What do I do now  - Malware Removal Help - Malwarebytes Forum_files
2014-11-01 13:33 - 2014-11-01 13:33 - 00000000 ____D () C:\ProgramData\Viewpoint
2014-11-01 13:33 - 2014-11-01 13:33 - 00000000 ____D () C:\Program Files\Viewpoint
2014-11-01 13:26 - 2014-11-01 13:37 - 00000000 ____D () C:\Program Files\AOL Desktop 9.7a
2014-11-01 13:15 - 2014-11-01 13:16 - 19828376 _____ (Malwarebytes Corporation ) C:\Users\Roger\Downloads\mbam_premium.exe
2014-11-01 11:35 - 2014-11-01 11:35 - 01105920 _____ (Farbar) C:\Users\Roger\Downloads\FRST.exe
2014-11-01 11:33 - 2014-11-01 11:34 - 14670424 _____ () C:\Users\Roger\Downloads\RogueKiller.exe
2014-11-01 11:27 - 2014-11-01 11:28 - 04184008 _____ (Kaspersky Lab ZAO) C:\Users\Roger\Downloads\tdsskiller.exe
2014-11-01 05:16 - 2014-06-26 18:17 - 00619664 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2014-11-01 05:16 - 2014-06-26 18:17 - 00099480 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2014-11-01 05:16 - 2014-06-26 18:17 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2014-11-01 05:16 - 2014-06-06 00:28 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2014-11-01 05:15 - 2014-06-15 18:18 - 01131664 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-11-01 05:15 - 2014-06-13 14:22 - 00156824 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-11-01 05:15 - 2014-06-13 14:22 - 00081560 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-11-01 04:58 - 2014-09-09 02:24 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-11-01 04:35 - 2014-08-22 21:03 - 00297984 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-11-01 04:22 - 2014-09-27 19:29 - 02054656 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-01 03:18 - 2014-09-16 12:56 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-01 03:18 - 2014-09-04 19:27 - 00143360 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fastfat.sys
2014-11-01 02:23 - 2014-08-23 18:23 - 00068878 _____ () C:\Users\Roger\Downloads\Favorite Placesbak20140823.pfc
2014-11-01 01:34 - 2014-11-01 01:35 - 04977216 _____ (Piriform Ltd) C:\Users\Roger\Downloads\ccsetup419.exe
2014-11-01 01:11 - 2014-11-01 10:00 - 00000000 ____D () C:\AdwCleaner
2014-11-01 00:05 - 2014-10-18 10:54 - 01976320 _____ () C:\Users\Roger\Desktop\adwcleaner_4.000.exe
2014-10-31 18:03 - 2014-06-13 20:44 - 00638400 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2014-10-31 18:03 - 2014-06-13 20:33 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2014-10-31 18:03 - 2014-06-06 04:59 - 00506880 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-10-31 18:03 - 2014-06-02 06:31 - 02263552 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-10-31 18:03 - 2014-06-02 06:31 - 00332800 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2014-10-31 18:03 - 2014-06-02 06:30 - 01993728 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2014-10-31 18:03 - 2014-06-02 06:30 - 00033280 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2014-10-31 18:03 - 2014-06-02 04:56 - 00082432 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2014-10-31 18:03 - 2014-04-26 12:01 - 00502784 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2014-10-31 18:03 - 2014-04-04 22:42 - 00905664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-10-31 18:03 - 2014-03-25 09:26 - 11587584 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-10-31 18:03 - 2013-10-29 22:12 - 00335360 _____ (Microsoft Corporation) C:\Windows\system32\SysFxUI.dll
2014-10-31 18:03 - 2013-10-29 21:43 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2014-10-31 18:03 - 2013-10-29 20:43 - 00167936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys
2014-10-31 18:03 - 2013-08-26 22:47 - 01029120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2014-10-31 18:03 - 2013-08-26 22:47 - 00219648 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2014-10-31 18:03 - 2013-08-26 22:47 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2014-10-31 18:03 - 2013-08-26 22:47 - 00160768 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2014-10-31 18:03 - 2013-08-26 21:52 - 01172480 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-10-31 18:03 - 2013-08-26 21:50 - 00486400 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2014-10-31 18:03 - 2013-08-26 21:32 - 00683008 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2014-10-31 18:03 - 2013-08-26 21:28 - 01069056 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2014-10-31 18:03 - 2013-08-26 21:28 - 00798208 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2014-10-31 18:03 - 2013-07-20 06:44 - 00102608 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2014-10-31 18:02 - 2014-09-19 18:53 - 12364288 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-10-31 18:02 - 2014-09-19 18:44 - 01810432 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-10-31 18:02 - 2014-09-19 18:41 - 09739776 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-10-31 18:02 - 2014-09-19 18:39 - 01138688 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-10-31 18:02 - 2014-09-19 18:38 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-10-31 18:02 - 2014-09-19 18:37 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-10-31 18:02 - 2014-09-19 18:36 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-10-31 18:02 - 2014-09-19 18:36 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-10-31 18:02 - 2014-09-19 18:36 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-10-31 18:02 - 2014-09-19 18:35 - 01802752 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-10-31 18:02 - 2014-09-19 18:35 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-10-31 18:02 - 2014-09-19 18:35 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-10-31 18:02 - 2014-09-19 18:35 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-10-31 18:02 - 2014-09-19 18:35 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-10-31 18:02 - 2014-09-19 18:34 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-10-31 18:02 - 2014-09-19 18:34 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-10-31 18:02 - 2014-09-19 18:34 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-10-31 18:02 - 2014-09-19 18:34 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-10-31 18:02 - 2014-09-19 18:34 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-10-31 18:02 - 2014-09-19 18:34 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-10-31 18:02 - 2014-09-19 18:33 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-10-31 18:01 - 2014-05-30 02:53 - 00273408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-10-31 18:01 - 2014-03-09 21:22 - 01401344 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2014-10-31 18:01 - 2014-03-09 21:22 - 01248768 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-10-31 18:01 - 2013-06-28 22:07 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-10-31 18:01 - 2013-06-28 22:07 - 00197632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-10-31 18:01 - 2013-06-28 22:07 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-10-31 18:01 - 2013-06-28 22:06 - 00006016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-10-31 18:01 - 2011-05-05 09:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-10-31 18:01 - 2011-05-05 09:54 - 00023552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-10-31 18:00 - 2014-02-05 21:56 - 00894464 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-10-31 18:00 - 2013-10-22 03:19 - 00158208 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2014-10-31 18:00 - 2013-10-10 22:08 - 00444928 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2014-10-31 18:00 - 2013-10-10 22:08 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2014-10-31 18:00 - 2013-10-10 22:08 - 00131072 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2014-10-31 18:00 - 2013-10-10 22:08 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wshcon.dll
2014-10-31 18:00 - 2013-10-10 22:07 - 00596480 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2014-10-31 18:00 - 2013-10-10 20:39 - 00218228 _____ () C:\Windows\system32\WFP.TMF
2014-10-31 18:00 - 2013-10-10 20:35 - 00155648 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2014-10-31 18:00 - 2013-10-10 20:35 - 00135168 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2014-10-31 18:00 - 2013-10-03 08:45 - 00993792 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2014-10-31 18:00 - 2013-08-02 00:09 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2014-10-31 18:00 - 2013-07-16 00:35 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\themeui.dll
2014-10-31 18:00 - 2013-07-04 00:21 - 00532480 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2014-10-31 18:00 - 2013-07-02 22:33 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbscan.sys
2014-10-31 18:00 - 2013-07-02 22:10 - 00025472 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidparse.sys
2014-10-31 18:00 - 2013-06-26 19:01 - 00527064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Wdf01000.sys
2014-10-31 18:00 - 2013-06-04 00:16 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2014-10-31 18:00 - 2013-06-03 21:49 - 00293376 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2014-10-31 17:58 - 2014-01-30 03:46 - 00876032 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-10-31 16:53 - 2014-11-01 15:24 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-31 16:52 - 2014-11-01 09:54 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-31 16:52 - 2014-10-31 16:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-31 16:52 - 2014-10-01 11:11 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-31 16:52 - 2014-10-01 11:11 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-31 16:09 - 2014-10-31 16:09 - 00002181 _____ () C:\Users\Roger\Downloads\TrainingWithDrDavidEifrig.ics
2014-10-31 13:57 - 2014-10-31 13:57 - 00000000 _____ () C:\Windows\EEventManager.INI
2014-10-30 13:56 - 2014-10-30 13:56 - 00554554 _____ () C:\Users\Roger\Documents\CoverLetter-IndBroadway.zip
2014-10-30 13:56 - 2014-10-30 13:56 - 00000000 ____D () C:\Users\Roger\Documents\CoverLetter-IndBroadway
2014-10-27 21:06 - 2014-10-27 21:07 - 05279866 _____ () C:\Users\Roger\Documents\IMG_0520.mov
2014-10-24 10:36 - 2014-10-24 10:36 - 00251599 _____ () C:\Users\Roger\Documents\DSCN1264.zip
2014-10-24 10:36 - 2014-10-24 10:36 - 00000000 ____D () C:\Users\Roger\Documents\DSCN1264
2014-10-23 16:50 - 2014-10-23 16:50 - 00000000 ____D () C:\Users\Roger\AppData\Roaming\Leadertech
2014-10-23 16:46 - 2014-11-01 14:46 - 00000917 _____ () C:\Windows\Tasks\EPSON WF-3640 Series Update {EB7D8C24-B7B8-415C-BDA0-5D7629D12421}.job
2014-10-23 16:46 - 2014-11-01 14:46 - 00000731 _____ () C:\Windows\Tasks\EPSON WF-3640 Series Invitation {EB7D8C24-B7B8-415C-BDA0-5D7629D12421}.job
2014-10-23 16:46 - 2014-10-23 16:46 - 00000000 ____D () C:\Program Files\Common Files\EPSON
2014-10-23 16:44 - 2014-10-23 16:44 - 00000159 _____ () C:\Users\Public\Desktop\Epson WF-3640 User’s Guide.url
2014-10-23 16:43 - 2014-10-30 13:43 - 00000000 ____D () C:\Users\Roger\AppData\Roaming\Epson
2014-10-23 16:41 - 2014-10-23 16:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON Software
2014-10-23 16:41 - 2014-10-23 16:43 - 00000000 ____D () C:\Program Files\EPSON Software
2014-10-23 16:41 - 2014-10-23 16:41 - 00000000 ____D () C:\Program Files\EpsonNet
2014-10-23 16:41 - 2012-11-12 20:41 - 00458310 _____ (SEIKO EPSON CORPORATION) C:\Windows\system32\ensppui.dll
2014-10-23 16:41 - 2012-11-12 20:41 - 00458310 _____ (SEIKO EPSON CORPORATION) C:\Windows\system32\enppui.dll
2014-10-23 16:41 - 2012-11-12 15:15 - 00476027 _____ (SEIKO EPSON CORPORATION) C:\Windows\system32\ensppmon.dll
2014-10-23 16:41 - 2012-11-12 15:15 - 00476027 _____ (SEIKO EPSON CORPORATION) C:\Windows\system32\enppmon.dll
2014-10-23 16:41 - 2012-10-22 17:19 - 00218112 _____ (SEIKO EPSON CORPORATION) C:\Windows\system32\enspres.dll
2014-10-23 16:41 - 2012-10-22 17:19 - 00218112 _____ (SEIKO EPSON CORPORATION) C:\Windows\system32\enpres.dll
2014-10-23 16:39 - 2014-10-23 16:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON
2014-10-23 16:39 - 2014-10-23 16:44 - 00000000 ____D () C:\Program Files\epson
2014-10-23 16:39 - 2014-10-23 16:39 - 00000767 _____ () C:\Users\Public\Desktop\EPSON Scan.lnk
2014-10-23 16:39 - 2012-07-24 00:00 - 00342016 _____ (Seiko Epson Corporation) C:\Windows\system32\esw2ud.dll
2014-10-23 16:39 - 2012-05-17 00:00 - 00126128 _____ (Seiko Epson Corporation) C:\Windows\system32\escsvc.exe
2014-10-23 16:39 - 2010-11-22 13:27 - 00147472 _____ (TWAIN Working Group) C:\Windows\system32\twaindsm.dll
2014-10-23 16:36 - 2013-10-22 04:04 - 00142848 _____ (SEIKO EPSON CORPORATION) C:\Windows\system32\E_TLMBKDE.DLL
2014-10-23 16:36 - 2011-03-15 03:03 - 00081408 _____ (SEIKO EPSON CORPORATION) C:\Windows\system32\E_TD4BKDE.DLL
2014-10-23 16:36 - 2007-04-10 01:06 - 00008192 _____ (SEIKO EPSON CORP.) C:\Windows\system32\E_DCINST.DLL
2014-10-23 16:35 - 2014-10-23 17:08 - 00000000 ____D () C:\ProgramData\EPSON
2014-10-23 16:33 - 2014-10-23 16:50 - 00000081 _____ () C:\Windows\WF-3640.ini
2014-10-22 17:00 - 2014-10-22 17:00 - 00031744 _____ () C:\Users\Roger\Documents\DIRADRS-updatedOct2014.xls
2014-10-16 18:03 - 2014-10-16 18:03 - 00000000 _____ () C:\Users\Roger\Downloads\Minecraft_exe.jht790q.partial
2014-10-10 22:26 - 2014-10-10 22:26 - 01422871 _____ () C:\Users\Roger\Downloads\October Adens
2014-10-10 16:10 - 2014-10-10 16:11 - 00000000 ____D () C:\Users\Roger\Documents\MTGNOTIC_Oct2014
2014-10-10 16:10 - 2014-10-10 16:10 - 00038714 _____ () C:\Users\Roger\Documents\MTGNOTIC_Oct2014.zip
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-01 15:23 - 2013-09-20 21:52 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2014-11-01 15:23 - 2012-10-11 07:13 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-01 14:57 - 2012-05-25 20:47 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-01 14:07 - 2013-09-20 08:21 - 01222376 _____ () C:\Windows\WindowsUpdate.log
2014-11-01 14:03 - 2006-11-02 08:45 - 00003552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-01 14:03 - 2006-11-02 08:45 - 00003552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-01 13:35 - 2011-07-12 10:57 - 00092990 _____ () C:\install.log
2014-11-01 13:34 - 2013-10-14 21:44 - 00000805 _____ () C:\Users\Public\Desktop\AOL Desktop 9.7.lnk
2014-11-01 13:34 - 2013-10-14 21:44 - 00000749 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\AOL Desktop 9.7.lnk
2014-11-01 13:34 - 2007-05-22 20:40 - 00000000 ____D () C:\Users\Roger\AppData\Roaming\AOL
2014-11-01 13:34 - 2007-05-22 20:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AOL
2014-11-01 13:33 - 2007-05-22 21:56 - 00000000 ____D () C:\Program Files\Common Files\aol
2014-11-01 13:28 - 2007-05-22 20:40 - 00000000 ____D () C:\Users\Roger\AppData\Local\AOL
2014-11-01 13:26 - 2007-05-22 21:56 - 00000000 ____D () C:\Program Files\Common Files\aolshare
2014-11-01 13:26 - 2007-05-22 20:38 - 00000000 ____D () C:\ProgramData\AOL
2014-11-01 10:09 - 2006-11-02 06:33 - 00707604 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-01 10:03 - 2014-02-13 06:03 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf28a2e35ede20.job
2014-11-01 10:03 - 2006-11-02 08:58 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-01 10:02 - 2013-09-20 08:17 - 00013086 _____ () C:\Windows\PFRO.log
2014-11-01 10:02 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\SchCache
2014-11-01 10:01 - 2006-11-02 08:58 - 00032626 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-11-01 06:17 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\rescache
2014-11-01 06:16 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-11-01 05:53 - 2006-11-02 08:44 - 00427712 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-01 03:59 - 2013-08-15 03:11 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-31 16:52 - 2013-08-21 15:49 - 00000000 ____D () C:\Program Files\Malwarebytes' Anti-Malware
2014-10-31 16:52 - 2012-01-03 22:23 - 00000000 ____D () C:\Users\Roger\AppData\Roaming\Malwarebytes
2014-10-31 16:52 - 2012-01-03 22:23 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-28 06:35 - 2009-10-03 01:44 - 00229000 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-27 17:35 - 2012-10-11 07:13 - 00001933 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-23 16:46 - 2013-09-21 18:17 - 00003228 _____ () C:\Windows\setupact.log
2014-10-23 16:43 - 2007-05-16 03:30 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-10-23 16:40 - 2007-05-22 18:21 - 00000000 ____D () C:\Users\Roger
2014-10-23 16:39 - 2006-11-02 08:35 - 00000000 ____D () C:\Windows\twain_32
2014-10-13 07:29 - 2012-11-06 23:11 - 00000000 ____D () C:\Users\Roger\AppData\Local\CrashDumps
2014-10-03 10:03 - 2006-11-02 06:24 - 100290944 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
ZeroAccess:
C:\Users\Roger\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install
 
Some content of TEMP:
====================
C:\Users\Roger\AppData\Local\Temp\AcsInstall.dll
C:\Users\Roger\AppData\Local\Temp\Quarantine.exe
C:\Users\Roger\AppData\Local\Temp\SHFOLDER.DLL
C:\Users\Roger\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-11-01 10:09
 
==================== End Of Log ============================
>>>Additional scan result of Farbar Recovery Scan Tool (x86) Version: 01-11-2014

Ran by Roger at 2014-11-01 15:31:03
Running from C:\Users\Roger\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Kaspersky Internet Security (Enabled - Up to date) {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
AS: Kaspersky Internet Security (Enabled - Up to date) {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security (Enabled) {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.4.634 - Adobe Systems, Inc.)
Advanced Uninstaller PRO - Version 11 (HKLM\...\AU11_is1) (Version: 11 - Innovative Solutions)
AOL Install (HKLM\...\{2357B8BC-88C9-4A72-818C-050CC4EB0778}) (Version: 1.0.0 - America Online, Inc)
AOL Mail and AIM Gadget (HKLM\...\{F226C1DA-66D7-4ABC-86B5-3F978A660EBF}) (Version: 1.0.0 - AOL LLC)
AOL Toolbar (HKLM\...\AOL Toolbar) (Version:  - )
AOL Uninstaller (Choose which Products to Remove) (HKLM\...\AOL Uninstaller) (Version:  - AOL Inc.)
Apple Application Support (HKLM\...\{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}) (Version: 2.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}) (Version: 1.1.3.26 - Apple Inc.)
Bonjour (HKLM\...\{07287123-B8AC-41CE-8346-3D777245C35B}) (Version: 1.0.106 - Apple Inc.)
Brother MFL-Pro Suite MFC-490CW (HKLM\...\{D9461574-5FC0-4641-BBDC-D1038B196F55}) (Version: 1.1.5.0 - Brother Industries, Ltd.)
Canon MP Navigator 2.2 (HKLM\...\MP Navigator 2.2) (Version:  - )
Canon MP530 (HKLM\...\{3215EBED-1D06-42fb-A05C-A752A46FB24C}) (Version:  - )
Canon MP530 User Registration (HKLM\...\Canon MP530 User Registration) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 3.12 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Conexant D850 PCI V.92 Modem (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1) (Version:  - )
Corel Paint Shop Pro Photo XI (HKLM\...\{93A1B09E-BAFA-4628-A5B6-921CB026955A}) (Version: 11.003.0000 - Corel Inc)
Corel Snapfire Plus (HKLM\...\{7ADE3A47-B425-45E9-8FF6-11BE2B775645}) (Version: 1.003.0000 - Corel)
Dell Support Center (HKLM\...\{E3BFEE55-39E2-4BE0-B966-89FE583822C1}) (Version: 2.0.07311 - Dell)
Dell System Customization Wizard (HKLM\...\{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}) (Version: 1.00.0000 - Dell Inc.)
DellSupport (HKLM\...\{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}) (Version: 6.0.3030 - Dell)
Digital Line Detect (HKLM\...\{E646DCF0-5A68-11D5-B229-002078017FBF}) (Version: 1.20 - BVRP Software, Inc)
Documentation & Support Launcher (HKLM\...\{89CEAE14-DD0F-448E-9554-15781EC9DB24}) (Version: 1.00.0000 - Dell Inc.)
EPSON Connect version 1.0 (HKLM\...\EPSON Connect_is1) (Version: 1.0 - Epson America Inc.)
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.6.3.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM\...\{116DBCAF-9544-4592-9156-AC99F6C2D426}) (Version: 3.10.0016 - Seiko Epson Corporation)
Epson FAX Utility (HKLM\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.42.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WF-3640 Series Printer Uninstall (HKLM\...\EPSON WF-3640 Series) (Version:  - SEIKO EPSON Corporation)
Epson WF-3640 User’s Guide version 1.0 (HKLM\...\UsersGuideEpson WF-3640 User’s Guide_is1) (Version: 1.0 - )
EpsonNet Print (HKLM\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.6.0 - SEIKO EPSON CORPORATION)
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
FileOpen Client Installer (HKLM\...\{39468292-5D68-4E93-9E09-5D9D5CA00E7A}) (Version: 3.0.6.878 - FileOpen Systems, Inc.)
Foxit Reader (HKLM\...\Foxit Reader) (Version: 3.3.1.518 - Foxit Software Company)
Games, Music, & Photos Launcher (HKLM\...\{3E25E350-949F-4DB7-8288-2A60E018B4C1}) (Version: 1.00.0000 - Dell Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.)
Google Earth (HKLM\...\{7A25D130-4EC8-11E1-BEA4-B8AC6F97B88E}) (Version: 6.2.1.6014 - Google)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version:  - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.5 - Google Inc.) Hidden
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - )
Internet Service Offers Launcher (HKLM\...\{CCFF1E13-77A2-4032-8B12-7566982A27DF}) (Version: 1.00.0000 - Dell Inc.)
Java SE Runtime Environment 6 (HKLM\...\{3248F0A8-6813-11D6-A77B-00B0D0160000}) (Version: 1.6.0.0 - Sun Microsystems, Inc.)
Kaspersky Internet Security 2013 (HKLM\...\InstallWIX_{560985FB-4B76-4121-9189-7A2CDC7886D6}) (Version: 13.0.1.4190 - Kaspersky Lab)
Kaspersky Internet Security 2013 (Version: 13.0.1.4190 - Kaspersky Lab) Hidden
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Works (HKLM\...\{6D52C408-B09A-4520-9B18-475B81D393F1}) (Version: 08.05.0818 - Microsoft Corporation)
Modem Diagnostic Tool (HKLM\...\{F63A3748-B93D-4360-9AD4-B064481A5C7B}) (Version: 1.0.17.8 - Dell)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB941833) (HKLM\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NetWaiting (HKLM\...\{3F92ABBB-6BBF-11D5-B229-002078017FBF}) (Version: 2.5.41 - BVRP Software, Inc)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.3 - NVIDIA Corporation)
PaperPort Image Printer (HKLM\...\{2BC2781A-F7F6-452E-95EB-018A522F1B2C}) (Version: 1.00.0000 - Nuance Communications, Inc.)
PowerDVD (HKLM\...\{281ECE39-F043-492B-8337-F2E546B5604A}) (Version: 7.0 - Dell)
QuickTime (HKLM\...\{C9E14402-3631-4182-B377-6B0DFB1C0339}) (Version: 7.70.80.34 - Apple Inc.)
Recuva (HKLM\...\Recuva) (Version: 1.37 - Piriform)
Roxio Creator Audio (HKLM\...\{83FFCFC7-88C6-41c6-8752-958A45325C82}) (Version: 3.3.0 - Roxio)
Roxio Creator BDAV Plugin (HKLM\...\{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}) (Version: 3.3.0 - Roxio)
Roxio Creator Copy (HKLM\...\{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}) (Version: 3.3.0 - Roxio)
Roxio Creator Data (HKLM\...\{0D397393-9B50-4c52-84D5-77E344289F87}) (Version: 3.3.0 - Roxio)
Roxio Creator DE (HKLM\...\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}) (Version: 3.3.0 - Roxio)
Roxio Creator Tools (HKLM\...\{0394CDC8-FABD-4ed8-B104-03393876DFDF}) (Version: 3.3.0 - Roxio)
Roxio Drag-to-Disc (HKLM\...\{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}) (Version: 9.0 - Roxio)
Roxio Express Labeler (HKLM\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 2.1.0 - Roxio)
Roxio MyDVD DE (HKLM\...\{D639085F-4B6E-4105-9F37-A0DBB023E2FB}) (Version: 9.0.116 - Roxio, Inc.)
Roxio Update Manager (HKLM\...\{30465B6C-B53F-49A1-9EBA-A3F187AD502E}) (Version: 3.0.0 - Roxio)
RTC Client API v1.2 (HKLM\...\{44CDBD1B-89FB-4E02-8319-2A4C550F664A}) (Version: 1.2.0000 - Microsoft)
ScanSoft PaperPort 11 (HKLM\...\{7A8FF745-BBC5-482B-88E4-18D3178249A9}) (Version: 11.1.0000 - Nuance Communications, Inc.)
SigmaTel Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version: 5.10.5102.0 - SigmaTel)
SketchUp Pro 8 (HKLM\...\{045D5A51-F07E-4350-8642-B85772A2876B}) (Version: 3.0.16846 - Trimble Navigation Limited)
Software Updater (HKLM\...\{A737E18A-5171-40D0-8034-7DD243420081}) (Version: 4.1.1 - SEIKO EPSON CORPORATION)
Sonic Activation Module (Version: 1.0 - Sonic Solutions) Hidden
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TeamViewer 8 (HKLM\...\TeamViewer 8) (Version: 8.0.30992 - TeamViewer)
Viewpoint Media Player (HKLM\...\ViewpointMediaPlayer) (Version:  - )
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{0D7FDC12-4366-3687-B4C4-93C84983BEB5}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{22A04790-1951-4514-AF1D-BC94B8B63C70}\InprocServer32 -> C:\Users\Roger\AppData\Roaming\Kaseya\PluginManager\IE\MessageProtocolX.dll (Kaseya International Limited)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{368CB9E8-3035-3AA5-B0D1-50FE1C930319}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{392777B8-79C3-4E1B-8CA2-DB2F9AD4DF37}\InprocServer32 -> C:\Users\Roger\AppData\Roaming\Kaseya\PluginManager\IE\TaskManagerX.dll (Kaseya International Limited)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{4218E1B5-2288-4189-807C-6CFA4C8C629B}\InprocServer32 -> C:\Users\Roger\AppData\Roaming\Kaseya\PluginManager\IE\EventLoggingX.dll (Kaseya International Limited)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{4431F57E-8B58-387E-AC60-6DD3E7850CD5}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{60E1979E-326D-3D30-A96C-C6ADCDD2AF66}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{634C733B-EABF-3922-BA49-5CB3927D480C}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{7629C9DE-2E38-4963-A01C-02FFAC203D87}\InprocServer32 -> C:\Program Files\AOL Desktop 9.7a\axtrack.dll (AOL Inc.)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{790ACEF7-453A-4713-99C8-8D09A9B60186}\InprocServer32 -> C:\Users\Roger\AppData\Roaming\Kaseya\PluginManager\IE\CommandLineX.dll (Kaseya International Limited)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{96F86545-7514-4F4A-98F7-E26B36A9C50A}\InprocServer32 -> C:\Users\Roger\AppData\Roaming\Kaseya\PluginManager\IE\RegistryEditorX.dll (Kaseya International Limited)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{B8AAE7B6-87D4-4A2A-87E8-E4CAEF111E6D}\InprocServer32 -> C:\Users\Roger\AppData\Roaming\Kaseya\PluginManager\IE\LiveConnectRelayX.dll (Kaseya International Limited)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{BB048B39-D3CB-37BF-A746-068C9F9FF26B}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{DC249AB2-0964-41F7-945F-AFC7039D7BA9}\InprocServer32 -> C:\Users\Roger\AppData\Roaming\Kaseya\PluginManager\IE\FileManagerX.dll (Kaseya International Limited)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{F13EEFC9-D471-4824-8D54-8FA9F4FF587F}\InprocServer32 -> C:\Users\Roger\AppData\Roaming\Kaseya\PluginManager\IE\DesktopThumbnailX.ocx (Kaseya International Limited)
CustomCLSID: HKU\S-1-5-21-192517801-774707061-2340149944-1000_Classes\CLSID\{F6389D10-3244-4375-808A-1DFBC16317AE}\InprocServer32 -> C:\Users\Roger\AppData\Roaming\Kaseya\PluginManager\IE\LocalUsersGroupsX.dll (Kaseya International Limited)
 
==================== Restore Points  =========================
 
23-10-2014 02:30:47 Scheduled Checkpoint
23-10-2014 20:36:36 Device Driver Package Install: EPSON Printers
23-10-2014 20:39:54 Device Driver Package Install: EPSON Imaging devices
23-10-2014 20:40:34 Installed EpsonNet Print
23-10-2014 20:42:51 Installed FAX Utility
25-10-2014 04:00:04 Scheduled Checkpoint
26-10-2014 04:00:03 Scheduled Checkpoint
27-10-2014 04:00:05 Scheduled Checkpoint
28-10-2014 04:00:05 Scheduled Checkpoint
29-10-2014 04:00:05 Scheduled Checkpoint
30-10-2014 04:00:04 Scheduled Checkpoint
31-10-2014 04:00:04 Scheduled Checkpoint
01-11-2014 07:03:29 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2006-11-02 06:23 - 2011-12-03 19:16 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {01FE05B7-25E9-40FC-9B68-FA17F941F2EE} - System32\Tasks\Carbonite Upgrade Check => C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe
Task: {18DFD9FC-082E-4E9B-8285-5F21D2B4EDAE} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {347167BF-0C97-4610-ABC8-F005DF21F481} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-20] (Google Inc.)
Task: {364405BE-ADD2-4741-9CE3-F599D5F2363E} - System32\Tasks\EPSON WF-3640 Series Update {EB7D8C24-B7B8-415C-BDA0-5D7629D12421} => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_TTSKDE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {54E37598-CBA3-447E-B0D2-B386E9D0BB86} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {7BAE8880-8351-4C00-818D-4FFA16A0F589} - System32\Tasks\EPSON WF-3640 Series Invitation {EB7D8C24-B7B8-415C-BDA0-5D7629D12421} => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_TTSKDE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {88E3E3DF-C1B1-4C14-ACD1-EADA186FEB28} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-24] (Adobe Systems Incorporated)
Task: {8B0E6FAB-F43A-4988-AF0A-A21646C212F0} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {A629AA1D-8564-4F43-AEEF-16903D5DBE11} - System32\Tasks\GoogleUpdateTaskMachineCore1cf28a2e35ede20 => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-20] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\EPSON WF-3640 Series Invitation {EB7D8C24-B7B8-415C-BDA0-5D7629D12421}.job => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_TTSKDE.EXE
Task: C:\Windows\Tasks\EPSON WF-3640 Series Update {EB7D8C24-B7B8-415C-BDA0-5D7629D12421}.job => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_TTSKDE.EXE
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf28a2e35ede20.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2007-06-07 11:06 - 2006-10-26 16:21 - 00056056 _____ () C:\Windows\system32\DLAAPI_W.DLL
2012-08-17 21:39 - 2013-09-20 22:03 - 01310136 _____ () C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\kpcengine.2.2.dll
2006-11-05 10:28 - 2006-11-05 10:28 - 04587520 ____R () C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\ROXIPP41.dll
2012-08-17 21:38 - 2012-08-17 21:38 - 00479160 _____ () C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2013\dblite.dll
2014-08-19 14:34 - 2014-08-19 14:34 - 00048640 _____ () C:\Program Files\AOL Desktop 9.7a\zlib.dll
2014-08-19 14:34 - 2014-08-19 14:34 - 21151232 _____ () C:\Program Files\AOL Desktop 9.7a\libcef.dll
2014-08-19 14:34 - 2014-08-19 14:34 - 00648704 _____ () C:\Program Files\AOL Desktop 9.7a\libglesv2.dll
2014-08-19 14:34 - 2014-08-19 14:34 - 00122880 _____ () C:\Program Files\AOL Desktop 9.7a\libegl.dll
2014-10-27 17:35 - 2014-10-22 00:04 - 08910664 _____ () C:\Program Files\Google\Chrome\Application\38.0.2125.111\pdf.dll
2014-10-27 17:34 - 2014-10-22 00:04 - 01681224 _____ () C:\Program Files\Google\Chrome\Application\38.0.2125.111\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\Users\Roger\Documents\Carsofthe50'sand60's-2-12.eml:OECustomProperty
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Digital Line Detect.lnk => C:\Windows\pss\Digital Line Detect.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: dscactivate => "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
MSCONFIG\startupreg: dsentu => "C:\Windows\System32\rundll32.exe" "C:\Users\Roger\AppData\Roaming\dsentu.dll",Optimize
MSCONFIG\startupreg: HostManager => C:\Program Files\Common Files\AOL\1179885413\ee\AOLSoftware.exe
MSCONFIG\startupreg: ISUSPM Startup => C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
MSCONFIG\startupreg: pcwauy => C:\Users\Roger\pcwauy.exe /w
MSCONFIG\startupreg: PDVDDXSrv => "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: rymuxhuxxick => C:\Users\Roger\rymuxhuxxick.exe
MSCONFIG\startupreg: suftattipmih => C:\Users\Roger\suftattipmih.exe
MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSCONFIG\startupreg: swg => "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
MSCONFIG\startupreg: sylsuwafepuj => C:\Users\Roger\sylsuwafepuj.exe
MSCONFIG\startupreg: Windows Defender => %ProgramFiles%\Windows Defender\MSASCui.exe -hide
MSCONFIG\startupreg: WMPNSCFG => C:\Program Files\Windows Media Player\WMPNSCFG.exe
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-192517801-774707061-2340149944-500 - Administrator - Disabled)
Guest (S-1-5-21-192517801-774707061-2340149944-501 - Limited - Disabled)
Roger (S-1-5-21-192517801-774707061-2340149944-1000 - Administrator - Enabled) => C:\Users\Roger
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (11/01/2014 05:54:25 AM) (Source: .NET Runtime Optimization Service) (EventID: 1107) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to execute command from the offline queue: uninstall "Microsoft.Transactions.Bridge.Dtc, Version=3.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=x86".  The error returned was Error: The specified assembly is not installed.
.
 
Error: (11/01/2014 05:54:25 AM) (Source: .NET Runtime Optimization Service) (EventID: 1107) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to execute command from the offline queue: uninstall "Microsoft.Build.Tasks, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil" /NoDependencies .  The error returned was Error: The specified assembly is not installed.
.
 
Error: (11/01/2014 05:54:14 AM) (Source: .NET Runtime Optimization Service) (EventID: 1107) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to execute command from the offline queue: uninstall "AspNetMMCExt, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil" /NoDependencies .  The error returned was Error: The specified assembly is not installed.
.
 
Error: (11/01/2014 05:54:13 AM) (Source: .NET Runtime Optimization Service) (EventID: 1107) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to execute command from the offline queue: uninstall "System.Web.Mobile, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil" /NoDependencies .  The error returned was Error: The specified assembly is not installed.
.
 
Error: (11/01/2014 03:58:41 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4
 
Error: (11/01/2014 03:58:39 AM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
 
Error: (10/31/2014 11:09:52 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
Error: (10/31/2014 10:50:38 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
Error: (10/31/2014 10:37:08 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
Error: (10/31/2014 10:28:48 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
 
System errors:
=============
Error: (11/01/2014 10:05:50 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000Microsoft .NET Framework NGEN v4.0.30319_X86
 
Error: (11/01/2014 10:03:20 AM) (Source: LSM) (EventID: 1048) (User: )
Description: Terminal Service start failed. The relevant status code was The configuration data for this product is corrupt. Contact your support personnel.
.
 
Error: (11/01/2014 10:03:19 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: SASKUTIL
 
Error: (11/01/2014 10:03:17 AM) (Source: LSM) (EventID: 1048) (User: )
Description: Terminal Service start failed. The relevant status code was The configuration data for this product is corrupt. Contact your support personnel.
.
 
Error: (11/01/2014 10:01:05 AM) (Source: LSM) (EventID: 1048) (User: )
Description: Terminal Service start failed. The relevant status code was The configuration data for this product is corrupt. Contact your support personnel.
.
 
Error: (11/01/2014 09:54:17 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: IPsec Policy AgentBase Filtering Engine%%1290
 
Error: (11/01/2014 09:54:17 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Base Filtering Engine%%1290
 
Error: (11/01/2014 09:54:08 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Security Center%%1314
 
Error: (11/01/2014 09:54:02 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Windows FirewallBase Filtering Engine%%1290
 
Error: (11/01/2014 09:54:02 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Base Filtering Engine%%1290
 
 
Microsoft Office Sessions:
=========================
Error: (11/01/2014 05:54:25 AM) (Source: .NET Runtime Optimization Service) (EventID: 1107) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to execute command from the offline queue: uninstall "Microsoft.Transactions.Bridge.Dtc, Version=3.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=x86".  The error returned was Error: The specified assembly is not installed.
.
 
Error: (11/01/2014 05:54:25 AM) (Source: .NET Runtime Optimization Service) (EventID: 1107) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to execute command from the offline queue: uninstall "Microsoft.Build.Tasks, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil" /NoDependencies .  The error returned was Error: The specified assembly is not installed.
.
 
Error: (11/01/2014 05:54:14 AM) (Source: .NET Runtime Optimization Service) (EventID: 1107) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to execute command from the offline queue: uninstall "AspNetMMCExt, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil" /NoDependencies .  The error returned was Error: The specified assembly is not installed.
.
 
Error: (11/01/2014 05:54:13 AM) (Source: .NET Runtime Optimization Service) (EventID: 1107) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to execute command from the offline queue: uninstall "System.Web.Mobile, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=b03f5f7f11d50a3a, processorArchitecture=msil" /NoDependencies .  The error returned was Error: The specified assembly is not installed.
.
 
Error: (11/01/2014 03:58:41 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4
 
Error: (11/01/2014 03:58:39 AM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4
 
Error: (10/31/2014 11:09:52 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
Error: (10/31/2014 10:50:38 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
Error: (10/31/2014 10:37:08 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
Error: (10/31/2014 10:28:48 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-11-01 15:30:23.015
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-01 15:30:22.574
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-01 15:30:21.999
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-01 15:30:21.468
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-01 15:29:38.383
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-01 15:29:37.930
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-01 15:29:37.477
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-01 15:29:37.028
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-01 15:29:35.775
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-11-01 15:29:35.336
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® D CPU 3.00GHz
Percentage of memory in use: 69%
Total physical RAM: 2045.21 MB
Available physical RAM: 628.52 MB
Total Pagefile: 4323.69 MB
Available Pagefile: 2023.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1881.93 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:138.96 GB) (Free:68.08 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:6.33 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149 GB) (Disk ID: 48000000)
Partition 1: (Not Active) - (Size=55 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=139 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

Hello,

 

P2P/Piracy Warning:

 

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

 

Next,

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Next,

 

Read the following link before we continue and run Combofix:

ComboFix usage, Questions, Help? - Look here

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review



****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

*EXTRA NOTES*


  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)



Post those logs in next reply please...

Kevin
 

 

 

 

Fixlist.txt


Dear Kevin,

 

I am unsure whether you are re-quoting the peer-to-peer warning because this computer has peer-to-peer programs, or just in case I missed it on the other page. I do not see any software I recognize as peer-to-peer in Control Panel>Add/Remove Programs. If you see that it does, I will gladly remove anything you indicate.

 

I have attached the fixlog.txt.

 

Before I run ComboFix, having read its warning page, I have a question. I am doing these fixes over remote desktop software, because my father lives five or six hours away. Can I run ComboFix by closing all programs EXCEPT Team Viewer, or do I need to stop Team Viewer and get someone who is physically there to run ComboFix?

 

It will be several hours before I can continue, as I have to go to work.

 

Thank you so much for your help,

LH

Fixlog.txt


The P2P/Piracy warning is always present in my opening reply, the purpose is nothing sinister, is only to make any poster aware of forum protocol....

 

Before you run Combofix ensure all security is off, also all browsers. Regarding Team Viewer, I'm not really sure. I would not expect TV to have an impact on Combofix, it has no security impetus....

 

Thanks,

 

Kevin...


Dear Kevin,

I was able to start ComboFix over TeamViewer, but could not see it, as after the blue screen popped up saying it was creating a restore point, it terminated the Teamviewer connection. On my end, TeamViewer indicated that TV was not running on his computer for about an hour, so I assume it was scanning and rebooting over that time. I am glad it worked with TV, at any rate. When I was able to reconnect to it, I was greeted by the ComboFix log.  

 

Please find ComboFix.txt attached.

 

Thank you so much,

Laura  

ComboFix.txt


Thanks for the log, we continue:

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes select > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button.
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[Sn].txt, where n is the scan reference number.

 

Next,

 

Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts. (re-enable when done)
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin.

 

(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download ESET Smart Installer during the process)

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the following options are checked:
 
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
 
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Let me see those logs, also give an update on any remaining issues or concerns...

 

Thank you,

 

Kevin..


Nothing detected by MBAM Threat scan /w rootkit scan. 

 

ADWCleaner log follows:

 

# AdwCleaner v4.100 - Report created 08/11/2014 at 21:41:44
# DB v2014-11-07.1
# Updated 08/11/2014 by Xplode
# Operating System : Windows Vista Home Basic Service Pack 2 (32 bits)
# Username : Roger - ROGER-PC
# Running from : C:\Users\Roger\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Viewpoint
Folder Deleted : C:\Program Files\Viewpoint

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{13086CD4-88B6-45E3-9182-3BC2664199F7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1FCD7139-C2A3-49AD-8B9E-E82E48AE5DF6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{319FCB76-1568-4EFA-863B-B03A2B16EB5C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4796719D-2B92-47BC-920B-77BCDBDBCB6A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{64A66B25-A70F-4373-95EF-3A1DB6040B3A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6FC5F7E0-D65A-465C-B8EE-A5F8E008D6DF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{731D436C-464C-4F29-BFB2-DE9C458535AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7C89C8A6-991C-4626-9E26-B12EB4D89C04}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEF00686-CAB8-4885-9CCB-78FF483041AA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FDA55C78-736E-4E8A-996C-4A80FC0396FB}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{597b1823-7ff0-4cd3-8095-9d8cba514992}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B0858340-28FA-480A-BEB5-13A8B58D854B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{597b1823-7ff0-4cd3-8095-9d8cba514992}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9D4A53EC-0005-4263-BBA7-9DEF04D96ADA}
Key Deleted : HKLM\SOFTWARE\MetaStream
Key Deleted : HKLM\SOFTWARE\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16584


-\\ Google Chrome v38.0.2125.111

[C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [7281 octets] - [01/11/2014 00:11:46]
AdwCleaner[R1].txt - [985 octets] - [01/11/2014 08:58:14]
AdwCleaner[R2].txt - [3678 octets] - [08/11/2014 21:27:05]
AdwCleaner[S0].txt - [7495 octets] - [01/11/2014 00:16:26]
AdwCleaner[S1].txt - [1040 octets] - [01/11/2014 09:00:42]
AdwCleaner[S2].txt - [3656 octets] - [08/11/2014 21:41:44]

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [3716 octets] ##########

 

 

On reboot after the AdwCleaner scan, a popup from Viewpoint Media Player appeared. I did not click it.

 

 

 

 

JRT deleted a few things, see log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.7 (11.08.2014:1)
OS: Windows Vista Home Basic x86
Ran by Roger on Sat 11/08/2014 at 22:03:45.08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\fighters"
Successfully deleted: [Folder] "C:\Program Files\produtools_manuals_2.1_b"



~~~ Event Viewer Logs were cleared



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 11/08/2014 at 22:09:12.79
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Then I realized I hadn't run JRT as admin, so I repeated it, as admin. Nothing found.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.7 (11.08.2014:1)
OS: Windows Vista Home Basic x86
Ran by Roger on Sat 11/08/2014 at 22:12:57.02
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 11/08/2014 at 22:18:22.91
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

ESET Online found nothing. I did not scan archives, because your instructions did not say to check that box.

While re-enabling AV protection after the ESET scan, I realized that MBAM's scan schedule had been cleared. I am unsure whether that is normal, but I recreated the scheduled scans and updates.

 

I might add that my father's first complaint was that his Windows Gadgets had stopped working. The sidebar loaded but each gadget was empty and said only "Service Unavailable." According to task manager, the sidebar was using 400mb ram, which seems like a lot, so I disabled it. If I knew how, I would remove it completely. I've told him before they're not safe. Anyway, 400mb seems like a lot.

 

The machine seems to be fairly busily munching along on some instructions, though it is hard to gauge how it is doing over Team Viewer, because I can't hear it, and Team Viewer can be slow. Still, in task mgr, the CPU jumps wildly from 10-90% usage, RAM 1.09 GB (out of 2), so I take it the computer is occupied, but I don't know why. I suspect bad magic.

 

I do so thank you for your help,

Laura


Run the following windows repair tool:

 

Download Portable Windows Repair (all in one) from one of the following:

http://www.tweaking.com/content/page/windows_repair_all_in_one.html
http://www.majorgeeks.com/Tweaking.com_-_Windows_Repair_Portable_d7222.html
http://www.bleepingcomputer.com/download/windows-repair-all-in-one-portable/

Unzip the contents into a newly created folder on your desktop.

Open the folder and run the tool by right-clicking on Repair_Windows (icon with red briefcase) and selecting "Run as Administrator".



From the main GUI do the following:


Select Tab 5 and Create System Restore Point



Select Start Repairs tab => Click the Start



The repairs window will open. Check all of the boxes as indicated, also the "Restart" option, then select Start...



DON'T use the computer while each scan is in progress.

Post the log; to access it, select the "Settings" tab > "Open log folder" tab. The log will be named _Windows_Repair_Log.




Let me see that log, also give an update on any remaining issues or concerns...

 

Kevin


Dear Kevin,

When I first ran the Windows Repair Tool, it stopped on #19, saying that it tried to start 4 times and was unable to run. I tried to run it again, and Kaspersky piped up about a trojan w32 (I think), by which I think it meant Windows Repair Tool, and then Kaspersky started deleting stuff, so I stopped the repairs. After disabling Kaspersky, I unchecked 1-18 and ran tasks 19+, so I have a bit of a mess as far as logs. I hope that doesn't mean it didn't do what it needed to do, but if so, I can run it again. Please find the logs attached in 2 parts (I have omitted the log from the scan that I stopped, but I still have it).

 

 

On reboot after Windows Repair Tool scan, mbam did not start with windows, though that setting was still checked in mbam. This boot took a very long time, maybe 10-15 minutes before I could reconnect with Team Viewer. Also on that same boot, windows security center said, and continues to say, that there is no av running, though kaspersky was running (started with windows) and all protections are enabled. Security center used to say that Kaspersky was doing antivirus. I hope that doesn't mean Kaspersky isn't working.  

I rebooted again to see if mbam would start with windows, and mbam did, but Kaspersky didn't that time. When I started Kaspersky manually, I got a message from UAC asking whether I wanted to allow it. It usually doesn't do that. I was unable to reboot it again to see if it would start on its own, because my Dad needed to use the computer. 

 

The computer seems to be running a little better, but it is hard to tell since I'm not sitting in front of it. I do not know how to know that more empirically than what I see in task manager.  

 

Do I need to run the Windows Repair again, start to finish, or do you have what you need?

 

Thank you ever so much,

Laura  

_Windows_Repair_Log.txt

_Windows_Repair_Log.txt


Windows repair logs look good to me, even though in two parts. The start-up time is concerning; I'd like to see another scan done with FRST, to see if I have missed anything.

 

Open FRST, make sure all entries are checkmarked (ticked) under "White List" and only "Addition.txt" is checkmarked under "Optional Scan". Select Scan; two logs should be produced, post them in your next reply....

 

Kevin...


Dear Kevin,

Please find the logs you requested attached.

Weirdly, as I was staring off into space, waiting for FRST, wondering about the first person to ever decide to raid a beehive, the computer we are trying to fix skipped one minute, twice, but is still 30 seconds behind my computer, more or less. It stayed on a certain time for more than one minute, and then skipped a minute to catch up, but didn't quite make it. Both computers are syncing with the same time server. Maybe it was just because FRST was scanning, but thought you should know. Hope the logs are full of good news.  

Thank you,

Laura

Addition.txt

FRST.txt


Thanks for the logs, nothing overly malicious shown in those logs. Run the following please:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

 

Next,

 

We still need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan; on Vista and Windows 7/8, right-click the IE shortcut and run as admin.

 

(To run ESET Online Scanner in a browser other than Internet Explorer, you'll need to download the ESET Smart Installer during the process.)

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the add-on to be installed
  • Click Start
  • Make sure that the option "Remove found threats" is UNticked
  • Click on Advanced Settings, ensure the following options are checked:
      Scan for potentially unsafe applications
      Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
  • Put a checkmark in "Uninstall application on close"
  • Close program
  • Report to me that nothing was found

 

If threats were found

 


  • Click on "list of threats found"
  • Click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • Put a checkmark in "Uninstall application on close"
  • Click on finish
  • Close program

 

Copy and paste the report in next reply.

 

Let me see those logs, also give an update on any remaining issues or concerns...

 

Kevin...

 

Fixlist.txt


Hiya Laura,

 

I`d like to run a couple of dedicated rootkit scanners to eliminate that possibility, all other latest scans are good.... If the rootkit scans are also clean we can look at other reasons why the system is slow to boot....

 

Please download Gmer from Here by clicking on the "Download EXE" Button.

 

  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
     
            Sections
            IAT/EAT
            Show All ( should be unchecked by default )
     
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

 

Please post the content of the ark.txt here.

 

 

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

 

**If GMER crashes** Follow the instructions here and disable your security temporarily…

 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and, when prompted, allow it to run.
  • Read and accept the EULA (End User License Agreement).
  • Click Scan to scan the system.
  • When the scan completes select "Report"; the log will open. Close the program > Don't Fix anything!
  • Post back the report, which should also be located here:

 

C:\Programdata\RogueKiller\Logs <-------- W7/8

 

If these logs are clean we can progress and run Windows in Clean Boot mode, to see if we make progress...

 

Kevin


Dear Kevin,

Please find the GMER log attached. 

 

When Rogue Killer scan finished, it loaded a website about removing trojan zeroaccess Sirefef variant with Rogue Killer, but I did not do what it said to do. I do not know if I can post urls, but I will try, in case it could give you some insight. http://www.adlice.com/zeroaccess-removal-with-roguekiller/

 

Please find the text of Rogue Killer log below:

 
RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Roger [Administrator]
Mode : Scan -- Date : 11/16/2014  12:58:49
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 17 ¤¤¤
[Hj.RegVal] HKEY_LOCAL_MACHINE\RK_Software_ON_D_1CB6\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\uglorpow (\??\C:\Users\Roger\AppData\Local\Temp\uglorpow.sys) -> Found
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uglorpow (\??\C:\Users\Roger\AppData\Local\Temp\uglorpow.sys) -> Found
[ZeroAccess] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\?etadpug ("C:\Program Files\Google\Desktop\Install\{c39078c0-a917-82ef-3e50-f6c6256a5159}\   \...\?ﯹ๛\{c39078c0-a917-82ef-3e50-f6c6256a5159}\GoogleUpdate.exe" <) -> Found
[ZeroAccess] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\?etadpug ("C:\Program Files\Google\Desktop\Install\{c39078c0-a917-82ef-3e50-f6c6256a5159}\   \...\?ﯹ๛\{c39078c0-a917-82ef-3e50-f6c6256a5159}\GoogleUpdate.exe" <) -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-192517801-774707061-2340149944-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.aol.com  -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Found
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-192517801-774707061-2340149944-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-192517801-774707061-2340149944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_D_1CB6\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_D_1CB6\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-192517801-774707061-2340149944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found
 
¤¤¤ Tasks : 1 ¤¤¤
[suspicious.Path] \\Carbonite Upgrade Check -- "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" /silent -> Found
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3160812AS +++++
--- User ---
[MBR] 1399b4f86eee5621dcbc6604b7b7784b
[bSP] 12363dafc8b1110c9583683a9ba0f769 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 112640 | Size: 10240 MB
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 21084160 | Size: 142291 MB
User = LL1 ... OK
User = LL2 ... OK
 
I hope your weekend has been pleasant.
Thank you,
Laura

ark.txt


Hello Laura,

 

Yes, the weekend was good, hope yours was the same?.....

 

RK log identifies the reason for the slow boot etc... Ok continue please:

 

Double-click RogueKiller.exe to run again. (Vista/7/8 right-click and select Run as Administrator)

Wait until "initializing" is finished, press the Scan button.

When the scan completes select the Registry tab and locate these detections:

 

[Hj.RegVal] HKEY_LOCAL_MACHINE\RK_Software_ON_D_1CB6\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Found

[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\uglorpow (\??\C:\Users\Roger\AppData\Local\Temp\uglorpow.sys) -> Found

[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uglorpow (\??\C:\Users\Roger\AppData\Local\Temp\uglorpow.sys) -> Found

[ZeroAccess] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\?etadpug ("C:\Program Files\Google\Desktop\Install\{c39078c0-a917-82ef-3e50-f6c6256a5159}\   \...\???\{c39078c0-a917-82ef-3e50-f6c6256a5159}\GoogleUpdate.exe" <) -> Found

[ZeroAccess] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\?etadpug ("C:\Program Files\Google\Desktop\Install\{c39078c0-a917-82ef-3e50-f6c6256a5159}\   \...\???\{c39078c0-a917-82ef-3e50-f6c6256a5159}\GoogleUpdate.exe" <) -> Found

[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-192517801-774707061-2340149944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Found

 

Place a checkmark against those items only. All other entries must be left clear…..

 

Now press the Delete button.

 

When complete select "Report" copy and paste that to your reply…

 

Next,

 

Open Malwarebytes Anti-Malware, from the Dashboard please Check for Updates by clicking the Update Now... link

When the update completes, select Settings > Detection and Protection > enable "Scan for rootkits", and under Non-Malware Protection set both PUP and PUM to "Treat detections as malware".

 

 

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

 

When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

 

 

In most cases, a restart will be required.

 

 

Wait for the prompt to restart the computer to appear, then click on Yes.

 

 

Once completed, please click on History > Application Logs, find your scan log and open it, then click on the "Copy to Clipboard" button and post the results in your next reply.

 

Next,

 

Download Microsoft's "Malicious Software Removal Tool" and save it directly to the desktop.

Ensure to get the correct version for your system....

32 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

 

Right-click on the tool and select "Run as Administrator"; the tool will expand to the options window.

In the "Scan Type" window, select Quick Scan

Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

 

1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

 

notepad c:\windows\debug\mrt.log

 

Let me see those logs in your next reply, also give an update on any remaining issues or concerns....

 

Thanks,

 

Kevin

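The selection Kevin makes above (the ZeroAccess, Hj.RegVal and Temp-folder suspicious.Path entries go; the PUM entries stay for a person to judge) can be written down as a small triage rule set. The script below is an added example for this thread, not code from RogueKiller, Adlice or Malwarebytes. It parses detection lines in the report format shown in Laura's log (the sample lines are copied from that log), puts each into a "select" or "review" tier, and separately flags non-ASCII characters in a key or path, such as the ones in the ZeroAccess service entry. The tier rules and the Temp-folder heuristic are the editor's own assumptions, not RogueKiller's logic.

```python
"""Triage RogueKiller report lines into 'select' (remove) and 'review' tiers.

Added example for this thread, not part of RogueKiller or Malwarebytes; the tier
rules below are the editor's reading of the choices the helper made above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: detection lines copied from the RogueKiller scan log posted
# in this thread (Registry entries from each tier plus the scheduled-task entry).
SAMPLE_LINES = [
    r'[Hj.RegVal] HKEY_LOCAL_MACHINE\RK_Software_ON_D_1CB6\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Found',
    r'[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\uglorpow (\??\C:\Users\Roger\AppData\Local\Temp\uglorpow.sys) -> Found',
    r'[ZeroAccess] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\?etadpug ("C:\Program Files\Google\Desktop\Install\{c39078c0-a917-82ef-3e50-f6c6256a5159}\   \...\?ﯹ๛\{c39078c0-a917-82ef-3e50-f6c6256a5159}\GoogleUpdate.exe" <) -> Found',
    r'[PUM.HomePage] HKEY_USERS\S-1-5-21-192517801-774707061-2340149944-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.aol.com  -> Found',
    r'[suspicious.Path] \\Carbonite Upgrade Check -- "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" /silent -> Found',
]

# "[Category] body -> Status"; the body is everything between the bracket and the arrow.
LINE_RE = re.compile(r'^\[(?P<cat>[^\]]+)\]\s+(?P<body>.+?)\s+->\s+(?P<status>.+?)\s*$')
# Registry value bodies look like "key | name : value".
KEY_VALUE_RE = re.compile(r'^(?P<key>.+?)\s*\|\s*(?P<name>[^:]+?)\s*:\s*(?P<value>.+)$')
# Editor's heuristic: a service or driver image under a Temp directory.
TEMP_DIR_RE = re.compile(r'\\Temp\\', re.IGNORECASE)


@dataclass
class Detection:
    category: str
    body: str
    status: str
    tier: str = "review"
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for a report line, or None for headers, blanks, MBR block etc."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Detection(m["cat"], m["body"], m["status"])


def split_key_value(body: str) -> Optional[Tuple[str, str, str]]:
    """For 'key | name : value' bodies return (key, name, value); otherwise None."""
    m = KEY_VALUE_RE.match(body)
    return (m["key"], m["name"], m["value"]) if m else None


def classify(det: Detection) -> Detection:
    """Assign a tier and the reason for it (rules are the editor's assumptions)."""
    cat = det.category
    if cat == "ZeroAccess":
        det.tier, why = "select", "named malware family"
    elif cat == "Hj.RegVal":
        det.tier, why = "select", "hijacked logon value (Winlogon Shell is normally explorer.exe)"
    elif cat == "suspicious.Path" and TEMP_DIR_RE.search(det.body):
        det.tier, why = "select", "service or driver image loaded from a Temp folder"
    elif cat == "suspicious.Path":
        det.tier, why = "review", "unusual path outside Temp; confirm the product owns it"
    elif cat.startswith("PUM."):
        det.tier, why = "review", "preference change that a user may have made deliberately"
    else:
        det.tier, why = "review", "unknown category"
    det.reasons.append(why)
    # Independent indicator, whatever the tier: non-ASCII characters in a key name or
    # path (present in the ZeroAccess service entry in this thread) deserve a look.
    if any(ord(ch) > 127 for ch in det.body):
        det.reasons.append("non-ASCII characters in key or path")
    return det


def triage(lines: List[str]) -> Dict[str, List[Detection]]:
    """Parse and classify every detection line; non-detection lines are skipped."""
    buckets: Dict[str, List[Detection]] = {"select": [], "review": []}
    for line in lines:
        det = parse_line(line)
        if det is not None:
            buckets[classify(det).tier].append(det)
    return buckets


if __name__ == "__main__":
    for tier, dets in triage(SAMPLE_LINES).items():
        print(f"== {tier} ({len(dets)}) ==")
        for d in dets:
            print(f"[{d.category}] {d.body[:70]}...  # {'; '.join(d.reasons)}")
```

Run it to print the two tiers; feeding it a whole RKreport file works too, because lines that are not detections (section headers, the MBR block) are skipped. The one PUM.DesktopIcons entry Kevin did tick shows why the review tier is still read by a person rather than deleted automatically.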

Dear Kevin,

Yes, my weekend has been great, thank you. I am quite blessed.

 

Thank you so much for all the time and care you have devoted to this mess. My dad gets a LOT of malware, and I am really hoping that Premium MBAM will prevent this in the future, as I have been using it for years and have never had an issue, but I also haven't clicked every link on the internet. He only had the free version until lately.

 

On my computer, in MBAM, if I go to History, I can sort the application logs by date/type/etc. I tried to do the same on his computer, under Quarantine, to see the most recent ones, but when I click the column header, it doesn't do anything. I do not have anything under Quarantine on my computer, so I can't try it, but it seems like it should sort them. That is kind of annoying me, but maybe that is just the way it is.  

 

The last reboot took three minutes. YAY, as you predicted! I think that is pretty good for his computer, since it is kind of old. In Task Manager, his cpu is down to 3-5%, and RAM 800MB, from ( cpu 30-100%, RAM 1-1.5 GB).  Maybe the boogers are nearly cleaned out? Do we not care about the other things in Rogue Killer? I guess it is crying wolf?

 

Please find the logs below:

 

RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Roger [Administrator]
Mode : Delete -- Date : 11/16/2014  14:44:56
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 17 ¤¤¤
[Hj.RegVal] HKEY_LOCAL_MACHINE\RK_Software_ON_D_1CB6\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe  -> Replaced (explorer.exe)
[suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\uglorpow -> Deleted
[suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\uglorpow -> Deleted
[ZeroAccess] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\?etadpug -> Deleted
[ZeroAccess] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\?etadpug -> Deleted
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Not selected
[PUM.HomePage] HKEY_USERS\S-1-5-21-192517801-774707061-2340149944-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.aol.com  -> Not selected
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome  -> Not selected
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] HKEY_USERS\S-1-5-21-192517801-774707061-2340149944-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch  -> Not selected
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-192517801-774707061-2340149944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_D_1CB6\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\RK_Software_ON_D_1CB6\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-192517801-774707061-2340149944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {645FF040-5081-101B-9F08-00AA002F954E} : 1  -> Replaced (0)
 
¤¤¤ Tasks : 1 ¤¤¤
[suspicious.Path] \\Carbonite Upgrade Check -- "C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe" /silent -> Deleted
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3160812AS +++++
--- User ---
[MBR] 1399b4f86eee5621dcbc6604b7b7784b
[bSP] 12363dafc8b1110c9583683a9ba0f769 : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 112640 | Size: 10240 MB
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 21084160 | Size: 142291 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
============================================
RKreport_SCN_11162014_125849.log
 
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/16/2014
Scan Time: 2:49:24 PM
Logfile: mbam.txt
Administrator: Yes
 
Version: 2.00.3.1025
Malware Database: v2014.11.16.05
Rootkit Database: v2014.11.12.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled
 
OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Roger
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 319007
Time Elapsed: 21 min, 44 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.17, October 2014 (build 5.17.10700.0)
Started On Sat Nov 01 03:53:23 2014
 
Engine: 1.1.11005.0
Signatures: 1.185.2035.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Sat Nov 01 03:59:07 2014
 
 
Return code: 0 (0x0)
 
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.18, November 2014 (build 5.18.10802.0)
Started On Sun Nov 16 15:49:18 2014
 
Engine: 1.1.11104.0
Signatures: 1.187.1116.0
 
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Sun Nov 16 15:55:53 2014
 
 
Return code: 0 (0x0)

Thanks for the logs, yep I believe we have finally cleaned out all infections. As you suspect, the rest of the entries in the RK log are harmless. All we need to do now is clean up....

 

Download and run this:

http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE

That will remove Combofix and associated folders...
 

Next,

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double-click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

 

Make sure the following items are checked:

 


    Activate UAC
    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry backup with ERUNT; the backup will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that back up folder if you consider it as not needed...

 

Any remnant files/logs from tools we have used can be deleted…

 

Finally,

 

Read the following link to fully understand PC security and best practices, your father may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if any further help/advice is needed, or if we can close out...

 

Thank you,

 

Kevin....


Dear Kevin,

I have done the steps above and the computer seems to be working great! The bleeping computer link came right up, with very little delay. It has just been miserably slow until now, in every respect. I will print out that page and go over it with him. I set his MBAM to Threat Scan every day. I thank you so much for your help. Case closed!

Sincerely,

Laura


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

