
Infected with Zero Access and cannot download


13 replies to this topic

#1 gjw (Members, 11 posts)

Posted 05 December 2013 - 05:19 PM

History of problem:

1. PC has been slow, with intermittent white-out screen and "not responding" messages for various applications (IE, Excel, Word, Outlook etc.).

2. The big problem started a few days ago with McAfee 'real time scan' turning on and off.

3. I ran a malwarebytes scan and picked up the following quarantines:

Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\etadpug (Spyware.Fareit) -> Delete on reboot.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Google Update (Spyware.Fareit) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Ron\AppData\Local\Google\Desktop\Install\{c539c59a-9931-6716-b512-22ffa3899385}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{c539c59a-9931-6716-b512-22ffa3899385}\GoogleUpdate.exe (Spyware.Fareit) -> Quarantined and deleted successfully.
c:\program files\google\desktop\install\{c539c59a-9931-6716-b512-22ffa3899385}\   \...\ﯹ๛\{c539c59a-9931-6716-b512-22ffa3899385}\googleupdate.exe (Spyware.Fareit) -> Quarantined and deleted successfully.

(end)

 

4. I then noticed that I could not download from the internet. To get DDS to my desktop I had to use another pc and flash drive.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.19483  BrowserJavaVersion: 10.4.1
Run by Ron at 14:47:51 on 2013-12-05
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2045.572 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\VPDAgent.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\OfficeGuardianV2N35\UACProxy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\mfevtps.exe
C:\Program Files\Neat\exec\NeatStartupService.exe
C:\pvsw\bin\psql_svc.exe
C:\Windows\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\ProgramData\OfficeGuardianV2N35\Reminder\SacNetAgent.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Sage Software\Peachtree\peachw.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Microsoft\BingBar\7.2.241.0\SeaPort.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Program Files\McAfee\VirusScan\mcods.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.foxnews.com/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = Preserve
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070306
BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120624024507.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [olasds] "c:\windows\system32\rundll32.exe" "c:\users\ron\appdata\roaming\olasds.dll",warning
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: intuit.com
Trusted Zone: phoenix.edu
Trusted Zone: turbotax.com
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=1007
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{B4709CFD-42E3-4636-A8DC-D17D8B839932} : DHCPNameServer = 192.168.0.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program files\mcafee\siteadvisor\McIEPlg.dll
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: Neat ADF Scanner 2008 - reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f
mASetup: Send To Neat - reg copy "HKLM\Software\The Neat Company\Send To Neat" "HKCU\Software\The Neat Company\Send To Neat" /s /f
.
============= SERVICES / DRIVERS ===============
.
R? ?etadpug;Google Update Service (gupdate)
R? BBSvc;BingBar Service
R? HipShieldK;McAfee Inc. HipShieldK
R? klqjgqs;klqjgqs
R? LMIRfsClientNP;LMIRfsClientNP
R? mfebopk;McAfee Inc. mfebopk
R? mferkdet;McAfee Inc. mferkdet
R? mferkdk;McAfee Inc. mferkdk
R? mfesmfk;McAfee Inc. mfesmfk
R? nosGetPlusHelper;getPlus® Helper 3004
R? sxuptp;SXUPTP Driver
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service
S? Agent;VPDAgent
S? AMD External Events Utility;AMD External Events Utility
S? BBUpdate;BBUpdate
S? CFUACProxy_officeguardianv2n35;CFUACProxy_officeguardianv2n35
S? cfwids;McAfee Inc. cfwids
S? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
S? FontCache;Windows Font Cache Service
S? LMIGuardianSvc;LMIGuardianSvc
S? LMIInfo;LogMeIn Kernel Information Provider
S? LMIRfsDriver;LogMeIn Remote File System Driver
S? MBAMProtector;MBAMProtector
S? MBAMScheduler;MBAMScheduler
S? MBAMService;MBAMService
S? MBAMSwissArmy;MBAMSwissArmy
S? McAfee SiteAdvisor Service;McAfee SiteAdvisor Service
S? McMPFSvc;McAfee Personal Firewall Service
S? McNaiAnn;McAfee VirusScan Announcer
S? McProxy;McAfee Proxy Service
S? McShield;McAfee McShield
S? mfeavfk;McAfee Inc. mfeavfk
S? mfefire;McAfee Firewall Core Service
S? mfefirek;McAfee Inc. mfefirek
S? mfehidk;McAfee Inc. mfehidk
S? mfevtp;McAfee Validation Trust Protection Service
S? mfewfpk;McAfee Inc. mfewfpk
S? Neat Startup Service;Neat Startup Service
S? Pervasive Cache Engine;Pervasive Cache Engine
S? Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine
S? SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53
.
=============== File Associations ===============
.
ShellExec: ymp.exe: open="c:\program files\yahoo!\yahoo! music jukebox\YahooMusicEngine.exe" -play "%1"
ShellExec: ymp.exe: play="c:\program files\yahoo!\yahoo! music jukebox\YahooMusicEngine.exe" -play "%1"
.
=============== Created Last 30 ================
.
2013-12-05 20:07:11 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-12-04 20:22:58 9728 ----a-w- c:\windows\system32\Wdfres.dll
2013-12-04 20:22:39 66560 ----a-w- c:\windows\system32\drivers\WUDFPf.sys
2013-12-04 20:22:39 155136 ----a-w- c:\windows\system32\drivers\WUDFRd.sys
2013-12-04 20:22:38 16896 ----a-w- c:\windows\system32\winusb.dll
2013-12-04 20:22:37 73216 ----a-w- c:\windows\system32\WUDFSvc.dll
2013-12-04 20:22:36 172032 ----a-w- c:\windows\system32\WUDFPlatform.dll
2013-12-04 20:22:35 47720 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
2013-12-04 20:22:30 38912 ----a-w- c:\windows\system32\WUDFCoinstaller.dll
2013-12-04 20:22:29 613888 ----a-w- c:\windows\system32\WUDFx.dll
2013-12-04 20:22:29 196608 ----a-w- c:\windows\system32\WUDFHost.exe
2013-12-04 19:08:41 812544 ----a-w- c:\windows\system32\certutil.exe
2013-12-04 19:08:40 41984 ----a-w- c:\windows\system32\certenc.dll
2013-12-04 19:07:51 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-12-04 19:07:00 129536 ----a-w- c:\program files\internet explorer\sqmapi.dll
2013-12-04 19:02:14 638400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2013-12-04 19:02:14 37376 ----a-w- c:\windows\system32\cdd.dll
2013-12-04 19:02:11 197632 ----a-w- c:\windows\system32\drivers\usbhub.sys
2013-12-04 19:02:10 73216 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2013-12-04 19:02:10 6016 ----a-w- c:\windows\system32\drivers\usbd.sys
2013-12-04 19:02:09 39936 ----a-w- c:\windows\system32\drivers\usbehci.sys
2013-12-04 19:02:09 23552 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2013-12-04 19:02:09 226304 ----a-w- c:\windows\system32\drivers\usbport.sys
2013-12-04 19:02:06 527064 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
2013-12-04 19:02:01 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-12-04 19:01:56 2050048 ----a-w- c:\windows\system32\win32k.sys
2013-12-04 19:01:54 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-12-04 19:01:49 224640 ----a-w- c:\windows\system32\drivers\volsnap.sys
2013-12-04 19:01:45 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-12-04 19:01:38 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-12-04 19:01:37 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-12-04 19:01:36 64000 ----a-w- c:\windows\system32\smss.exe
2013-12-04 19:01:36 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-12-04 19:01:09 2048 ----a-w- c:\windows\system32\tzres.dll
2013-12-04 19:00:06 24576 ----a-w- c:\windows\system32\cryptdlg.dll
2013-12-04 18:59:23 1314816 ----a-w- c:\windows\system32\quartz.dll
2013-12-04 18:59:12 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
2013-12-04 18:59:12 15872 ----a-w- c:\windows\system32\icaapi.dll
2013-12-04 18:59:07 75776 ----a-w- c:\windows\system32\synceng.dll
2013-12-04 18:59:02 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-12-04 18:58:55 444928 ----a-w- c:\windows\system32\IKEEXT.DLL
2013-12-04 18:58:54 596480 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2013-12-04 18:58:32 376320 ----a-w- c:\windows\system32\dpnet.dll
2013-12-04 18:58:32 23040 ----a-w- c:\windows\system32\dpnsvr.exe
2013-12-04 18:58:30 297984 ----a-w- c:\windows\system32\gdi32.dll
2013-12-04 18:58:29 204288 ----a-w- c:\windows\system32\ncrypt.dll
2013-12-04 18:58:26 68608 ----a-w- c:\windows\system32\drivers\usbcir.sys
2013-12-04 18:58:24 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-12-04 18:58:17 993792 ----a-w- c:\windows\system32\crypt32.dll
2013-12-04 18:57:45 443904 ----a-w- c:\windows\system32\win32spl.dll
2013-12-04 18:57:44 37376 ----a-w- c:\windows\system32\printcom.dll
2013-12-04 18:57:41 293376 ----a-w- c:\windows\system32\atmfd.dll
2013-12-04 18:57:40 34304 ----a-w- c:\windows\system32\atmlib.dll
2013-12-04 18:57:35 505344 ----a-w- c:\windows\system32\qedit.dll
2013-12-04 18:57:31 615936 ----a-w- c:\windows\system32\themeui.dll
2013-12-04 18:57:29 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-12-04 18:57:23 532480 ----a-w- c:\windows\system32\comctl32.dll
2013-12-04 18:57:19 1400832 ----a-w- c:\windows\system32\msxml6.dll
2013-12-04 18:57:11 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-12-04 18:57:06 35328 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-12-04 18:57:05 25472 ----a-w- c:\windows\system32\drivers\hidparse.sys
2013-12-04 18:25:51 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-12-04 18:25:48 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2013-12-04 18:25:47 1218048 ----a-w- c:\program files\windows journal\NBDoc.DLL
2013-12-04 18:25:46 983552 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2013-12-04 18:25:46 964608 ----a-w- c:\program files\windows journal\JNWDRV.dll
2013-12-04 18:25:17 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-12-04 18:25:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-12-04 18:25:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-12-03 16:38:44 -------- d-----w- c:\users\ron\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2013-12-03 00:39:19 -------- d-----w- c:\windows\system32\MRT
2013-11-16 21:09:56 -------- d-----w- C:\Ruth
.
==================== Find3M  ====================
.
2013-10-13 11:55:47 916992 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 11:50:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-10-13 11:49:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-10-13 11:49:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2013-10-13 11:49:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2013-10-13 11:47:48 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 10:09:15 385024 ----a-w- c:\windows\system32\html.iec
2013-10-13 08:28:01 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2013-10-13 08:25:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2013-10-09 14:38:13 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-09 14:38:13 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-12 19:11:10 157622424 ----a-w- c:\users\ron\Neat_v5.2.2.3_UPGRADE.sfx.exe
.
============= FINISH: 14:50:57.99 ===============
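
As an added example (not part of this thread, and not code from DDS, FRST or Malwarebytes), the script below applies the ZeroAccess indicators visible in the Malwarebytes and DDS output above, and in the FRST log further down the thread, to raw log lines: a service name that is a legitimate one spelled backwards (etadpug is gupdate reversed), directory names made only of whitespace, non-ASCII symbols or placeholder characters, the dropper path under Google\Desktop\Install\{GUID}, rundll32 loading a DLL from the user's roaming profile, and a boot-start driver whose image file is missing. The sample lines are copied from the logs in this thread plus a few benign lines for contrast; the rule names, regexes and the "legitimate service names" list are my own assumptions, not anything DDS or FRST define.

```python
"""Triage helper for DDS / FRST / Malwarebytes log lines (added example).

Not part of DDS, FRST or Malwarebytes; the rules encode the ZeroAccess
indicators seen in the logs posted in this thread.
"""
import re

# Real Windows service names for Google Update; "etadpug" is "gupdate" reversed.
LEGIT_SERVICE_NAMES = {"gupdate", "gupdatem"}

# "R? ?etadpug;..." (DDS) or "U2 *etadpug; ..." (FRST): state letter, start type,
# an optional ?/* the tools print in front of the name, then the service name.
SERVICE_RE = re.compile(r"^([RSU])([0-4?])\s+[*?]?([\w.-]+);")
# Boot-start (R0/S0) driver whose image file is missing ("[x]" at end of line).
BOOT_DRIVER_MISSING_RE = re.compile(r"^[RS]0\s+[\w.-]+;.*\[x\]\s*$")
# Any drive-letter path; stop at quotes and angle brackets.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>]+')
# rundll32 handed a DLL that lives under C:\Users\... (user-writable).
RUNDLL_USERDIR_RE = re.compile(
    r'rundll32\.exe"?\s+"?([A-Za-z]:\\users\\[^",]+\.dll)', re.I)
# Dropper location seen in this thread's logs.
GDESKTOP_RE = re.compile(r"\\Google\\Desktop\\Install\\\{", re.I)

# Constructed sample: lines copied from the logs above plus benign lines.
SAMPLE_LINES = [
    r"R? ?etadpug;Google Update Service (gupdate)",
    r"S0 klqjgqs; System32\drivers\yofplojv.sys [x]",
    r"C:\Users\Ron\AppData\Local\Google\Desktop\Install\{c539c59a-9931-6716-b512-22ffa3899385}\❤≸⋙\Ⱒ☠⍨\ﯹ๛\{c539c59a-9931-6716-b512-22ffa3899385}\GoogleUpdate.exe (Spyware.Fareit) -> Quarantined and deleted successfully.",
    r'U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{c539c59a-9931-6716-b512-22ffa3899385}\   \...\???\{c539c59a-9931-6716-b512-22ffa3899385}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)',
    r"HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)",
    r'uRun: [olasds] "c:\windows\system32\rundll32.exe" "c:\users\ron\appdata\roaming\olasds.dll",warning',
    # benign lines for contrast
    r'mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"',
    r"R2 mfevtp; C:\Windows\system32\mfevtps.exe [172416 2013-02-19] (McAfee, Inc.)",
    r"S3 IpInIp; system32\DRIVERS\ipinip.sys [x]",
    r"HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehtray.exe [125952 2008-01-19] (Microsoft Corporation)",
]


def odd_path_segments(path):
    """Directory names that are whitespace-only, entirely non-ASCII, or made
    only of '.'/'?' (how DDS/FRST render names they cannot print)."""
    odd = []
    for seg in path.split("\\"):
        if not seg:
            continue
        if seg.isspace() or all(ord(c) > 127 for c in seg) or not seg.strip(".?"):
            odd.append(seg)
    return odd


def find_indicators(lines):
    """Return [(line, [reason, ...])] for every line that trips a rule."""
    hits = []
    for line in lines:
        reasons = []
        if "ATTENTION" in line:
            reasons.append("flagged by the scan tool")
        m = SERVICE_RE.match(line)
        if m and m.group(3)[::-1].lower() in LEGIT_SERVICE_NAMES:
            reasons.append("service name %r is %r reversed"
                           % (m.group(3), m.group(3)[::-1].lower()))
        if BOOT_DRIVER_MISSING_RE.match(line):
            reasons.append("boot-start driver with missing image")
        if RUNDLL_USERDIR_RE.search(line):
            reasons.append("rundll32 loading a DLL from the user profile")
        if GDESKTOP_RE.search(line):
            reasons.append("path under Google\\Desktop\\Install\\{GUID}")
        for path in PATH_RE.findall(line):
            odd = odd_path_segments(path)
            if odd:
                reasons.append("unprintable directory names %r" % odd)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    import sys
    # Pass a saved FRST.txt / DDS log as the first argument, else use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = [l.rstrip("\r\n") for l in fh]
    else:
        lines = SAMPLE_LINES
    for line, reasons in find_indicators(lines):
        print(line)
        for r in reasons:
            print("    ->", r)
```

The registry abbreviation `HKCU\...\Run` that FRST prints is deliberately not treated as a path (only drive-letter paths are split into segments), otherwise every Run entry would trip the placeholder rule. Treat hits as leads to verify on the machine, not verdicts: a whitespace or symbol folder name is rare but not impossible in legitimate software, and a missing-image driver entry is only interesting when it is boot-start and has a name nothing on the system explains.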
 

 


 


#2 JSntgRvr (Master Surgeon General, Malware Response Team, 11,311 posts, Puerto Rico)

Posted 05 December 2013 - 06:52 PM


 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

If unable to download directly into the computer, use another computer and download the file to a flash drive. Run the application on the ailing computer from the flash drive.


No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 gjw (Topic Starter, Members, 11 posts)

Posted 06 December 2013 - 11:25 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-12-2013
Ran by Ron (administrator) on RON-PC on 05-12-2013 17:41:28
Running from C:\Users\Ron\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(Two Pilots) C:\Windows\VPDAgent.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(ABBYY) C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Storage Appliance Corp.) C:\ProgramData\OfficeGuardianV2N35\UACProxy.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\ramaint.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
() C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(The Neat Company) C:\Program Files\Neat\exec\NeatStartupService.exe
() C:\pvsw\bin\psql_svc.exe
() C:\Windows\System32\srvany.exe
() C:\pvsw\bin\w3dbsmgr.exe
(Sonic Solutions) C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
(Storage Appliance Corporation) C:\ProgramData\OfficeGuardianV2N35\Reminder\SacNetAgent.exe
(SupportSoft, Inc.) C:\Program Files\Dell Support Center\bin\sprtsvc.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(Microsoft Corporation) C:\Windows\ehome\ehsched.exe
(Microsoft Corporation) C:\Windows\ehome\ehrecvr.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
(McAfee, Inc.) C:\Program Files\McAfee.com\Agent\mcagent.exe
(Apple Inc.) C:\Program Files\QuickTime\QTTask.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Sage Software SB, Inc.) C:\Program Files\Sage Software\Peachtree\peachw.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Apple Inc.) C:\Program Files\QuickTime\QTTask.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corporation.) C:\Program Files\Microsoft\BingBar\7.2.241.0\SeaPort.EXE
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Windows Mail\WinMail.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\Core\mchost.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmplayer.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [1278064 2013-03-13] (McAfee, Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\hpwuschd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [] - [x]
HKLM\...\runonceex: [] - [x]
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKCU\...\Run: [ehTray.exe] - C:\Windows\ehome\ehtray.exe [125952 2008-01-19] (Microsoft Corporation)
HKCU\...\Run: [olasds] - "C:\Windows\System32\rundll32.exe" "C:\Users\Ron\AppData\Roaming\olasds.dll",warning <===== ATTENTION
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe -update activex [829832 2013-10-09] (Adobe Systems Incorporated)
MountPoints2: E - E:\autoRcd.exe
MountPoints2: K - K:\LaunchU3.exe -a
MountPoints2: {0b514963-c6a9-11dc-991c-0019d1316c14} - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ClASSRoOm.Exe
MountPoints2: {4c86de7b-3235-11e1-9a66-0019d1316c14} - N:\LaunchU3.exe -a
MountPoints2: {a7a41fdd-f5ba-11e0-8aa5-0019d1316c14} - M:\StartClickFreeBackup.exe
MountPoints2: {b2fbc511-597f-11e1-9b10-0019d1316c14} - N:\LaunchU3.exe -a
MountPoints2: {c263e456-cb42-11db-a227-806e6f6e6963} - F:\autorun.exe
MountPoints2: {c39adb45-9c49-11e1-8e38-0019d1316c14} - K:\StartClickFreeBackup.exe
MountPoints2: {c39adb53-9c49-11e1-8e38-0019d1316c14} - N:\StartClickFreeBackup.exe
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2006-11-12] (Gteko Ltd.)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2006-11-12] (Gteko Ltd.)
HKU\LogMeInRemoteUser\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\LogMeInRemoteUser\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2006-11-12] (Gteko Ltd.)
HKU\Test\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Test\...\Run: [DellSupport] - C:\Program Files\DellSupport\DSAgnt.exe [ 2006-11-12] (Gteko Ltd.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5070306
BHO: Bing Bar Helper - {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - C:\Program Files\Microsoft\BingBar\7.2.241.0\BingExt.dll (Microsoft Corporation.)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120624024507.dll (McAfee, Inc.)
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
Toolbar: HKLM - Bing Bar - {eec0f710-38b5-4aba-99bf-ec87564a4e13} - C:\Program Files\Microsoft\BingBar\7.2.241.0\BingExt.dll (Microsoft Corporation.)
Toolbar: HKCU - No Name - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} -  No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} http://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=1007
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

========================== Services (Whitelisted) =================

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 Agent; C:\Windows\VPDAgent.exe [192512 2013-06-25] (Two Pilots)
R2 CFUACProxy_officeguardianv2n35; C:\ProgramData\OfficeGuardianV2N35\UACProxy.exe [83792 2011-07-19] (Storage Appliance Corp.)
S3 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [70656 2006-11-07] ()
S3 getPlus® Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [33752 2008-12-01] (NOS Microsystems Ltd.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [210216 2009-02-11] ()
R2 McMPFSvc; C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 mcmscsvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McNASvc; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [279048 2012-11-16] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [167784 2012-08-31] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [203840 2013-02-19] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [169320 2013-02-19] (McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [172416 2013-02-19] (McAfee, Inc.)
R2 Neat Startup Service; C:\Program Files\Neat\exec\NeatStartupService.exe [5632 2013-06-26] (The Neat Company)
R2 Pervasive Cache Engine; C:\pvsw\bin\psql_svc.exe [73728 2007-01-12] ()
R2 Pervasive.SQL Workgroup Engine; C:\Windows\system32\srvany.exe [13864 2007-05-16] ()
R2 SacNetAgentService_C57C4F854F53; C:\ProgramData\OfficeGuardianV2N35\Reminder\SacNetAgent.exe [163664 2011-07-19] (Storage Appliance Corporation)
R2 sprtsvc_dellsupportcenter; C:\Program Files\Dell Support Center\bin\sprtsvc.exe [201968 2008-08-13] (SupportSoft, Inc.)
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{c539c59a-9931-6716-b512-22ffa3899385}\   \...\???\{c539c59a-9931-6716-b512-22ffa3899385}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R3 ATIAVPCI; C:\Windows\System32\DRIVERS\atinavrr.sys [383488 2007-01-24] (ATI Technologies Inc.)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [60920 2013-02-19] (McAfee, Inc.)
R2 dsunidrv; C:\Program Files\DellSupport\Drivers\dsunidrv.sys [7424 2006-08-17] (Gteko Ltd.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [146872 2012-04-20] (McAfee, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2013-12-05] (Malwarebytes Corporation)
R2 MCSTRM; C:\Windows\System32\Drivers\MCSTRM.sys [8413 2007-04-29] (RealNetworks, Inc.)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [133416 2013-02-19] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [235264 2013-02-19] (McAfee, Inc.)
S3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [65928 2013-02-19] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [363080 2013-02-19] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [565888 2013-02-19] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [92632 2013-02-19] (McAfee, Inc.)
S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [34248 2009-09-16] (McAfee, Inc.)
S3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [40552 2009-11-04] (McAfee, Inc.)
R1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [210608 2013-02-19] (McAfee, Inc.)
R3 STHDA; C:\Windows\System32\drivers\stwrt.sys [647680 2006-11-22] (SigmaTel, Inc.)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S0 klqjgqs; System32\drivers\yofplojv.sys [x]
S4 LMIRfsClientNP; No ImagePath
U3 mfeavfk01; No ImagePath
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 sxuptp; system32\DRIVERS\sxuptp.sys [x]
U3 mbr; \??\C:\Users\Ron\AppData\Local\Temp\mbr.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-12-05 17:41 - 2013-12-05 17:42 - 00014239 _____ C:\Users\Ron\Desktop\FRST.txt
2013-12-05 17:41 - 2013-12-05 17:41 - 00000000 ____D C:\FRST
2013-12-05 17:37 - 2013-12-05 09:10 - 01405939 _____ (Farbar) C:\Users\Ron\Desktop\FRST.exe
2013-12-05 13:07 - 2013-12-05 13:07 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2013-12-05 11:32 - 2013-12-05 11:32 - 00000000 ____D C:\Users\Test\AppData\Roaming\Adobe
2013-12-05 11:31 - 2013-12-05 11:31 - 00000000 ____D C:\Users\Test\AppData\Roaming\Apple Computer
2013-12-05 11:30 - 2013-12-05 11:30 - 00000997 _____ C:\Users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-12-05 11:30 - 2013-12-05 11:30 - 00000992 _____ C:\Users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2013-12-05 11:30 - 2013-12-05 11:30 - 00000000 ___HD C:\Users\Test\AppData\Roaming\GTek
2013-12-05 11:29 - 2013-12-05 11:29 - 00000963 _____ C:\Users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
2013-12-05 11:29 - 2013-12-05 11:29 - 00000000 ____D C:\Users\Test\AppData\Local\VirtualStore
2013-12-05 11:28 - 2013-12-05 11:30 - 00000000 ____D C:\Users\Test
2013-12-05 11:28 - 2013-12-05 11:28 - 00000020 ___SH C:\Users\Test\ntuser.ini
2013-12-05 11:28 - 2009-07-30 14:50 - 00000000 ___RD C:\Users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-12-05 11:28 - 2009-07-30 14:50 - 00000000 ___RD C:\Users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-04 13:23 - 2012-06-02 07:57 - 00000003 _____ C:\Windows\system32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2013-12-04 13:22 - 2012-07-25 20:39 - 00047720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdfLdr.sys
2013-12-04 13:22 - 2012-07-25 20:21 - 00196608 _____ (Microsoft Corporation) C:\Windows\system32\WUDFHost.exe
2013-12-04 13:22 - 2012-07-25 20:20 - 00613888 _____ (Microsoft Corporation) C:\Windows\system32\WUDFx.dll
2013-12-04 13:22 - 2012-07-25 20:20 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\WUDFPlatform.dll
2013-12-04 13:22 - 2012-07-25 20:20 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\WUDFSvc.dll
2013-12-04 13:22 - 2012-07-25 20:20 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\WUDFCoinstaller.dll
2013-12-04 13:22 - 2012-07-25 19:46 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\Wdfres.dll
2013-12-04 13:22 - 2012-07-25 19:33 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WUDFPf.sys
2013-12-04 13:22 - 2012-07-25 19:32 - 00155136 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WUDFRd.sys
2013-12-04 13:22 - 2009-07-14 05:12 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\winusb.dll
2013-12-04 12:08 - 2013-04-23 21:00 - 00041984 _____ (Microsoft Corporation) C:\Windows\system32\certenc.dll
2013-12-04 12:08 - 2013-04-23 18:46 - 00812544 _____ (Microsoft Corporation) C:\Windows\system32\certutil.exe
2013-12-04 12:07 - 2013-10-13 04:55 - 01212928 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-12-04 12:07 - 2013-10-13 04:51 - 00055296 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2013-12-04 12:07 - 2013-10-13 04:50 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-12-04 12:07 - 2013-10-13 04:49 - 00387584 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2013-12-04 12:07 - 2013-10-13 04:49 - 00055808 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-12-04 12:07 - 2013-07-20 03:44 - 00102608 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2013-12-04 12:06 - 2013-10-13 04:55 - 00916992 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-12-04 12:06 - 2013-10-13 04:55 - 00105984 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-12-04 12:06 - 2013-10-13 04:53 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2013-12-04 12:06 - 2013-10-13 04:51 - 06018048 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-12-04 12:06 - 2013-10-13 04:51 - 00630272 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-12-04 12:06 - 2013-10-13 04:51 - 00611840 _____ (Microsoft Corporation) C:\Windows\system32\mstime.dll
2013-12-04 12:06 - 2013-10-13 04:51 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-12-04 12:06 - 2013-10-13 04:50 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\licmgr10.dll
2013-12-04 12:06 - 2013-10-13 04:49 - 11111936 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-12-04 12:06 - 2013-10-13 04:49 - 02005504 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-12-04 12:06 - 2013-10-13 04:49 - 01469440 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-12-04 12:06 - 2013-10-13 04:49 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2013-12-04 12:06 - 2013-10-13 04:49 - 00164352 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-12-04 12:06 - 2013-10-13 04:49 - 00109056 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-12-04 12:06 - 2013-10-13 04:49 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-12-04 12:06 - 2013-10-13 04:47 - 00018944 _____ (Microsoft Corporation) C:\Windows\system32\corpol.dll
2013-12-04 12:06 - 2013-10-13 03:09 - 00385024 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2013-12-04 12:06 - 2013-10-13 01:28 - 00133632 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-12-04 12:06 - 2013-10-13 01:27 - 00174080 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-12-04 12:06 - 2013-10-13 01:26 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2013-12-04 12:06 - 2013-10-13 01:25 - 01638912 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-12-04 12:06 - 2013-08-26 19:47 - 01029120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2013-12-04 12:06 - 2013-08-26 19:47 - 00219648 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2013-12-04 12:06 - 2013-08-26 19:47 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2013-12-04 12:06 - 2013-08-26 19:47 - 00160768 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2013-12-04 12:06 - 2013-08-26 18:52 - 01172480 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2013-12-04 12:06 - 2013-08-26 18:50 - 00486400 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2013-12-04 12:06 - 2013-08-26 18:32 - 00683008 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2013-12-04 12:06 - 2013-08-26 18:28 - 01069056 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2013-12-04 12:06 - 2013-08-26 18:28 - 00798208 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2013-12-04 12:02 - 2013-07-31 20:16 - 00638400 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2013-12-04 12:02 - 2013-07-31 19:49 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2013-12-04 12:02 - 2013-06-28 19:07 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2013-12-04 12:02 - 2013-06-28 19:07 - 00197632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2013-12-04 12:02 - 2013-06-28 19:07 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2013-12-04 12:02 - 2013-06-28 19:06 - 00006016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2013-12-04 12:02 - 2013-06-26 16:01 - 00527064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Wdf01000.sys
2013-12-04 12:02 - 2013-03-03 12:07 - 01082232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2013-12-04 12:02 - 2011-05-05 06:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2013-12-04 12:02 - 2011-05-05 06:54 - 00023552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2013-12-04 12:01 - 2013-08-29 00:36 - 02050048 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-12-04 12:01 - 2013-07-17 12:41 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2013-12-04 12:01 - 2013-07-10 02:47 - 00783360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2013-12-04 12:01 - 2013-07-09 05:10 - 01205168 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-12-04 12:01 - 2013-07-07 21:55 - 03603904 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2013-12-04 12:01 - 2013-07-07 21:55 - 03551680 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-12-04 12:01 - 2013-03-08 20:45 - 00049152 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2013-12-04 12:01 - 2013-03-08 18:28 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2013-12-04 12:01 - 2012-09-28 09:11 - 00892928 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2013-12-04 12:01 - 2012-08-21 04:47 - 00224640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\volsnap.sys
2013-12-04 12:00 - 2013-04-17 05:30 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\cryptdlg.dll
2013-12-04 11:59 - 2013-07-04 21:53 - 00905664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2013-12-04 11:59 - 2013-06-15 06:22 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\icaapi.dll
2013-12-04 11:59 - 2013-06-15 04:23 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2013-12-04 11:59 - 2012-11-07 20:48 - 01314816 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2013-12-04 11:59 - 2012-09-25 09:19 - 00075776 _____ (Microsoft Corporation) C:\Windows\system32\synceng.dll
2013-12-04 11:58 - 2013-10-10 19:08 - 00444928 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2013-12-04 11:58 - 2013-10-10 19:07 - 00596480 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2013-12-04 11:58 - 2013-10-10 17:39 - 00218228 _____ C:\Windows\system32\WFP.TMF
2013-12-04 11:58 - 2013-10-03 05:45 - 00993792 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-12-04 11:58 - 2013-10-03 05:45 - 00297984 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2013-12-04 11:58 - 2013-08-01 21:09 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2013-12-04 11:58 - 2013-07-12 02:04 - 00068608 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbcir.sys
2013-12-04 11:58 - 2012-11-21 20:54 - 00353280 _____ (Microsoft Corporation) C:\Windows\system32\shlwapi.dll
2013-12-04 11:58 - 2012-11-19 21:22 - 00204288 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2013-12-04 11:58 - 2012-11-02 03:18 - 00376320 _____ (Microsoft Corporation) C:\Windows\system32\dpnet.dll
2013-12-04 11:58 - 2012-11-02 01:26 - 00023040 _____ (Microsoft Corporation) C:\Windows\system32\dpnsvr.exe
2013-12-04 11:57 - 2013-07-15 21:35 - 00615936 _____ (Microsoft Corporation) C:\Windows\system32\themeui.dll
2013-12-04 11:57 - 2013-07-03 21:21 - 00532480 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2013-12-04 11:57 - 2013-07-02 19:33 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbscan.sys
2013-12-04 11:57 - 2013-07-02 19:10 - 00025472 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidparse.sys
2013-12-04 11:57 - 2013-06-03 21:16 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2013-12-04 11:57 - 2013-06-03 18:49 - 00293376 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2013-12-04 11:57 - 2013-05-31 21:06 - 00505344 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2013-12-04 11:57 - 2013-05-01 21:04 - 00443904 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2013-12-04 11:57 - 2013-05-01 21:03 - 00037376 _____ (Microsoft Corporation) C:\Windows\system32\printcom.dll
2013-12-04 11:57 - 2013-03-07 20:53 - 00376320 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2013-12-04 11:57 - 2013-03-07 20:52 - 02067968 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2013-12-04 11:57 - 2012-11-02 03:19 - 01400832 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2013-12-04 11:25 - 2013-07-07 21:20 - 00172544 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2013-12-04 11:25 - 2013-07-07 21:16 - 00133120 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2013-12-04 11:25 - 2013-07-07 21:16 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2013-12-04 11:25 - 2013-02-11 18:57 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usb8023.sys
2013-12-03 12:26 - 2013-12-03 12:26 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Apple Computer
2013-12-03 12:26 - 2013-12-03 12:26 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Adobe
2013-12-03 09:38 - 2013-12-03 09:38 - 00000000 ____D C:\Users\Ron\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2013-12-02 17:39 - 2013-12-04 12:40 - 00000000 ____D C:\Windows\system32\MRT
2013-12-02 12:09 - 2013-12-02 12:09 - 03089958 _____ C:\Users\Ron\Desktop\PDF reader, PDF viewer  Adobe Reader XI.mht
2013-11-27 12:41 - 2013-11-27 13:02 - 3225681858 _____ C:\avenger.txt
2013-11-27 12:41 - 2013-11-27 12:41 - 00000000 ____D C:\Avenger
2013-11-25 12:50 - 2013-12-05 09:30 - 00001372 _____ C:\Windows\pvsw.log
2013-11-25 12:42 - 2013-12-05 09:22 - 00009218 _____ C:\Windows\PFRO.log
2013-11-16 14:09 - 2013-11-16 15:17 - 00000000 ____D C:\Ruth
2013-11-05 11:33 - 2013-11-05 11:33 - 00315663 _____ C:\Windows\system32\sdtn

==================== One Month Modified Files and Folders =======

2013-12-05 17:42 - 2013-12-05 17:41 - 00014239 _____ C:\Users\Ron\Desktop\FRST.txt
2013-12-05 17:41 - 2013-12-05 17:41 - 00000000 ____D C:\FRST
2013-12-05 17:38 - 2012-10-21 14:44 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-12-05 17:30 - 2006-11-02 05:47 - 00003696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-05 17:30 - 2006-11-02 05:47 - 00003696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-05 16:18 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-12-05 14:29 - 2007-03-05 11:02 - 02039270 _____ C:\Windows\WindowsUpdate.log
2013-12-05 14:01 - 2006-11-02 03:33 - 00704940 _____ C:\Windows\system32\PerfStringBackup.INI
2013-12-05 13:07 - 2013-12-05 13:07 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2013-12-05 11:32 - 2013-12-05 11:32 - 00000000 ____D C:\Users\Test\AppData\Roaming\Adobe
2013-12-05 11:31 - 2013-12-05 11:31 - 00000000 ____D C:\Users\Test\AppData\Roaming\Apple Computer
2013-12-05 11:30 - 2013-12-05 11:30 - 00000997 _____ C:\Users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2013-12-05 11:30 - 2013-12-05 11:30 - 00000992 _____ C:\Users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2013-12-05 11:30 - 2013-12-05 11:30 - 00000000 ___HD C:\Users\Test\AppData\Roaming\GTek
2013-12-05 11:30 - 2013-12-05 11:28 - 00000000 ____D C:\Users\Test
2013-12-05 11:29 - 2013-12-05 11:29 - 00000963 _____ C:\Users\Test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk
2013-12-05 11:29 - 2013-12-05 11:29 - 00000000 ____D C:\Users\Test\AppData\Local\VirtualStore
2013-12-05 11:28 - 2013-12-05 11:28 - 00000020 ___SH C:\Users\Test\ntuser.ini
2013-12-05 09:51 - 2010-12-06 13:48 - 00002633 _____ C:\Users\Ron\Desktop\Outlook 2003.lnk
2013-12-05 09:49 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\rescache
2013-12-05 09:33 - 2006-11-02 05:37 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-12-05 09:32 - 2012-12-13 01:20 - 00262144 _____ C:\Windows\system32\config\ELAM
2013-12-05 09:30 - 2013-11-25 12:50 - 00001372 _____ C:\Windows\pvsw.log
2013-12-05 09:30 - 2006-11-02 06:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-12-05 09:28 - 2006-11-02 05:47 - 00439536 _____ C:\Windows\system32\FNTCACHE.DAT
2013-12-05 09:22 - 2013-11-25 12:42 - 00009218 _____ C:\Windows\PFRO.log
2013-12-05 09:22 - 2011-09-25 16:43 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-12-05 09:19 - 2011-04-20 13:04 - 00000000 ____D C:\ProgramData\LogMeIn
2013-12-05 09:19 - 2006-11-02 06:01 - 00032564 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-12-05 09:17 - 2006-11-02 05:37 - 00000000 ____D C:\Windows\system32\XPSViewer
2013-12-05 09:17 - 2006-11-02 05:37 - 00000000 ____D C:\Program Files\Windows Journal
2013-12-05 09:10 - 2013-12-05 17:37 - 01405939 _____ (Farbar) C:\Users\Ron\Desktop\FRST.exe
2013-12-04 17:51 - 2006-11-02 03:23 - 00000240 _____ C:\Windows\win.ini
2013-12-04 12:40 - 2013-12-02 17:39 - 00000000 ____D C:\Windows\system32\MRT
2013-12-03 14:12 - 2011-10-14 08:49 - 00000000 ____D C:\Users\Guest
2013-12-03 14:12 - 2006-11-02 03:22 - 63176704 _____ C:\Windows\system32\config\software_previous
2013-12-03 14:11 - 2010-12-09 10:29 - 00000000 ____D C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PayRight5
2013-12-03 14:11 - 2009-10-28 09:39 - 00000000 ____D C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\English CWE Toolbar
2013-12-03 14:11 - 2008-09-18 18:25 - 00000000 ____D C:\Users\Ron\AppData\Local\MicroVision Applications
2013-12-03 14:11 - 2007-03-18 17:57 - 00000000 ____D C:\Users\Ron\AppData\Roaming\5400 Series
2013-12-03 14:11 - 2007-03-17 09:21 - 00000000 ____D C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TurboTax ItsDeductible
2013-12-03 14:11 - 2007-03-16 16:55 - 00000000 ___RD C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2013-12-03 14:11 - 2007-03-16 16:55 - 00000000 ___RD C:\Users\Ron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-12-03 14:11 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\system32\spool
2013-12-03 14:11 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\system32\Msdtc
2013-12-03 14:09 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\registration
2013-12-03 14:09 - 2006-11-02 03:22 - 26738688 _____ C:\Windows\system32\config\system_previous
2013-12-03 13:55 - 2006-11-02 03:22 - 46137344 _____ C:\Windows\system32\config\components_previous
2013-12-03 13:55 - 2006-11-02 03:22 - 00262144 _____ C:\Windows\system32\config\sam_previous
2013-12-03 13:23 - 2007-03-16 16:55 - 00000000 ____D C:\Users\Ron
2013-12-03 12:32 - 2006-11-02 03:22 - 01048576 _____ C:\Windows\system32\config\default_previous
2013-12-03 12:32 - 2006-11-02 03:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2013-12-03 12:27 - 2011-10-14 08:52 - 00000000 ___HD C:\Users\Guest\AppData\Roaming\GTek
2013-12-03 12:26 - 2013-12-03 12:26 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Apple Computer
2013-12-03 12:26 - 2013-12-03 12:26 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Adobe
2013-12-03 09:40 - 2008-12-06 08:52 - 00000000 ____D C:\ProgramData\Adobe
2013-12-03 09:38 - 2013-12-03 09:38 - 00000000 ____D C:\Users\Ron\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2013-12-02 15:47 - 2007-12-22 16:42 - 00000000 ____D C:\Home
2013-12-02 15:39 - 2010-12-27 17:53 - 00000000 ____D C:\Program Files\Common Files\Adobe
2013-12-02 15:39 - 2007-04-09 14:21 - 00000000 ____D C:\Users\Ron\AppData\Local\Adobe
2013-12-02 12:09 - 2013-12-02 12:09 - 03089958 _____ C:\Users\Ron\Desktop\PDF reader, PDF viewer  Adobe Reader XI.mht
2013-11-29 13:45 - 2010-06-13 14:41 - 00001356 _____ C:\Users\Ron\AppData\Local\d3d9caps.dat
2013-11-28 13:42 - 2010-12-06 13:48 - 00002609 _____ C:\Users\Ron\Desktop\Word 2003.lnk
2013-11-27 13:02 - 2013-11-27 12:41 - 3225681858 _____ C:\avenger.txt
2013-11-27 12:41 - 2013-11-27 12:41 - 00000000 ____D C:\Avenger
2013-11-27 12:34 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\security
2013-11-25 11:43 - 2007-03-05 11:18 - 00000000 ____D C:\Program Files\Google
2013-11-25 11:36 - 2010-12-06 13:46 - 00002607 _____ C:\Users\Ron\Desktop\Excel 2003.lnk
2013-11-25 10:37 - 2010-12-03 18:23 - 00000000 ____D C:\PayRght5
2013-11-20 14:10 - 2010-11-22 17:38 - 00000000 ____D C:\Users\Public\Documents\Neat ADF Scanner
2013-11-16 15:17 - 2013-11-16 14:09 - 00000000 ____D C:\Ruth
2013-11-16 15:17 - 2008-12-20 12:43 - 00000000 ____D C:\Folks
2013-11-08 11:38 - 2013-09-12 14:07 - 00000000 ____D C:\ProgramData\boost_interprocess
2013-11-07 15:50 - 2006-11-02 03:24 - 80340640 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-11-05 11:33 - 2013-11-05 11:33 - 00315663 _____ C:\Windows\system32\sdtn

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3375002478-1975807548-1840314736-1001\$c539c59a99316716b51222ffa3899385

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$c539c59a99316716b51222ffa3899385
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Files to move or delete:
====================
C:\Users\Ron\FileFormatConverters.exe
C:\Users\Ron\gotomypc_540.exe
C:\Users\Ron\gotomypc_626.exe
C:\Users\Ron\Neat_v5.2.2.3_UPGRADE.sfx.exe

Some content of TEMP:
====================
C:\Users\Ron\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Ron\AppData\Local\Temp\MSN4B6B.exe
C:\Users\Ron\AppData\Local\Temp\_is7FB5.exe
C:\Users\Ron\AppData\Local\Temp\_isCC63.exe
C:\Users\Ron\AppData\Local\Temp\_isD511.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

LastRegBack: 2013-12-05 09:35

==================== End Of Log ============================


#4 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,311 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 06 December 2013 - 12:22 PM

Download the enclosed file.

Save it in the same location FRST is.

Run FRST and click on the Fix button. Wait until finished.

The tool will make a log in the location FRST is, (Fixlog.txt). Please post it to your reply.

Restart the computer and test. How is it feeling?


Edited by JSntgRvr, 06 December 2013 - 12:29 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 gjw
  • Topic Starter
  • Members
  • 11 posts

Posted 06 December 2013 - 02:43 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-12-2013
Ran by Ron at 2013-12-06 11:01:29 Run:1
Running from C:\Users\Ron\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
Start
HKLM\...\runonceex: [] - [x]
HKCU\...\Run: [olasds] - "C:\Windows\System32\rundll32.exe" "C:\Users\Ron\AppData\Roaming\olasds.dll",warning <===== ATTENTION
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
C:\Users\Ron\AppData\Roaming\olasds.dll
Toolbar: HKCU - No Name - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} -  No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{c539c59a-9931-6716-b512-22ffa3899385}\   \...\???\{c539c59a-9931-6716-b512-22ffa3899385}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S0 klqjgqs; System32\drivers\yofplojv.sys [x]
C:\$Recycle.Bin\S-1-5-21-3375002478-1975807548-1840314736-1001\$c539c59a99316716b51222ffa3899385
C:\Program Files\Google\Desktop\Install
C:\Users\Ron\FileFormatConverters.exe
C:\Users\Ron\gotomypc_540.exe
C:\Users\Ron\gotomypc_626.exe
C:\Users\Ron\Neat_v5.2.2.3_UPGRADE.sfx.exe
C:\Users\Ron\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Ron\AppData\Local\Temp\MSN4B6B.exe
C:\Users\Ron\AppData\Local\Temp\_is7FB5.exe
C:\Users\Ron\AppData\Local\Temp\_isCC63.exe
C:\Users\Ron\AppData\Local\Temp\_isD511.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
End
*****************
 
I am now able to download. Thank you so much. My PC still gets the intermittent white screen & says "not responding" on different applications, but I am just thankful to now be able to download. Thanks again.


#6 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,311 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 06 December 2013 - 07:38 PM

The Fixlog.txt appears to be incomplete. It only shows the contents of the Fixlist.txt, but not the results. Please recheck and post the complete Fixlog.txt produced.

Let's scan:

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Download AdwCleaner to your desktop.

NOTE: If using Internet Explorer and get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs and click on the AdwCleaner icon.

Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

The report will be saved in the C:\AdwCleaner folder as AdwCleaner[S0].txt.
  • Launch and update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Please run a free online scan with the ESET Online Scanner

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Note: This scan works with Internet Explorer or Mozilla Firefox.

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  • Click the green ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use
    then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close, but make sure you copy the logfile first!
  • Then click on: Finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.



#7 gjw
  • Topic Starter
  • Members
  • 11 posts

Posted 07 December 2013 - 03:00 PM

Here's the complete fixlog.txt. I will run AdwCleaner as described in your last post. One other thing: my Neat scanner isn't working properly now.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 06-12-2013
Ran by Ron at 2013-12-06 11:01:29 Run:1
Running from C:\Users\Ron\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
Start
HKLM\...\runonceex: [] - [x]
HKCU\...\Run: [olasds] - "C:\Windows\System32\rundll32.exe" "C:\Users\Ron\AppData\Roaming\olasds.dll",warning <===== ATTENTION
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
C:\Users\Ron\AppData\Roaming\olasds.dll
Toolbar: HKCU - No Name - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} -  No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{c539c59a-9931-6716-b512-22ffa3899385}\   \...\???\{c539c59a-9931-6716-b512-22ffa3899385}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
S0 klqjgqs; System32\drivers\yofplojv.sys [x]
C:\$Recycle.Bin\S-1-5-21-3375002478-1975807548-1840314736-1001\$c539c59a99316716b51222ffa3899385
C:\Program Files\Google\Desktop\Install
C:\Users\Ron\FileFormatConverters.exe
C:\Users\Ron\gotomypc_540.exe
C:\Users\Ron\gotomypc_626.exe
C:\Users\Ron\Neat_v5.2.2.3_UPGRADE.sfx.exe
C:\Users\Ron\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Ron\AppData\Local\Temp\MSN4B6B.exe
C:\Users\Ron\AppData\Local\Temp\_is7FB5.exe
C:\Users\Ron\AppData\Local\Temp\_isCC63.exe
C:\Users\Ron\AppData\Local\Temp\_isD511.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
End
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\runonceex\\ => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\olasds => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
"C:\Users\Ron\AppData\Roaming\olasds.dll" => File/Directory not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1017A80C-6F09-4548-A84D-EDD6AC9525F0} => Value deleted successfully.
HKCR\CLSID\{1017A80C-6F09-4548-A84D-EDD6AC9525F0} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value deleted successfully.
HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.
*etadpug => Service deleted successfully.
klqjgqs => Service deleted successfully.
C:\$Recycle.Bin\S-1-5-21-3375002478-1975807548-1840314736-1001\$c539c59a99316716b51222ffa3899385 => Directory moved successfully.
 
"C:\Program Files\Google\Desktop\Install" directory move:
 
Could not move "C:\Program Files\Google\Desktop\Install" directory. => Scheduled to move on reboot.
 
C:\Users\Ron\FileFormatConverters.exe => Moved successfully.
C:\Users\Ron\gotomypc_540.exe => Moved successfully.
C:\Users\Ron\gotomypc_626.exe => Moved successfully.
C:\Users\Ron\Neat_v5.2.2.3_UPGRADE.sfx.exe => Moved successfully.
C:\Users\Ron\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.
C:\Users\Ron\AppData\Local\Temp\MSN4B6B.exe => Moved successfully.
C:\Users\Ron\AppData\Local\Temp\_is7FB5.exe => Moved successfully.
C:\Users\Ron\AppData\Local\Temp\_isCC63.exe => Moved successfully.
C:\Users\Ron\AppData\Local\Temp\_isD511.exe => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtMon.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtPlug.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSigDwn.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSoftEx.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2013-12-06 12:00:35)<=
 
C:\Program Files\Google\Desktop\Install => Is moved successfully.
 
==== End of Fixlog ====


#8 gjw

Posted 07 December 2013 - 03:16 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by Ron on Sat 12/07/2013 at 13:05:22.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 12/07/2013 at 13:08:33.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#9 gjw

Posted 07 December 2013 - 04:07 PM

# AdwCleaner v3.014 - Report created 07/12/2013 at 13:26:43
# Updated 01/12/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Ron - RON-PC
# Running from : C:\Users\Ron\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.19483

-\\ Google Chrome v31.0.1650.63

[ File : C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [879 octets] - [07/12/2013 13:21:33]
AdwCleaner[S0].txt - [803 octets] - [07/12/2013 13:26:43]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [862 octets] ##########



#10 gjw

Posted 07 December 2013 - 04:41 PM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.07.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19483
Ron :: RON-PC [administrator]

12/7/2013 1:49:58 PM
mbam-log-2013-12-07 (13-49-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 306746
Time elapsed: 43 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#11 JSntgRvr

Posted 07 December 2013 - 07:38 PM

How is the computer doing?


#12 gjw

Posted 08 December 2013 - 11:36 AM

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=e6b107bf85d53246a166953ff49b8c20
# engine=16181
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-12-08 01:40:29
# local_time=2013-12-07 06:40:29 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5122 16777213 100 100 22927838 134299025 0 0
# compatibility_mode=5892 16776638 66 100 32810799 223074357 0 0
# scanned=379428
# found=1
# cleaned=1
# scan_time=13448
sh=431C20E25E682822AEC6AC36AC655478B0E6F246 ft=1 fh=bb8f14a66d1701b3 vn="multiple threats (cleaned by deleting - quarantined)" ac=C fn="C:\RW EXCEL DATA\Computers\RegtaskTool_Installer.exe"
 



#13 gjw

Posted 08 December 2013 - 12:28 PM

I haven't done too much testing on it yet; I am trying to get my Neat scanner working. The PC sees the scanner, but won't scan. It was okay before we started. I guess I may have to reload the software... dk...



#14 JSntgRvr

Posted 08 December 2013 - 12:36 PM

I haven't done too much testing on it yet; I am trying to get my Neat scanner working. The PC sees the scanner, but won't scan. It was okay before we started. I guess I may have to reload the software... dk...

Reloading the software may do. Will wait for your feedback.
