
regsvr32.exe is hijacking the system


This topic is locked
14 replies to this topic

#1 jeffh01

jeffh01

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:05 PM

Posted 20 November 2013 - 09:48 PM

When Windows 7 first boots up in standard mode, there are two instances of regsvr32.exe running in the Task Manager 'Processes' list. When clicking on one and selecting 'End Process', both instances disappear.


Without killing the process, no apps will open from windows.


Malwarebytes and Search & Destroy (as well as others) are not detecting anything.

Thanks in advance for any help!


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:05 AM

Posted 21 November 2013 - 07:56 AM

Hi there,
my name is Marius and I will assist you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.


Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32-bit or FRST 64-bit (if not sure which: Start --> Computer (right click) --> Properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.


Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found); we need to see a report first.

Download TDSSKiller.exe and save it to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root of the system drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


Proud Member of UNITE & TB
My help is free, however, if you want to support my fight against malware, click here --> [donate button] <-- (no worries, every little bit helps)
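The FRST scan requested above lists every autorun in its Registry section as `HIVE\...\Run: [Name] - command [size date] (publisher)`, and marks the entry that matters in this thread with `<===== ATTENTION` (it starts regsvr32.exe on a DLL under the user's AppData folder). The script below is an added example, not part of this thread and not FRST's own code: it parses lines in that format and scores entries that use regsvr32.exe or rundll32.exe to load a module kept in a user-writable directory (AppData, ProgramData, Temp). The function names (`parse_run_line`, `split_command`, `assess`, `triage`), the severity labels and the list of user-writable directories are this example's own choices; the sample lines are copied from the FRST.txt posted in reply #3.

```python
"""Triage FRST "Registry (Whitelisted)" Run/RunOnce lines for loader-based persistence.

Added example (not part of the thread, not FRST code). It parses the FRST line
format seen in this thread and scores entries that start regsvr32/rundll32 on a
DLL kept in a user-writable directory, the pattern FRST flags with ATTENTION.
"""
import ntpath
import re

# One FRST Run line:  HIVE\...\Run: [Name] - <command> [<size> <date>] (<publisher>) [<===== ATTENTION]
RUN_LINE = re.compile(
    r'^(?P<hive>HK(?:LM|CU)(?:-x32)?)\\\.\.\.\\(?P<key>Run(?:Once)?): '
    r'\[(?P<name>[^\]]*)\] - (?P<command>.*?)'
    r'(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?'
    r'(?: \((?P<publisher>[^)]*)\))?'
    r'(?: <===== ATTENTION)?\s*$'
)
# "<path>.exe <args>" when the command is not quoted (paths with spaces included)
EXE_SPLIT = re.compile(r'(.+?\.exe)(?:\s+(.*))?$', re.IGNORECASE | re.DOTALL)
# First DLL path in the argument string (rundll32 writes it as "path.dll,Entry")
DLL_ARG = re.compile(r'"?(?P<path>(?:[A-Za-z]:|%[^%]+%)\\[^",]*?\.dll)', re.IGNORECASE)
# Directories a standard user can write to without elevation (example's own list)
USER_WRITABLE = re.compile(r'\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp)\\', re.IGNORECASE)
# Signed Windows binaries commonly used to execute someone else's DLL
LOADERS = {"regsvr32.exe", "rundll32.exe"}

# Sample input: Run lines copied from the FRST.txt posted in this thread, plus one non-Run line.
SAMPLE_LINES = [
    r"HKCU\...\Run: [Unsmedia] - regsvr32.exe C:\Users\Sharon\AppData\Local\Unsmedia\usbimage.dll <===== ATTENTION",
    r"HKLM\...\Run: [RunDLLEntry_THXCfg] - C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64",
    r"HKCU\...\Run: [SUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6581488 2013-08-14] (SUPERAntiSpyware)",
    r"HKCU\...\Run: [DellSystemDetect] - C:\Users\Sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dell\Dell System Detect.appref-ms [370 2013-11-21] ()",
    r"HKLM\...\Run: [DellStage] - C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj [483424 2012-02-01] ()",
    "==================== Internet (Whitelisted) ====================",
]


def parse_run_line(line):
    """Return the fields of one FRST Run/RunOnce line, or None for any other line."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["attention"] = "<===== ATTENTION" in line
    return entry


def split_command(command):
    """Split a Run-value command into (executable, arguments)."""
    command = command.strip()
    if command.startswith('"'):                 # quoted executable path
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    m = EXE_SPLIT.match(command)                # unquoted "...exe args"
    if m:
        return m.group(1), m.group(2) or ""
    return command, ""                          # no .exe: the whole value is the target


def assess(entry):
    """Score one parsed entry as 'high', 'suspicious' or 'clean' and list the reasons."""
    exe, args = split_command(entry["command"])
    loader = ntpath.basename(exe).lower()
    payload = None
    reasons = []
    if loader in LOADERS:
        m = DLL_ARG.search(args)
        payload = m.group("path") if m else None
        reasons.append(f"{loader} used to load another module (proxy execution)")
    target = payload or exe                      # what actually runs at logon
    writable = bool(USER_WRITABLE.search(target))
    if writable:
        reasons.append("target lives in a user-writable profile or temp directory")
    if entry["attention"]:
        reasons.append("FRST marked the line ATTENTION")
    if loader in LOADERS and writable:
        severity = "high"
    elif reasons:
        severity = "suspicious"
    else:
        severity = "clean"
    return {
        "name": entry["name"], "hive": entry["hive"], "loader": loader,
        "payload": payload, "target": target, "publisher": entry["publisher"],
        "size": entry["size"], "severity": severity, "reasons": reasons,
    }


def triage(lines):
    """Parse and score every Run/RunOnce line in an FRST log excerpt, in log order."""
    return [assess(e) for e in map(parse_run_line, lines) if e]


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"{r['severity']:<10} {r['hive']:<9} [{r['name']}] -> {r['target']}")
        for reason in r["reasons"]:
            print(f"           - {reason}")
```

Feed it the Registry section of an FRST.txt (one line per list element) and read the `high` rows first: a per-user (HKCU) Run value that starts a Microsoft-signed loader on a DLL the user can overwrite is the combination FRST itself highlights, whereas rundll32 pointing at a driver's DLL in system32 or an unsigned vendor launcher in Program Files only earns a `suspicious` note for a human to confirm. FRST's own whitelist has already removed the known-good entries, so everything the script sees is worth the few seconds of review.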

#3 jeffh01

jeffh01
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:05 PM

Posted 21 November 2013 - 09:22 AM

Thank you very much! I have attached the requested files. 3 log files were created for TDSSKiller, so I attached all 3.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-11-2013
Ran by Sharon (administrator) on SHARON-PC on 22-11-2013 09:05:57
Running from C:\Users\Sharon\Desktop\install
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\system32\atiesrxx.exe
(Sensible Vision ) c:\Program Files (x86)\Sensible Vision\Fast Access\FAService.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
(Carbonite, Inc. (www.carbonite.com)) C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
(Microsoft) C:\Program Files\Dell\OSD\DellOSDservice.exe
(Microsoft) C:\Program Files\Dell\OSD\DellOSD.exe
(Eastman Kodak Company) C:\Program Files (x86)\Kodak\AiO\Center\EKAiOHostService.exe
(Eastman Kodak Company) C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKPrinterSDK.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE
(Microsoft Corporation) C:\Windows\SYSTEM32\WISPTIS.EXE
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Eastman Kodak Company) C:\WINDOWS\System32\spool\drivers\x64\3\EKIJ5000MUI.exe
(Advanced Micro Devices Inc.) c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Dell) C:\Users\Sharon\AppData\Local\Apps\2.0\7CECVEYO.E5C\4QMH7TEQ.68B\dell..tion_0f612f649c4a10af_0005.0003_bf82b4b798cbd02c\DellSystemDetect.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(SupportSoft, Inc.) C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(TeamViewer GmbH) c:\program files (x86)\teamviewer\version8\TeamViewer_Desktop.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10920552 2010-06-22] (Realtek Semiconductor)
HKLM\...\Run: [Broadcom Wireless Manager UI] - C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE [5712896 2010-02-02] (Dell Inc.)
HKLM\...\Run: [RunDLLEntry_THXCfg] - C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [RunDLLEntry_EptMon] - C:\Windows\system32\RunDLL32.exe C:\Windows\system32\EptMon64.dll,RunDLLEntry EptMon64
HKLM\...\Run: [DellStage] - C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj [483424 2012-02-01] ()
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [EKIJ5000StatusMonitor] - C:\WINDOWS\System32\spool\drivers\x64\3\EKIJ5000MUI.exe [3182080 2012-10-08] (Eastman Kodak Company)
HKLM-x32\...\RunOnce: [Launcher] - C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\Launcher.exe [163040 2010-08-11] (Softthinks)
HKLM-x32\...\RunOnce: [DSUpdateLauncher] - "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe" /NOCONSOLE /D="C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate" /RUNAS "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe" [161088 2010-07-21] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
HKCU\...\Run: [Unsmedia] - regsvr32.exe C:\Users\Sharon\AppData\Local\Unsmedia\usbimage.dll <===== ATTENTION
HKCU\...\Run: [DellSystemDetect] - C:\Users\Sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dell\Dell System Detect.appref-ms [370 2013-11-21] ()
HKCU\...\Run: [SUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6581488 2013-08-14] (SUPERAntiSpyware)
HKLM-x32\...\Run: [ShwiconXP6366] - C:\Program Files (x86)\Multimedia Card Reader(6366)\ShwiconXP6366.exe [237568 2009-07-16] (Alcor Micro Corp.)
HKLM-x32\...\Run: [StartCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-06-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Dell DataSafe Online] - C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe [1807680 2010-02-09] ()
HKLM-x32\...\Run: [FATrayAlert] - C:\Program Files (x86)\Sensible Vision\Fast Access\FATrayMon.exe [95560 2010-02-22] (Sensible Vision )
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe [498160 2009-10-15] ()
HKLM-x32\...\Run: [UCam_Menu] - C:\Program Files (x86)\Dell\Dell TouchCam\MUITransfer\MUIStartMenu.exe [218408 2009-02-25] (CyberLink Corp.)
HKLM-x32\...\Run: [THX Audio Control Panel] - C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe [963584 2009-12-01] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] - C:\WINDOWS\Updreg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [FAStartup] - [x]
HKLM-x32\...\Run: [DellSupportCenter] - C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe [206064 2009-05-21] (SupportSoft, Inc.)
HKLM-x32\...\Run: [AccuWeatherWidget] - C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\start.umj [2835443 2012-02-01] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [Conime] - %windir%\system32\conime.exe
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [EKStatusMonitor] - C:\Program Files (x86)\Kodak\AiO\StatusMonitor\EKStatusMonitor.exe [2844608 2012-10-15] (Eastman Kodak Company)
HKLM-x32\...\Run: [EKIJ5000StatusMonitor] - C:\WINDOWS\System32\spool\drivers\x64\3\EKIJ5000MUI.exe [3182080 2012-10-08] (Eastman Kodak Company)
HKLM-x32\...\Run: [Carbonite Backup] - C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1056264 2013-10-10] (Carbonite, Inc.)
HKLM-x32\...\Run: [SDTray] - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
Lsa: [Notification Packages] scecli FAPassSync

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/?mtmhp=hyplogusaolp00000015&tb_uuid=FB036E159C924157908AA0F050C1AD91
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.com/?mtmhp=hyplogusaolp00000004
SearchScopes: HKLM - DefaultScope {1D057433-6A8F-4345-B4C4-38490A32E547} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - DefaultScope {5A06E0AC-CD40-404D-A3A9-E4FA5C10E15B} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - DefaultScope {29CA9247-6329-4488-B76E-2FC817FB4E8C} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}&s_it=customie10-ie&s_qt=sb&tb_uuid=FB036E159C924157908AA0F050C1AD91&tb_oid=03-06-2013&tb_mrud=20-10-2013
SearchScopes: HKCU - {1D057433-6A8F-4345-B4C4-38490A32E547} URL = 
SearchScopes: HKCU - {29CA9247-6329-4488-B76E-2FC817FB4E8C} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}&s_it=customie10-ie&s_qt=sb&tb_uuid=FB036E159C924157908AA0F050C1AD91&tb_oid=03-06-2013&tb_mrud=20-10-2013
SearchScopes: HKCU - {5A06E0AC-CD40-404D-A3A9-E4FA5C10E15B} URL = 
BHO: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL Inc.)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: FAIESSOHelper Class - {A2F122DA-055F-4df7-8F24-7354DBDBA85B} - C:\Program Files (x86)\Sensible Vision\Fast Access\FAIESSO.dll (Sensible Vision )
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
Toolbar: HKLM-x32 - AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files (x86)\AOL Toolbar\aoltb.dll (AOL Inc.)
Toolbar: HKCU - AOL Toolbar - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 167.206.13.180 167.206.13.181

==================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [143120 2013-05-23] (SUPERAntiSpyware.com)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [3921880 2013-10-15] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1042272 2013-09-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171416 2013-09-13] (Safer-Networking Ltd.)
R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE [48128 2010-02-02] (Dell Inc.)

==================== Drivers (Whitelisted) ====================

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 cpuz134; \??\C:\Users\Sharon\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [x]
R4 RegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\regfilter.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-11-22 09:05 - 2013-11-22 09:05 - 00000000 ____D C:\FRST
2013-11-21 21:57 - 2013-11-22 02:00 - 00000512 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task ed26e8d1-5917-4bb8-abdf-4b34a88d5571.job
2013-11-21 21:57 - 2013-11-21 21:57 - 00003594 _____ C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task ed26e8d1-5917-4bb8-abdf-4b34a88d5571
2013-11-21 21:57 - 2013-11-21 21:57 - 00000000 ____D C:\Users\Sharon\AppData\Roaming\SUPERAntiSpyware.com
2013-11-21 21:56 - 2013-11-21 21:57 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-11-21 21:56 - 2013-11-21 21:56 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2013-11-21 21:51 - 2013-11-21 21:51 - 00450756 _____ C:\Windows\system32\Drivers\etc\hostsnew.txt
2013-11-21 19:49 - 2013-11-21 19:49 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2013-11-21 19:19 - 2013-11-21 19:19 - 00000000 ____D C:\ProgramData\CDB
2013-11-21 19:17 - 2013-11-21 19:20 - 00000162 _____ C:\Windows\Reimage.ini
2013-11-21 19:15 - 2013-11-21 19:15 - 00000000 ____D C:\Users\Sharon\AppData\Roaming\IObit
2013-11-21 19:15 - 2013-11-21 19:15 - 00000000 ____D C:\ProgramData\IObit
2013-11-21 19:15 - 2013-11-21 19:15 - 00000000 ____D C:\Program Files (x86)\IObit
2013-11-21 19:15 - 2012-08-23 08:13 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2013-11-21 19:15 - 2012-08-23 08:10 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpvideominiport.sys
2013-11-21 19:15 - 2012-08-23 08:07 - 00057856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2013-11-21 19:15 - 2012-08-23 07:47 - 00046592 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll
2013-11-21 19:15 - 2012-08-23 07:46 - 00016896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll
2013-11-21 19:15 - 2012-08-23 07:41 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2013-11-21 19:15 - 2012-08-23 07:40 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2013-11-21 19:15 - 2012-08-23 07:24 - 00015360 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2013-11-21 19:15 - 2012-08-23 07:20 - 00054272 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2013-11-21 19:15 - 2012-08-23 07:18 - 00037376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2013-11-21 19:15 - 2012-08-23 07:17 - 00018432 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2013-11-21 19:15 - 2012-08-23 07:06 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2013-11-21 19:15 - 2012-08-23 06:52 - 00044032 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2013-11-21 19:15 - 2012-08-23 05:20 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2013-11-21 19:15 - 2012-08-23 05:15 - 00269312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\aaclient.dll
2013-11-21 19:15 - 2012-08-23 05:14 - 00384000 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2013-11-21 19:15 - 2012-08-23 05:12 - 00192000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdpendp_winip.dll
2013-11-21 19:15 - 2012-08-23 04:54 - 00322560 _____ (Microsoft Corporation) C:\Windows\system32\aaclient.dll
2013-11-21 19:15 - 2012-08-23 04:51 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\rdpendp_winip.dll
2013-11-21 19:15 - 2012-08-23 04:39 - 01048064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2013-11-21 19:15 - 2012-08-23 04:22 - 01123840 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2013-11-21 19:15 - 2012-08-23 03:51 - 03174912 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2013-11-21 19:15 - 2012-08-23 02:19 - 04916224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2013-11-21 19:15 - 2012-08-23 02:13 - 05773824 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2013-11-21 18:34 - 2013-11-21 18:38 - 00000000 ____D C:\Windows\system32\MRT
2013-11-21 18:34 - 2013-11-07 16:00 - 82896128 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-11-21 18:27 - 2013-11-21 19:31 - 00000000 ____D C:\Users\Sharon\AppData\Local\Deployment
2013-11-21 18:27 - 2013-11-21 18:27 - 00000000 ____D C:\Users\Sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dell
2013-11-21 18:27 - 2013-11-21 18:27 - 00000000 ____D C:\Users\Sharon\AppData\Local\Apps\2.0
2013-11-21 18:16 - 2013-11-21 18:16 - 00002986 _____ C:\Windows\System32\Tasks\{47B5FDB9-B438-44DE-84A6-1F447CE26977}
2013-11-21 18:16 - 2013-11-21 18:16 - 00002986 _____ C:\Windows\System32\Tasks\{2682C714-70F0-4B35-B48C-FC433AB75A0B}
2013-11-21 18:15 - 2013-11-21 18:15 - 00002986 _____ C:\Windows\System32\Tasks\{CE8AC0DB-C65B-4187-874D-3FF7BCD8111B}
2013-11-21 18:15 - 2013-11-21 18:15 - 00002986 _____ C:\Windows\System32\Tasks\{AB03DBDD-5310-4170-A719-7604F2BBE430}
2013-11-21 18:15 - 2013-11-21 18:15 - 00002986 _____ C:\Windows\System32\Tasks\{86044BFB-5C4D-46DA-9FD4-1851C73B4621}
2013-11-21 18:15 - 2013-11-21 18:15 - 00002986 _____ C:\Windows\System32\Tasks\{687616C3-32E8-41FE-8A07-4E202DFFB712}
2013-11-21 18:15 - 2013-11-21 18:15 - 00002986 _____ C:\Windows\System32\Tasks\{06091CEA-1BD6-4468-B545-B3F32D04A0D7}
2013-11-21 18:08 - 2009-06-10 15:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts.20131121-180818.backup
2013-11-21 17:28 - 2013-11-21 17:28 - 00000000 ____D C:\Users\Sharon\AppData\Roaming\QuickScan
2013-11-21 17:22 - 2013-11-21 18:10 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-11-21 17:22 - 2013-11-21 18:10 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-11-21 17:22 - 2013-11-21 17:22 - 00000656 _____ C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-11-21 17:22 - 2013-11-21 17:22 - 00000628 _____ C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-11-21 17:22 - 2013-11-21 17:22 - 00000458 _____ C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2013-11-21 17:22 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2013-11-17 15:12 - 2013-11-21 18:12 - 00000049 _____ C:\Users\Sharon\AppData\Roaming\mbam.context.scan
2013-11-17 12:29 - 2013-11-17 12:29 - 00002990 _____ C:\Windows\System32\Tasks\{FE4DD4DD-56B2-4706-815D-31A6FFB3B700}
2013-11-17 11:07 - 2013-11-17 11:07 - 00000000 ____D C:\Users\Sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
2013-11-17 10:45 - 2013-11-20 03:05 - 00000000 ____D C:\ProgramData\nsXDarn3
2013-11-17 10:45 - 2013-11-17 10:45 - 00000000 ____D C:\Users\Sharon\AppData\Local\Unsmedia
2013-11-15 03:04 - 2013-10-12 02:45 - 02241536 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-11-15 03:04 - 2013-10-12 02:45 - 01364992 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-11-15 03:04 - 2013-10-12 02:45 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-11-15 03:04 - 2013-10-12 02:43 - 19269632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-11-15 03:04 - 2013-10-12 02:43 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-11-15 03:04 - 2013-10-12 02:43 - 03959808 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-11-15 03:04 - 2013-10-12 02:43 - 02648576 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-11-15 03:04 - 2013-10-12 02:43 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-11-15 03:04 - 2013-10-12 02:43 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-11-15 03:04 - 2013-10-12 02:43 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-11-15 03:04 - 2013-10-12 02:43 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-11-15 03:04 - 2013-10-12 02:43 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-11-15 03:04 - 2013-10-12 02:43 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-11-15 03:04 - 2013-10-12 02:43 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-11-15 03:04 - 2013-10-12 01:03 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-11-15 03:04 - 2013-10-12 01:03 - 01138176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 14355968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 02877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 02049024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-11-15 03:04 - 2013-10-12 01:02 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-11-15 03:04 - 2013-10-12 00:35 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-11-15 03:04 - 2013-10-12 00:08 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-11-15 03:04 - 2013-10-11 23:44 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-11-15 03:04 - 2013-10-11 23:15 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-11-14 03:15 - 2013-10-05 14:25 - 01474048 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-11-14 03:15 - 2013-10-05 13:57 - 01168384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-11-14 03:15 - 2013-10-03 20:28 - 00190464 _____ (Microsoft Corporation) C:\Windows\system32\SmartcardCredentialProvider.dll
2013-11-14 03:15 - 2013-10-03 20:25 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\credui.dll
2013-11-14 03:15 - 2013-10-03 20:24 - 01930752 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2013-11-14 03:15 - 2013-10-03 19:58 - 00152576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SmartcardCredentialProvider.dll
2013-11-14 03:15 - 2013-10-03 19:56 - 01796096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-11-14 03:15 - 2013-10-03 19:56 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credui.dll
2013-11-14 03:15 - 2013-09-27 19:09 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2013-11-14 03:15 - 2013-09-24 20:26 - 00154560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2013-11-14 03:15 - 2013-09-24 20:26 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2013-11-14 03:15 - 2013-09-24 20:23 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2013-11-14 03:15 - 2013-09-24 20:23 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2013-11-14 03:15 - 2013-09-24 20:23 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2013-11-14 03:15 - 2013-09-24 20:22 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2013-11-14 03:15 - 2013-09-24 20:21 - 01447936 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2013-11-14 03:15 - 2013-09-24 20:21 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2013-11-14 03:15 - 2013-09-24 19:58 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2013-11-14 03:15 - 2013-09-24 19:57 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2013-11-14 03:15 - 2013-09-24 19:57 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2013-11-14 03:15 - 2013-09-24 19:56 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2013-11-14 03:15 - 2013-09-24 19:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2013-11-14 03:15 - 2013-07-04 06:18 - 00458712 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2013-11-14 03:14 - 2013-10-11 20:30 - 00830464 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2013-11-14 03:14 - 2013-10-11 20:29 - 00859648 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2013-11-14 03:14 - 2013-10-11 20:29 - 00324096 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2013-11-14 03:14 - 2013-10-11 20:03 - 00656896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll
2013-11-14 03:14 - 2013-10-11 20:01 - 00216576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FWPUCLNT.DLL
2013-11-14 03:14 - 2013-10-02 20:23 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2013-11-14 03:14 - 2013-10-02 20:00 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2013-11-11 19:00 - 2013-11-11 19:01 - 00000086 _____ C:\Users\Public\Desktop\Carbonite Setup.log
2013-11-11 19:00 - 2013-11-11 19:00 - 00002134 _____ C:\Users\Public\Desktop\Carbonite InfoCenter.lnk

==================== One Month Modified Files and Folders =======

2013-11-22 09:05 - 2013-11-22 09:05 - 00000000 ____D C:\FRST
2013-11-22 09:05 - 2013-05-09 08:37 - 00000000 ____D C:\Users\Sharon\Desktop\install
2013-11-22 08:52 - 2013-05-09 09:40 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-11-22 08:52 - 2009-07-13 23:10 - 01596389 _____ C:\Windows\WindowsUpdate.log
2013-11-22 07:10 - 2013-05-09 09:32 - 00000000 ____D C:\ProgramData\Kodak
2013-11-22 02:00 - 2013-11-21 21:57 - 00000512 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task ed26e8d1-5917-4bb8-abdf-4b34a88d5571.job
2013-11-22 00:50 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\rescache
2013-11-21 22:41 - 2013-05-08 11:20 - 00112432 _____ C:\Users\Sharon\AppData\Local\GDIPFONTCACHEV1.DAT
2013-11-21 21:57 - 2013-11-21 21:57 - 00003594 _____ C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task ed26e8d1-5917-4bb8-abdf-4b34a88d5571
2013-11-21 21:57 - 2013-11-21 21:57 - 00000000 ____D C:\Users\Sharon\AppData\Roaming\SUPERAntiSpyware.com
2013-11-21 21:57 - 2013-11-21 21:56 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-11-21 21:56 - 2013-11-21 21:56 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2013-11-21 21:51 - 2013-11-21 21:51 - 00450756 _____ C:\Windows\system32\Drivers\etc\hostsnew.txt
2013-11-21 19:49 - 2013-11-21 19:49 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2013-11-21 19:37 - 2009-07-13 22:45 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-21 19:37 - 2009-07-13 22:45 - 00014240 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-21 19:36 - 2009-07-13 23:13 - 00730408 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-21 19:31 - 2013-11-21 18:27 - 00000000 ____D C:\Users\Sharon\AppData\Local\Deployment
2013-11-21 19:30 - 2013-05-08 11:23 - 00000000 ____D C:\Users\Sharon\AppData\Local\SoftThinks
2013-11-21 19:30 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-21 19:29 - 2009-07-13 22:51 - 00022184 _____ C:\Windows\setupact.log
2013-11-21 19:28 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-11-21 19:20 - 2013-11-21 19:17 - 00000162 _____ C:\Windows\Reimage.ini
2013-11-21 19:19 - 2013-11-21 19:19 - 00000000 ____D C:\ProgramData\CDB
2013-11-21 19:15 - 2013-11-21 19:15 - 00000000 ____D C:\Users\Sharon\AppData\Roaming\IObit
2013-11-21 19:15 - 2013-11-21 19:15 - 00000000 ____D C:\ProgramData\IObit
2013-11-21 19:15 - 2013-11-21 19:15 - 00000000 ____D C:\Program Files (x86)\IObit
2013-11-21 18:38 - 2013-11-21 18:34 - 00000000 ____D C:\Windows\system32\MRT
2013-11-21 18:27 - 2013-11-21 18:27 - 00000000 ____D C:\Users\Sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dell
2013-11-21 18:27 - 2013-11-21 18:27 - 00000000 ____D C:\Users\Sharon\AppData\Local\Apps\2.0
2013-11-21 18:16 - 2013-11-21 18:16 - 00002986 _____ C:\Windows\System32\Tasks\{47B5FDB9-B438-44DE-84A6-1F447CE26977}
2013-11-21 18:16 - 2013-11-21 18:16 - 00002986 _____ C:\Windows\System32\Tasks\{2682C714-70F0-4B35-B48C-FC433AB75A0B}
2013-11-21 18:15 - 2013-11-21 18:15 - 00002986 _____ C:\Windows\System32\Tasks\{CE8AC0DB-C65B-4187-874D-3FF7BCD8111B}
2013-11-21 18:15 - 2013-11-21 18:15 - 00002986 _____ C:\Windows\System32\Tasks\{AB03DBDD-5310-4170-A719-7604F2BBE430}
2013-11-21 18:15 - 2013-11-21 18:15 - 00002986 _____ C:\Windows\System32\Tasks\{86044BFB-5C4D-46DA-9FD4-1851C73B4621}
2013-11-21 18:15 - 2013-11-21 18:15 - 00002986 _____ C:\Windows\System32\Tasks\{687616C3-32E8-41FE-8A07-4E202DFFB712}
2013-11-21 18:15 - 2013-11-21 18:15 - 00002986 _____ C:\Windows\System32\Tasks\{06091CEA-1BD6-4468-B545-B3F32D04A0D7}
2013-11-21 18:12 - 2013-11-17 15:12 - 00000049 _____ C:\Users\Sharon\AppData\Roaming\mbam.context.scan
2013-11-21 18:10 - 2013-11-21 17:22 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2013-11-21 18:10 - 2013-11-21 17:22 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2013-11-21 17:28 - 2013-11-21 17:28 - 00000000 ____D C:\Users\Sharon\AppData\Roaming\QuickScan
2013-11-21 17:22 - 2013-11-21 17:22 - 00000656 _____ C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2013-11-21 17:22 - 2013-11-21 17:22 - 00000628 _____ C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2013-11-21 17:22 - 2013-11-21 17:22 - 00000458 _____ C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2013-11-20 03:05 - 2013-11-17 10:45 - 00000000 ____D C:\ProgramData\nsXDarn3
2013-11-20 03:01 - 2013-05-09 08:47 - 00001945 _____ C:\Windows\epplauncher.mif
2013-11-20 03:01 - 2013-05-09 08:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-11-20 03:01 - 2013-05-09 08:42 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-11-19 04:21 - 2013-05-09 08:53 - 00267936 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2013-11-17 12:29 - 2013-11-17 12:29 - 00002990 _____ C:\Windows\System32\Tasks\{FE4DD4DD-56B2-4706-815D-31A6FFB3B700}
2013-11-17 12:25 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\NDF
2013-11-17 11:22 - 2013-05-08 11:23 - 00000074 _____ C:\Windows\SysWOW64\ToasterLauncherLog.log
2013-11-17 11:07 - 2013-11-17 11:07 - 00000000 ____D C:\Users\Sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
2013-11-17 10:45 - 2013-11-17 10:45 - 00000000 ____D C:\Users\Sharon\AppData\Local\Unsmedia
2013-11-15 03:25 - 2010-12-20 07:31 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-11-15 03:23 - 2010-12-20 08:57 - 00067420 _____ C:\Windows\PFRO.log
2013-11-15 03:06 - 2013-05-09 08:54 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-11-14 03:07 - 2009-07-13 20:34 - 00000478 _____ C:\Windows\win.ini
2013-11-11 19:01 - 2013-11-11 19:00 - 00000086 _____ C:\Users\Public\Desktop\Carbonite Setup.log
2013-11-11 19:00 - 2013-11-11 19:00 - 00002134 _____ C:\Users\Public\Desktop\Carbonite InfoCenter.lnk
2013-11-11 19:00 - 2013-05-09 09:01 - 00004148 _____ C:\Windows\System32\Tasks\{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4}
2013-11-07 16:00 - 2013-11-21 18:34 - 82896128 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-10-25 14:14 - 2009-07-13 23:32 - 00000000 ____D C:\Windows\system32\FxsTmp

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2013-11-20 03:00

==================== End Of Log ============================

Attached Files


Edited by TB-Psychotic, 21 November 2013 - 09:25 AM.


#4 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:05 AM

Posted 21 November 2013 - 09:30 AM

IObit software products are installed on your system!

The company behind this product was found to be stealing our database. Personally I would not trust installing any software from a company that resorts to stealing someone's technology to sell their product.

Please see the following links and make up your own mind if you want to keep this on your system. If needed I can help you remove it.

 

 

 

Fix with FRST (normal mode)

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    HKCU\...\Run: [Unsmedia] - regsvr32.exe C:\Users\Sharon\AppData\Local\Unsmedia\usbimage.dll <===== ATTENTION
    
    C:\Users\Sharon\AppData\Local\Unsmedia
    C:\Windows\system32\Drivers\etc\hostsnew.txt
    C:\ProgramData\nsXDarn3
    C:\Users\Sharon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt), which you will find where you saved FRST. Please post it in your reply.

 

 

 

Full System Scan with Malwarebytes Antimalware

  • If not already installed, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)
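The reasoning behind the fixlist above (a Run entry that launches regsvr32 on a DLL under the user's AppData, in a folder created the same week), written out as an added Python example; this is not FRST's code or the helper's. It parses constructed FRST-format sample lines (the Unsmedia line is the one quoted in this thread; the other entries are invented) and returns each suspicious entry together with the fixlist lines it would need.

```python
"""Triage FRST-format log lines for the regsvr32 autorun pattern in this thread.

Added example, not FRST's own code: flag Run entries that launch regsvr32 on a
DLL under a user-writable path and correlate them with recently created
folders, which is the reasoning behind the fixlist in the post above.
"""
import re
from ntpath import dirname

# Registry section, e.g.  HKCU\...\Run: [Name] - command
RUN_LINE = re.compile(r"^(HK\w+(?:-x32)?)\\\.\.\.\\(Run\w*): \[([^\]]*)\] - (.*)$")
# File section, e.g.  2013-11-17 10:45 - 2013-11-17 10:45 - 00000000 ____D C:\path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) (\S{5}) (?:\([^)]*\) )?(.*)$")
# A command that launches regsvr32: bare, quoted, or with a full path.
REGSVR32 = re.compile(r'^"?(?:[^"\s]*\\)?regsvr32(?:\.exe)?"?\s+(.*)$', re.I)
DLL_ARG = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|ocx))\b", re.I)
# Directories a standard user can write to; legitimate autorun DLLs rarely live here.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)

# Constructed sample in FRST's format. The Unsmedia line is the one quoted in
# this thread; the other entries are invented for the example.
SAMPLE_LOG = r"""
HKLM\...\Run: [ExampleAV] - C:\Program Files\ExampleAV\tray.exe [123456 2013-05-09] (Example Vendor)
HKCU\...\Run: [Unsmedia] - regsvr32.exe C:\Users\Sharon\AppData\Local\Unsmedia\usbimage.dll <===== ATTENTION
HKLM-x32\...\Run: [LegitCodec] - regsvr32.exe /s "C:\Program Files (x86)\LegitCodec\codec.dll"
2013-11-17 10:45 - 2013-11-17 10:45 - 00000000 ____D C:\Users\Sharon\AppData\Local\Unsmedia
2013-11-14 03:14 - 2013-10-02 20:23 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
"""


def parse_created_dirs(log_text):
    """Map each folder (____D entry) to its creation timestamp, keyed case-insensitively."""
    created = {}
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and m.group(4) == "____D":
            created[m.group(5).lower()] = m.group(1)
    return created


def triage(log_text):
    """Return one finding per Run entry that uses regsvr32 to load a DLL from a
    user-writable directory. Each finding includes the two lines a fixlist would
    need for it: the Run line itself and the DLL's folder."""
    created = parse_created_dirs(log_text)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_LINE.match(line)
        if not m:
            continue
        hive, key, name, command = m.groups()
        args = REGSVR32.match(command)
        if not args:
            continue                      # not a regsvr32 launch
        dll = DLL_ARG.search(args.group(1))
        if not dll or not USER_WRITABLE.search(dll.group(1)):
            continue                      # DLL lives in a normal program location
        folder = dirname(dll.group(1))
        findings.append({
            "hive": hive, "key": key, "name": name, "dll": dll.group(1),
            "folder_created": created.get(folder.lower()),   # None if not in the log
            "fixlist": [line, folder],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['hive']}\\{f['key']} [{f['name']}] -> {f['dll']} "
              f"(folder created {f['folder_created']})")
        print("fixlist lines:", *f["fixlist"], sep="\n  ")
```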

#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:05 AM

Posted 25 November 2013 - 05:22 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#6 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,260 posts
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:09:05 PM

Posted 29 November 2013 - 12:47 PM

This topic has been re-opened at the request of the person who originally posted.

#7 jeffh01

jeffh01
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:05 PM

Posted 29 November 2013 - 02:27 PM

With the holidays -- it has been difficult to get this bleeping computer fixed....

Here are the results of what you requested I complete.

Thanks again!

 

Attached Files



#8 jeffh01

jeffh01
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:05 PM

Posted 29 November 2013 - 02:29 PM

Also, ran a Spybot search after everything else and here are the results:

Attached Files



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:05 AM

Posted 02 December 2013 - 03:39 AM

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



#10 jeffh01

jeffh01
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:05 PM

Posted 02 December 2013 - 02:43 PM

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe    a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe    a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\UpdateWorkingDirectory\DSL\hstart.exe    a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\UpdateWorkingDirectory\DSL\Components\DSUpdate\hstart.exe    a variant of Win32/HiddenStart.A application
 



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:05 AM

Posted 03 December 2013 - 03:35 AM

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll also find the log file at C:\AdwCleaner[S1].txt


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its contents to your thread.



#12 jeffh01

jeffh01
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:05 PM

Posted 03 December 2013 - 09:44 AM

# AdwCleaner v3.014 - Report created 03/12/2013 at 06:41:45
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Sharon - SHARON-PC
# Running from : C:\Users\Sharon\Desktop\install\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AOL Toolbar
Folder Deleted : C:\Program Files (x86)\AOL Toolbar
Folder Deleted : C:\Program Files (x86)\Common Files\Software Update Utility
Folder Deleted : C:\Program Files\AOL Toolbar
Folder Deleted : C:\Users\Sharon\AppData\Local\AOL Toolbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\Software\firstsearch
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


*************************

AdwCleaner[R0].txt - [2579 octets] - [03/12/2013 06:39:48]
AdwCleaner[S0].txt - [2556 octets] - [03/12/2013 06:41:45]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2616 octets] ##########
 



#13 jeffh01

jeffh01
  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:05 PM

Posted 03 December 2013 - 09:47 AM

 Results of screen317's Security Check version 0.99.77  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File  
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 7 Update 21  
 Java version out of Date!
 Adobe Reader XI  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Spybot Teatimer.exe is disabled!
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 



#14 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:05 AM

Posted 05 December 2013 - 07:05 AM

Your system is clean now! :)

 

 

Java Runtime Environment out of date

Your Java runtime environment is outdated. We will fix this.

  • Get the actual JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer and install the software
  • When finished, go to
    Start --> Control Panel --> Add/Remove Programs and remove all older Java versions (if any exist).
  • When finished, reboot your computer.

After the reboot
  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  • In case we used Defogger to turn off your CD emulation software: you can start it again and use the Enable button.
  • In case we used Combofix: deactivate your antivirus software once more, then rename combofix.exe to uninstall.exe and run it one last time. You will be notified that Combofix has been removed.
  • In any case, please download delfix to your desktop.
    • Close all other programs and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process.
  • If there is still something left, please delete it manually.

 

 

 

Recommendations: How to protect yourself

  • System Updates
    Please ensure that automatic updates are activated in your Control Panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before you access a web site classified as dangerous, a warning screen is displayed.

  • Up to date Software
    Keep your Windows and your third-party software up to date. The easiest way to get infected is an outdated Windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

  • Backup
    Hardware issues, malware, fire, lightning strike: there is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third-party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The most common error when using a computer is "error 80", which means that the error is located about 80 cm in front of the monitor. This is a common joke among IT support technicians, but it shows that all the safety mechanisms won't help you if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today's setup procedures contain potentially unwanted programs, so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.



#15 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male
  • Local time:05:05 AM

Posted 10 February 2014 - 08:17 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.