Ransomware removal and Windows fix


4 replies to this topic

#1 jkjackson
  • Members
  • 3 posts

Posted 10 November 2013 - 06:21 PM

Hi, last week my system got infected by a strain of the Interpol ransomware virus. From reading at this site, it seems to have included the "ZeroAccess" virus. I believe I removed the virus per your instructions. I am running Windows 8. The operating system isn't functioning correctly: can't access Store, Photos, and many more of the tiles. Windows Defender won't start, and I get errors when trying to run PDF files: "invalid value for registry". Attached is the DDS log.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 10.45.2
Run by Deborah at 14:45:58 on 2013-11-10
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3912.2502 [GMT -8:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\dwm.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BBSvc.exe
C:\Windows\system32\taskhostex.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\dashost.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Elantech\ETDService.exe
C:\Program Files (x86)\Launch Manager\LMutilps32.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SMEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler64.exe
C:\Windows\RfBtnSvc64.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Corel\Corel PDF Fusion\CorelCreatorClient.exe
C:\Program Files\Elantech\ETDCtrlHelper.exe
C:\Windows\system32\CorelCreatorMessages.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe
C:\Users\Deborah\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe
C:\Program Files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\CyberLink\MediaEspresso\DeviceDetector\DeviceDetector.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Nero\Update\NASvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
C:\Windows\System32\Taskmgr.exe
C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\SeaPort.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://acer13.msn.com
BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BingExt.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\coieplg.dll
TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BingExt.dll
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [Fitbit Connect] "C:\Program Files (x86)\Fitbit Connect\Fitbit Connect.exe" /autorun
uRun: [ALconnect] C:\Users\Deborah\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe
mRun: [LManager] <no file>
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\GATEWA~1.LNK - C:\Program Files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
TCP: NameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{5CAF1B3C-AB5B-4C31-970F-6B7E575C062D} : DHCPNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{5CAF1B3C-AB5B-4C31-970F-6B7E575C062D}\2375942554434313 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{5CAF1B3C-AB5B-4C31-970F-6B7E575C062D}\2375942554536383 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{5CAF1B3C-AB5B-4C31-970F-6B7E575C062D}\25D4 : DHCPNameServer = 66.75.164.89 66.75.164.90
TCP: Interfaces\{5CAF1B3C-AB5B-4C31-970F-6B7E575C062D}\34F657E64797C496262716279775966496 : DHCPNameServer = 10.48.146.81 10.48.146.16
TCP: Interfaces\{5CAF1B3C-AB5B-4C31-970F-6B7E575C062D}\960586F6E656 : DHCPNameServer = 66.1.61.7 68.29.1.7
TCP: Interfaces\{5CAF1B3C-AB5B-4C31-970F-6B7E575C062D}\A45627F6E6563702960786F6E656 : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{90F58013-5701-4859-A2FC-1E9E2779B9A7} : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{9D8332ED-FC23-4185-8C74-3510D04A2F43} : DHCPNameServer = 192.168.0.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [CorelCreatorClient] C:\Program Files (x86)\Corel\Corel PDF Fusion\CorelCreatorClient.exe
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 iaStorA;iaStorA;C:\Windows\System32\Drivers\iaStorA.sys [2012-9-27 645952]
R2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\BBSvc.EXE [2013-7-23 193696]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2012-9-4 348784]
R2 ETDService;Elan Service;C:\Program Files\Elantech\ETDService.exe [2012-9-4 28560]
R2 Fitbit Connect;Fitbit Connect Service;C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe [2013-2-25 1239584]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2012-9-27 2451456]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2012-9-27 165760]
R2 MSSQL$SMEXPRESS;SQL Server (SMEXPRESS);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SMEXPRESS\MSSQL\Binn\sqlservr.exe [2008-7-10 40999448]
R2 NAUpdate;Nero Update;C:\Program Files (x86)\Nero\Update\NASvc.exe [2011-11-25 687400]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\20.4.0.40\ccsvchst.exe [2013-6-14 144368]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe [2012-8-22 259136]
R2 RfButtonDriverService;Dritek RF Button Command Service;C:\Windows\RfBtnSvc64.exe [2012-9-27 93296]
R2 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-10-9 3275136]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2012-9-27 364416]
R2 ZAtheros Wlan Agent;ZAtheros Wlan Agent;C:\Program Files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe [2012-9-27 81536]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.2.241.0\SeaPort.EXE [2013-7-23 240288]
R3 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130116.013\BHDrvx64.sys [2013-1-15 1388120]
R3 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\System32\Drivers\NISx64\1404000.028\ccsetx64.sys [2013-6-14 169048]
R3 CorelCreatorMessages;CorelCreatorMessages;C:\Windows\System32\CorelCreatorMessages.exe [2011-12-13 105984]
R3 ePowerSvc;ePower Service;C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe [2012-8-22 658576]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-12-5 138912]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\System32\Drivers\ETD.sys [2012-9-4 318864]
R3 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130131.001\IDSviA64.sys [2013-1-31 513184]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\Drivers\IntcDAud.sys [2012-9-4 342528]
R3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;C:\Windows\System32\Drivers\L1C63x64.sys [2012-9-4 110744]
R3 Ps2Kb2Hid;PS/2 Keyboard to HID Driver;C:\Windows\System32\Drivers\aPs2Kb2Hid.sys [2012-9-27 26736]
R3 SymDS;Symantec Data Store;C:\Windows\System32\Drivers\NISx64\1404000.028\symds64.sys [2013-6-14 493656]
R3 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\Drivers\NISx64\1404000.028\symefa64.sys [2013-6-14 1139800]
R3 SymIRON;Symantec Iron Driver;C:\Windows\System32\Drivers\NISx64\1404000.028\ironx64.sys [2013-6-14 224416]
R3 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\Drivers\NISx64\1404000.028\symnets.sys [2013-6-14 433752]
R3 WUDFWpdMtp;WUDFWpdMtp;C:\Windows\System32\Drivers\WUDFRd.sys [2012-7-25 198656]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S3 DeviceFastLaneService;Device Fast-lane Service;C:\Program Files\Gateway\Gateway Device Fast-lane\DeviceFastLaneSvc.exe [2012-8-22 468624]
S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\System32\Drivers\netaapl64.sys [2013-7-25 23040]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\Drivers\RtsPStor.sys [2012-9-27 339600]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\System32\Drivers\rtwlane.sys [2012-6-29 1119232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\Drivers\usbaapl64.sys [2012-12-13 54784]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqladhlp.exe [2008-7-10 47128]
S4 SQLAgent$SMEXPRESS;SQL Server Agent (SMEXPRESS);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10.SMEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-7-10 369688]
S4 SymELAM;Symantec ELAM Driver;C:\Windows\System32\Drivers\NISx64\1404000.028\symelam.sys [2013-6-14 23448]
.
=============== Created Last 30 ================
.
2013-11-10 19:38:03 -------- d-----w- C:\Windows\LastGood.Tmp
2013-11-10 02:11:06 -------- dc-h--w- C:\Users\Deborah\AppData\Local\{41B0511B-5C0E-4DDF-9BB1-677E3DA47DCC}
2013-11-10 02:10:51 -------- d-----w- C:\Users\Deborah\AppData\Local\PackageAware
2013-11-05 11:02:05 -------- d-----w- C:\Windows\System32\catroot2
2013-11-05 07:17:22 342704 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10224.bin
2013-11-04 22:01:52 -------- d-----w- C:\Windows\softwaredistribution.bak1
2013-11-04 21:48:19 -------- d-----w- C:\Windows\System32\wbem\repository
2013-11-04 21:47:09 -------- d-----w- C:\Windows\SysWow64\wbem\Performance
2013-11-04 21:17:31 -------- d-----w- C:\Program Files (x86)\Tweaking.com
2013-11-03 23:56:17 -------- d-----w- C:\Program Files (x86)\FileHippo.com
2013-11-03 22:49:17 -------- d-----w- C:\ProgramData\Oracle
2013-11-03 22:49:10 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-11-03 22:20:50 -------- d-----w- C:\FRST
2013-11-03 02:51:59 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2013-11-03 01:23:15 -------- d-----w- C:\Users\Deborah\AppData\Local\5eI8FWUPx
2013-11-01 18:11:31 -------- d-----w- C:\Windows\ERUNT
2013-11-01 17:36:33 -------- d-----w- C:\AdwCleaner
2013-11-01 17:15:47 -------- d-----w- C:\Users\Deborah\AppData\Local\VPpwXSskEjH
2013-10-31 20:10:37 -------- d-----r- C:\Program Files (x86)\Skype
2013-10-20 16:56:55 1374208 ----a-w- C:\Windows\System32\wdc.dll
2013-10-20 16:55:58 785624 ----a-w- C:\Windows\System32\drivers\Wdf01000.sys
2013-10-13 17:33:18 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-10-13 17:33:18 -------- d-----w- C:\Program Files\iTunes
2013-10-13 17:33:18 -------- d-----w- C:\Program Files\iPod
2013-10-13 17:33:18 -------- d-----w- C:\Program Files (x86)\iTunes
.
==================== Find3M  ====================
.
2013-11-08 18:42:35 952 --s-a-w- C:\ProgramData\KGyGaAvL.sys
2013-10-02 01:38:13 78296 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-10-02 01:38:13 694232 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-09-22 23:28:06 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-09-22 23:27:49 2876928 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-09-22 22:55:10 2241024 ----a-w- C:\Windows\System32\wininet.dll
2013-09-22 22:54:51 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2013-08-23 05:11:57 4040192 ----a-w- C:\Windows\System32\win32k.sys
2013-08-16 05:41:13 58200 ----a-w- C:\Windows\System32\drivers\dam.sys
2013-08-16 05:39:26 2371728 ----a-w- C:\Windows\System32\WSService.dll
2013-08-16 05:32:48 209200 ----a-w- C:\Windows\System32\NotificationUI.exe
2013-08-16 05:22:22 40448 ----a-w- C:\Windows\System32\wuapp.exe
2013-08-16 05:22:11 4917760 ----a-w- C:\Windows\System32\sppsvc.exe
2013-08-16 05:20:30 105984 ----a-w- C:\Windows\System32\WinSetupUI.dll
2013-08-15 22:43:21 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2013-08-15 22:43:07 84992 ----a-w- C:\Windows\SysWow64\wudriver.dll
2013-08-15 22:43:07 126976 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2013-08-15 22:43:03 562688 ----a-w- C:\Windows\SysWow64\WSShared.dll
2013-08-15 22:43:03 159232 ----a-w- C:\Windows\SysWow64\WSSync.dll
2013-08-15 22:43:02 83968 ----a-w- C:\Windows\SysWow64\OEMLicense.dll
2013-08-15 22:43:02 167424 ----a-w- C:\Windows\SysWow64\WSClient.dll
2013-08-15 22:43:02 143872 ----a-w- C:\Windows\SysWow64\Windows.ApplicationModel.Store.dll
2013-08-15 22:43:02 124928 ----a-w- C:\Windows\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll
2013-08-15 22:42:52 76800 ----a-w- C:\Windows\SysWow64\setupcln.dll
2013-08-15 22:42:47 91648 ----a-w- C:\Windows\SysWow64\sppc.dll
.
============= FINISH: 14:47:04.71 ===============

Attached File: DDTS file.txt (11.79KB)
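The DDS log above is the kind of output a helper reads by hand, looking for processes started from user-writable locations and for oddly named folders that appeared around the time of the infection. As an added example (not part of this thread, and not code from DDS, RogueKiller or BleepingComputer), the Python script below parses the "Running Processes" and "Created Last 30" sections of a DDS-style log and flags exactly those two things. The sample log embedded in the script is constructed from a handful of lines of the log above; the section names, the user-writable path list, the GUID exclusion and the random-name scoring thresholds are assumptions made for this example, and anything it flags is a lead for a human to check, not a verdict.

```python
"""DDS-style log triage helper.

Added example; not code from DDS, RogueKiller or BleepingComputer. It reads the
"Running Processes" and "Created Last 30" sections of a DDS log and flags
(a) processes whose image lives in a user-writable directory and
(b) newly created AppData\\Local folders whose names look random.
The section names, the user-writable path list and the scoring thresholds
are assumptions made for this example.
"""
import re

# Constructed sample: a handful of lines taken from the DDS log in this thread.
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Users\Deborah\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
.
=============== Created Last 30 ================
.
2013-11-10 02:11:06 -------- dc-h--w- C:\Users\Deborah\AppData\Local\{41B0511B-5C0E-4DDF-9BB1-677E3DA47DCC}
2013-11-10 02:10:51 -------- d-----w- C:\Users\Deborah\AppData\Local\PackageAware
2013-11-03 01:23:15 -------- d-----w- C:\Users\Deborah\AppData\Local\5eI8FWUPx
2013-11-01 17:15:47 -------- d-----w- C:\Users\Deborah\AppData\Local\VPpwXSskEjH
2013-10-31 20:10:37 -------- d-----r- C:\Program Files (x86)\Skype
.
==================== Find3M  ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Directories any standard user can write to (assumption: extend to taste).
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.IGNORECASE)
# "<date> <time> <size or -------->  <attributes>  <path>"
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]+\}$")
VOWELS = set("aeiouAEIOU")


def parse_sections(text):
    """Map each '=== Name ===' header to the non-empty lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def flag_user_writable_processes(lines):
    """Running processes whose image path sits in a user-writable directory."""
    return [line for line in lines if USER_WRITABLE_RE.search(line)]


def looks_random(name):
    """Cheap heuristic: digits mixed in, few vowels, frequent case changes.
    Two of the three signals must fire (thresholds are assumptions)."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 4:
        return False
    has_digit = any(c.isdigit() for c in name)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    case_changes = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    case_ratio = case_changes / (len(letters) - 1)
    score = int(has_digit) + int(vowel_ratio < 0.3) + int(case_ratio >= 0.3)
    return score >= 2


def flag_random_appdata_folders(lines):
    """Newly created AppData\\Local folders whose leaf name looks random.
    GUID-named folders are skipped because installers create them legitimately."""
    flagged = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4)
        if not attrs.startswith("d"):
            continue  # only directories
        if not re.search(r"\\AppData\\Local\\[^\\]+$", path, re.IGNORECASE):
            continue
        leaf = path.rsplit("\\", 1)[-1]
        if GUID_RE.match(leaf):
            continue
        if looks_random(leaf):
            flagged.append(path)
    return flagged


def triage(text):
    """Run both checks over a DDS-style log and return the leads found."""
    sections = parse_sections(text)
    return {
        "user_writable_processes": flag_user_writable_processes(
            sections.get("Running Processes", [])),
        "random_appdata_folders": flag_random_appdata_folders(
            sections.get("Created Last 30", [])),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {len(hits)} lead(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample it reports the ALconnect.exe image under AppData\Roaming and the Skype C2C service under ProgramData as user-writable process paths, and the two folders 5eI8FWUPx and VPpwXSskEjH as random-looking; PackageAware and the GUID-named folder are left alone. The same AppData\Roaming heuristic is what RogueKiller's [SUSP PATH] tag expresses later in this thread.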
 




 


#2 jkjackson
  • Topic Starter
  • Members
  • 3 posts

Posted 10 November 2013 - 06:22 PM

Any help provided will be greatly appreciated!!



#3 nasdaq
  • Malware Response Team
  • 39,246 posts
  • Location: Montreal, QC, Canada

Posted 12 November 2013 - 10:42 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE RogueKiller for 32-bit or RogueKiller for 64-bit to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Tutorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If, after running ComboFix, you get the error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply; DO NOT ATTACH THEM.
Let me know what problem persists.

#4 jkjackson
  • Topic Starter
  • Members
  • 3 posts

Posted 12 November 2013 - 01:22 PM

Hi, thanks for helping. Here are the files per your request. I did not run a clean in ADW as I was a little confused by the instructions.

Rogue Killer

RogueKiller V8.7.7 _x64_ [Nov 11 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Deborah [Admin rights]
Mode : Remove -- Date : 11/12/2013 08:53:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] ALconnect.exe -- C:\Users\Deborah\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : ALconnect (C:\Users\Deborah\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe [7]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-986810558-1886413747-3722812129-1001\[...]\Run : ALconnect (C:\Users\Deborah\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe [7]) -> [0x2] The system cannot find the file specified.

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9500325AS +++++
--- User ---
[MBR] f0cc59c1319c6dd952d729672ab814e0
[BSP] 915c289b083490dd4842e053365ffcb2 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097152 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_11122013_085308.txt >>
RKreport[0]_S_11122013_085241.txt

ADW

# AdwCleaner v3.012 - Report created 12/11/2013 at 08:57:42
# Updated 11/11/2013 by Xplode
# Operating System : Windows 8  (64 bits)
# Username : Deborah - DEBORAHS
# Running from : C:\Users\Deborah\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NOU9OMV3\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found C:\Program Files (x86)\NCH Software
Folder Found C:\ProgramData\NCH Software
Folder Found C:\ProgramData\wincert
Folder Found C:\Users\Deborah\AppData\Local\PackageAware
Folder Found C:\Users\Deborah\AppData\Roaming\NCH Software

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\NCH Software
Key Found : [x64] HKCU\Software\NCH Software
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe
Key Found : HKLM\Software\NCH Software

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16537

-\\ Google Chrome v30.0.1599.101

[ File : C:\Users\Deborah\AppData\Local\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Users\haynes\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [5026 octets] - [01/11/2013 09:36:39]
AdwCleaner[R1].txt - [934 octets] - [02/11/2013 06:59:41]
AdwCleaner[R4].txt - [1683 octets] - [12/11/2013 08:57:42]
AdwCleaner[S0].txt - [4779 octets] - [01/11/2013 09:37:39]
AdwCleaner[S1].txt - [994 octets] - [02/11/2013 07:00:52]

########## EOF - C:\AdwCleaner\AdwCleaner[R4].txt - [1862 octets] ##########

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 8 x64
Ran by Deborah on Tue 11/12/2013 at  9:15:06.63
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

Failed to delete: [Folder] "C:\ProgramData\wincert"

 

~~~ Chrome

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\aaaaabcbmongicmdegkmmfgdickgnnob
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome\Extensions\aaaaabcbmongicmdegkmmfgdickgnnob

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 11/12/2013 at  9:19:34.56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Combo Fix

ComboFix 13-11-11.01 - Deborah 11/12/2013   9:27.1.2 - x64
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.3912.2593 [GMT -8:00]
Running from: c:\users\Deborah\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\Fitbit Connect\Fitbit Connect.exe
c:\users\Deborah\Desktop\Internet Security.lnk
c:\users\Deborah\Documents\~WRL2805.tmp
c:\windows\PFRO.log
c:\windows\SysWow64\FlashPlayerApp.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-12 to 2013-11-12  )))))))))))))))))))))))))))))))
.
.
2013-11-12 17:40 . 2013-11-12 17:40 -------- d-----w- c:\users\haynes\AppData\Local\temp
2013-11-12 17:40 . 2013-11-12 17:40 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-11-12 17:40 . 2013-11-12 17:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-10 19:38 . 2013-11-10 19:38 -------- d-----w- c:\windows\LastGood.Tmp
2013-11-10 02:11 . 2013-11-10 02:11 -------- dc-h--w- c:\users\Deborah\AppData\Local\{41B0511B-5C0E-4DDF-9BB1-677E3DA47DCC}
2013-11-10 02:10 . 2013-11-10 02:10 -------- d-----w- c:\users\Deborah\AppData\Local\PackageAware
2013-11-08 18:42 . 2013-11-08 18:42 -------- d-----w- c:\users\Guest\AppData\Local\CrashDumps
2013-11-08 18:42 . 2013-11-08 18:42 -------- d-----w- c:\users\Guest\AppData\Roaming\Corel
2013-11-05 11:02 . 2013-11-06 17:13 -------- d-----w- c:\windows\system32\catroot2
2013-11-05 07:17 . 2013-11-05 07:17 342704 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10224.bin
2013-11-04 22:01 . 2013-11-05 14:23 -------- d-----w- c:\windows\softwaredistribution.bak1
2013-11-04 21:48 . 2013-11-10 22:29 -------- d-----w- c:\windows\system32\wbem\repository
2013-11-04 21:47 . 2013-11-04 21:47 -------- d-----w- c:\windows\SysWow64\wbem\Performance
2013-11-04 21:45 . 2013-11-04 22:12 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-11-04 21:17 . 2013-11-04 21:17 -------- d-----w- c:\program files (x86)\Tweaking.com
2013-11-03 23:56 . 2013-11-03 23:56 -------- d-----w- c:\program files (x86)\FileHippo.com
2013-11-03 22:49 . 2013-11-03 22:49 -------- d-----w- c:\programdata\Oracle
2013-11-03 22:49 . 2013-11-03 22:49 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-11-03 22:49 . 2013-10-08 15:50 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-11-03 22:20 . 2013-11-03 22:20 -------- d-----w- C:\FRST
2013-11-03 02:51 . 2013-11-03 18:40 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-11-03 02:48 . 2013-11-03 02:48 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2013-11-03 01:23 . 2013-11-03 03:12 -------- d-----w- c:\users\Deborah\AppData\Local\5eI8FWUPx
2013-11-01 18:11 . 2013-11-01 18:11 -------- d-----w- c:\windows\ERUNT
2013-11-01 17:40 . 2013-11-01 17:42 -------- d-----w- c:\users\jj
2013-11-01 17:36 . 2013-11-12 16:58 -------- d-----w- C:\AdwCleaner
2013-11-01 17:19 . 2013-11-01 17:19 -------- d-----w- c:\windows\ServiceProfiles\LocalService\winhttp
2013-11-01 17:15 . 2013-11-02 05:27 -------- d-----w- c:\users\Deborah\AppData\Local\VPpwXSskEjH
2013-10-31 20:10 . 2013-11-08 23:45 -------- d-----w- c:\users\Deborah\AppData\Roaming\Skype
2013-10-31 20:10 . 2013-10-31 20:11 -------- d-----r- c:\program files (x86)\Skype
2013-10-31 20:10 . 2013-10-31 20:10 -------- d-----w- c:\program files (x86)\Common Files\Skype
2013-10-31 20:10 . 2013-10-31 20:11 -------- d-----w- c:\programdata\Skype
2013-10-20 16:56 . 2013-08-03 06:40 1374208 ----a-w- c:\windows\system32\wdc.dll
2013-10-20 16:55 . 2013-06-22 05:45 785624 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-08 18:42 . 2012-12-11 04:44 952 --s-a-w- c:\programdata\KGyGaAvL.sys
2013-10-02 01:38 . 2012-07-26 08:14 78296 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-09-29 20:42 . 2012-12-07 17:13 50784 ----a-w- c:\programdata\Microsoft\windowsfiltering\Sqm\Manifest\Sqm3.bin
2013-09-26 09:46 . 2012-12-16 22:00 80541720 ----a-w- c:\windows\system32\MRT.exe
2013-08-16 05:41 . 2013-09-11 15:56 58200 ----a-w- c:\windows\system32\drivers\dam.sys
2013-08-16 05:39 . 2013-09-11 15:56 2371728 ----a-w- c:\windows\system32\WSService.dll
2013-08-16 05:39 . 2013-09-11 15:56 59416 ----a-w- c:\windows\system32\wuauclt.exe
2013-08-16 05:32 . 2013-09-11 15:56 209200 ----a-w- c:\windows\system32\NotificationUI.exe
2013-08-16 05:22 . 2013-09-11 15:56 40448 ----a-w- c:\windows\system32\wuapp.exe
2013-08-16 05:22 . 2013-09-11 15:56 4917760 ----a-w- c:\windows\system32\sppsvc.exe
2013-08-16 05:21 . 2013-09-11 15:56 3275776 ----a-w- c:\windows\system32\wuaueng.dll
2013-08-16 05:21 . 2013-09-11 15:56 49664 ----a-w- c:\windows\system32\wups.dll
2013-08-16 05:21 . 2013-09-11 15:56 49152 ----a-w- c:\windows\system32\wups2.dll
2013-08-16 05:21 . 2013-09-11 15:56 252416 ----a-w- c:\windows\system32\WUSettingsProvider.dll
2013-08-16 05:21 . 2013-09-11 15:56 1621504 ----a-w- c:\windows\system32\wucltux.dll
2013-08-16 05:21 . 2013-09-11 15:56 99328 ----a-w- c:\windows\system32\wudriver.dll
2013-08-16 05:21 . 2013-09-11 15:56 142848 ----a-w- c:\windows\system32\wuwebv.dll
2013-08-16 05:21 . 2013-09-11 15:56 773120 ----a-w- c:\windows\system32\wuapi.dll
2013-08-16 05:21 . 2013-09-11 15:56 688640 ----a-w- c:\windows\system32\WSShared.dll
2013-08-16 05:21 . 2013-09-11 15:56 183808 ----a-w- c:\windows\system32\WSSync.dll
2013-08-16 05:21 . 2013-09-11 15:56 204800 ----a-w- c:\windows\system32\WSClient.dll
2013-08-16 05:21 . 2013-09-11 15:56 198656 ----a-w- c:\windows\system32\Windows.ApplicationModel.Store.dll
2013-08-16 05:21 . 2013-09-11 15:56 163840 ----a-w- c:\windows\system32\Windows.ApplicationModel.Store.TestingFramework.dll
2013-08-16 05:21 . 2013-09-11 15:56 174592 ----a-w- c:\windows\system32\storewuauth.dll
2013-08-16 05:21 . 2013-09-11 15:56 1164288 ----a-w- c:\windows\system32\sppobjs.dll
2013-08-16 05:21 . 2013-09-11 15:56 368640 ----a-w- c:\windows\system32\sppwinob.dll
2013-08-16 05:21 . 2013-09-11 15:56 81408 ----a-w- c:\windows\system32\setupcln.dll
2013-08-16 05:21 . 2013-09-11 15:56 120320 ----a-w- c:\windows\system32\sppc.dll
2013-08-16 05:20 . 2013-09-11 15:56 105984 ----a-w- c:\windows\system32\WinSetupUI.dll
2013-08-15 22:43 . 2013-09-11 15:56 35328 ----a-w- c:\windows\SysWow64\wuapp.exe
2013-08-15 22:43 . 2013-09-11 15:56 628736 ----a-w- c:\windows\SysWow64\wuapi.dll
2013-08-15 22:43 . 2013-09-11 15:56 84992 ----a-w- c:\windows\SysWow64\wudriver.dll
2013-08-15 22:43 . 2013-09-11 15:56 20992 ----a-w- c:\windows\SysWow64\wups.dll
2013-08-15 22:43 . 2013-09-11 15:56 126976 ----a-w- c:\windows\SysWow64\wuwebv.dll
2013-08-15 22:43 . 2013-09-11 15:56 562688 ----a-w- c:\windows\SysWow64\WSShared.dll
2013-08-15 22:43 . 2013-09-11 15:56 159232 ----a-w- c:\windows\SysWow64\WSSync.dll
2013-08-15 22:43 . 2013-09-11 15:56 143872 ----a-w- c:\windows\SysWow64\Windows.ApplicationModel.Store.dll
2013-08-15 22:43 . 2013-09-11 15:56 167424 ----a-w- c:\windows\SysWow64\WSClient.dll
2013-08-15 22:43 . 2013-09-11 15:56 124928 ----a-w- c:\windows\SysWow64\Windows.ApplicationModel.Store.TestingFramework.dll
2013-08-15 22:43 . 2013-09-11 15:56 83968 ----a-w- c:\windows\SysWow64\OEMLicense.dll
2013-08-15 22:42 . 2013-09-11 15:55 76800 ----a-w- c:\windows\SysWow64\setupcln.dll
2013-08-15 22:42 . 2013-09-11 15:56 91648 ----a-w- c:\windows\SysWow64\sppc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{1dad3af3-ef2f-4f64-ac4b-11789189fcb6}]
2013-07-23 09:46 1451680 ----a-w- c:\program files (x86)\Microsoft\BingBar\7.2.241.0\BingExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-09-14 59720]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-09-15 59720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-10-01 152392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\StartUp\
Gateway MyBackup Tray.lnk - c:\program files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe -h -k [2012-8-22 533568]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2011-4-29 276328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.2.241.0\BBSvc.exe;c:\program files (x86)\Microsoft\BingBar\7.2.241.0\BBSvc.exe [x]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 DeviceFastLaneService;Device Fast-lane Service;c:\program files\Gateway\Gateway Device Fast-lane\DeviceFastLaneSvc.exe;c:\program files\Gateway\Gateway Device Fast-lane\DeviceFastLaneSvc.exe [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsPStor.sys [x]
R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtwlane.sys;c:\windows\SYSNATIVE\DRIVERS\rtwlane.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\System32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys;c:\windows\SYSNATIVE\DRIVERS\WUDFRd.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE;c:\program files (x86)\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 SQLAgent$SMEXPRESS;SQL Server Agent (SMEXPRESS);c:\program files (x86)\Microsoft SQL Server\MSSQL10.SMEXPRESS\MSSQL\Binn\SQLAGENT.EXE;c:\program files (x86)\Microsoft SQL Server\MSSQL10.SMEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
R4 SymELAM;Symantec ELAM Driver;c:\windows\system32\drivers\NISx64\1404000.028\SymELAM.sys;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SymELAM.sys [x]
S0 iaStorA;iaStorA;c:\windows\System32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
S2 ETDService;Elan Service;c:\program files\Elantech\ETDService.exe;c:\program files\Elantech\ETDService.exe [x]
S2 Fitbit Connect;Fitbit Connect Service;c:\program files (x86)\Fitbit Connect\FitbitConnectService.exe;c:\program files (x86)\Fitbit Connect\FitbitConnectService.exe [x]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 MSSQL$SMEXPRESS;SQL Server (SMEXPRESS);c:\program files (x86)\Microsoft SQL Server\MSSQL10.SMEXPRESS\MSSQL\Binn\sqlservr.exe;c:\program files (x86)\Microsoft SQL Server\MSSQL10.SMEXPRESS\MSSQL\Binn\sqlservr.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe;c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe [x]
S2 RfButtonDriverService;Dritek RF Button Command Service;c:\windows\RfBtnSvc64.exe;c:\windows\RfBtnSvc64.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 ZAtheros Wlan Agent;ZAtheros Wlan Agent;c:\program files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe;c:\program files (x86)\Qualcomm Atheros\Ath_WlanAgent.exe [x]
S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.2.241.0\SeaPort.exe;c:\program files (x86)\Microsoft\BingBar\7.2.241.0\SeaPort.exe [x]
S3 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130116.013\BHDrvx64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130116.013\BHDrvx64.sys [x]
S3 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NISx64\1404000.028\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\ccSetx64.sys [x]
S3 CorelCreatorMessages;CorelCreatorMessages;c:\windows\system32\CorelCreatorMessages.exe;c:\windows\SYSNATIVE\CorelCreatorMessages.exe [x]
S3 ePowerSvc;ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
S3 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130131.001\IDSvia64.sys;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130131.001\IDSvia64.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C63x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C63x64.sys [x]
S3 Ps2Kb2Hid;PS/2 Keyboard to HID Driver;c:\windows\System32\drivers\aPs2Kb2Hid.sys;c:\windows\SYSNATIVE\drivers\aPs2Kb2Hid.sys [x]
S3 SymDS;Symantec Data Store;c:\windows\system32\drivers\NISx64\1404000.028\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMDS64.SYS [x]
S3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NISx64\1404000.028\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\SYMEFA64.SYS [x]
S3 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NISx64\1404000.028\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\NISx64\1404000.028\Ironx64.SYS [x]
S3 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NISx64\1404000.028\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\NISx64\1404000.028\SYMNETS.SYS [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-18 03:00 1185744 ----a-w- c:\program files (x86)\Google\Chrome\Application\30.0.1599.101\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-08 01:34]
.
2013-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-08 01:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-08-07 170304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-08-07 398656]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-08-07 440640]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2012-07-27 12937872]
"CorelCreatorClient"="c:\program files (x86)\Corel\Corel PDF Fusion\CorelCreatorClient.exe" [2011-12-14 779776]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
Wow6432Node-HKCU-Run-Fitbit Connect - c:\program files (x86)\Fitbit Connect\Fitbit Connect.exe
Wow6432Node-HKLM-Run-LManager - (no file)
Wow6432Node-HKLM-Run-Fitbit Connect - c:\program files (x86)\Fitbit Connect\Fitbit Connect.exe
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
AddRemove-&{PRODUCT_NAME} - c:\program files (x86)\My Real Estate Letters\uninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2013-11-12  10:02:10
ComboFix-quarantined-files.txt  2013-11-12 18:02
.
Pre-Run: 427,386,843,136 bytes free
Post-Run: 427,234,488,320 bytes free
.
- - End Of File - - 049EF58A13775A55AF3EAF9569F428BA

 

I can now access the Store, but there seem to be no other improvements. Several tiles still don't work; it seems like the Windows integrated programs are not working: IE, Reader and Photo Viewer.
 



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:13 PM

Posted 12 November 2013 - 02:20 PM

There was no ZeroAccess found on your logs.

As for the other problems with this computer, I suggest you start a new topic in the Windows 8 Forum:
http://www.bleepingcomputer.com/forums/f/209/windows-8/

Some experts with this system can possibly help you further, as this is no longer my forte.



