
Computer Playing Random Audio (Sounds like radio commercials)


  • This topic is locked
28 replies to this topic

#1 pastorjames

pastorjames

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:37 AM

Posted 11 April 2014 - 03:47 PM

Computer started this yesterday afternoon.  I've read many posts and have tried, in Safe Mode, the following: TDSSKiller, RKill, Malwarebytes, SUPERAntiSpyware, ComboFix, HitmanPro, RogueKiller and the hokey pokey, and nothing has worked.  I believe it has to do with a malware called Rootkit.bot and it's corrupted my pcss.dll file.

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.7601.17514
Run by Administrator at 15:21:38 on 2014-04-11
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3241.2421 [GMT -5:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {5D349EF8-873B-C657-917F-F1D93E101A7C}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {E6557F1C-A101-C9D9-ABCF-CAAB459750C1}
FW: Trend Micro Personal Firewall *Enabled* {49A8346C-6900-54B6-B1B3-5F678736DDE9}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
mURLSearchHooks: {7e8a1050-cf67-4575-92df-dcc60e7d952d} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: ContributeBHO Class: {074C1DC5-9320-4A9A-947D-C042949C6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\program files\trend micro\officescan client\TmIEPlg.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
StartupFolder: c:\users\admini~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\smarts~1.lnk - c:\program files\dell\feature enhancement pack\SmartSettings.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: EnableVirtualization = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-System: DisableCAD = dword:1
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {B4FECE59-6D0A-4EE6-A07F-E6A94F846E55} - c:\program files\tomabo\youtube video downloader\YTVD_IE.dll/300
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: intuit.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
TCP: NameServer = 10.0.0.1
TCP: Interfaces\{007FB460-0AFC-4DA7-A539-484757FC7D96} : DHCPNameServer = 10.0.0.1
TCP: Interfaces\{A45D33E4-E853-47A5-BF67-91FFCF1C6FE3}\34963736F69353931353 : DHCPNameServer = 12.127.17.71 12.127.17.72 192.168.1.1
TCP: Interfaces\{A45D33E4-E853-47A5-BF67-91FFCF1C6FE3}\34F657274797162746D27457563747 : DHCPNameServer = 12.127.17.71 12.127.17.72
TCP: Interfaces\{A45D33E4-E853-47A5-BF67-91FFCF1C6FE3}\86F6D656737373 : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\officescan client\TmIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\917\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: spba - c:\program files\common files\spba\homefus2.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages =  msv1_0 wvauth
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\33.0.1750.154\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2013-11-4 15664]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2013-9-5 17648]
R1 TmLwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2012-6-21 146232]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2013-9-5 43888]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2013-9-5 350248]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2013-9-5 41088]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\NETwsn00.sys [2013-4-18 10375680]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2013-9-5 62440]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjw7.sys [2013-9-5 63976]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2013-9-5 81920]
S2 AMPAgent;Dell KACE Agent;c:\program files\dell\kace\AMPAgent.exe [2013-2-8 2848360]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2012-2-2 1787720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\dell\feature enhancement pack\DFEPService.exe [2012-5-8 1568792]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\displaylink core software\DisplayLinkManager.exe [2013-10-7 7676720]
S2 EmbassyService;EmbassyService;c:\program files\dell\dell data protection\access\advanced\wave\embassy client core\EmbassyServer.exe [2012-1-17 179592]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-7-25 162672]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2013-7-17 770432]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2013-1-31 62704]
S2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2013-4-16 263968]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2013-4-16 36128]
S2 tmWfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2012-6-21 282936]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\dell\dell data protection\access\advanced\wave\authentication manager\WaveAMService.exe [2012-1-5 1189376]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\intel\wifi\bin\ZeroConfigService.exe [2013-4-18 2532592]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\drivers\btwampfl.sys [2013-9-5 302120]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2013-9-5 33832]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2013-9-5 134144]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2013-9-5 147360]
S3 DisplayLinkUsbIo;DisplayLinkUsbIo;c:\windows\system32\drivers\DisplayLinkUsbIo_7.4.51572.0.sys [2013-10-8 38192]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2013-11-4 337200]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-3-8 62464]
S3 DSASvc;OfficeScan Data Protection Service;c:\windows\system32\dgagent\dsagent.exe [2014-3-26 4143664]
S3 esgiguard;esgiguard;c:\program files\enigma software group\spyhunter\esgiguard.sys [2011-5-6 13904]
S3 EsgScanner;EsgScanner;c:\windows\system32\drivers\EsgScanner.sys [2012-6-22 19984]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2013-12-2 49664]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2013-2-5 1512448]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2013-9-5 269824]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\o2mdfw7.sys [2013-9-5 60904]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\trend micro\officescan client\TmPfw.exe [2011-4-15 497272]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2012-12-6 689712]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-8 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2011-3-8 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-1-17 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WvPCR;WvPCR;c:\program files\dell\dell data protection\access\advanced\wave\common\WvPCR.exe [2012-1-16 145408]
.
=============== File Associations ===============
.
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs3\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2014-04-11 19:55:01 62576 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c4b247e1-149d-4dc3-b70e-ac2e3f5e0c62}\offreg.dll
2014-04-11 19:49:33 -------- d-----w- c:\users\administrator\appdata\local\CrashDumps
2014-04-11 19:17:49 -------- d-sh--w- C:\$RECYCLE.BIN
2014-04-11 19:17:45 -------- d-----w- c:\users\administrator\appdata\local\temp
2014-04-11 19:08:00 98816 ----a-w- c:\windows\sed.exe
2014-04-11 19:08:00 256000 ----a-w- c:\windows\PEV.exe
2014-04-11 19:08:00 208896 ----a-w- c:\windows\MBR.exe
2014-04-11 18:46:05 -------- d-----w- c:\users\administrator\appdata\roaming\SUPERAntiSpyware.com
2014-04-11 16:40:25 -------- d-----w- c:\program files\HitmanPro
2014-04-11 16:40:02 -------- d-----w- c:\programdata\HitmanPro
2014-04-11 15:58:18 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-11 15:58:18 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-11 15:58:17 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-11 15:58:17 -------- d-----w- c:\programdata\Malwarebytes
2014-04-11 15:58:17 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-04-11 02:38:05 -------- d-----w- C:\TDSSKiller_Quarantine
2014-04-10 22:42:05 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-03-26 20:25:12 140848 ----a-w- c:\windows\system32\ShowMix.dll
2014-03-26 20:25:10 66336 ----a-w- c:\windows\system32\drivers\sakfile.sys
2014-03-26 20:25:10 35104 ----a-w- c:\windows\system32\drivers\dlpnetfltr.sys
2014-03-26 20:25:10 341016 ----a-w- c:\windows\system32\dlpexaddin.x86.dll
2014-03-26 20:25:10 318000 ----a-w- c:\windows\system32\dlphook.x86.dll
2014-03-26 20:25:09 75312 ----a-w- c:\windows\system32\RemoveWorkingDirectory.exe
2014-03-26 20:25:09 428592 ----a-w- c:\windows\system32\ShowMsg.exe
2014-03-26 20:25:08 -------- d-----w- c:\windows\system32\dgagent
2014-03-14 19:46:40 46928 ----a-r- c:\windows\system32\AdobePDF.dll
2014-03-14 19:46:40 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2014-03-14 16:03:46 -------- d-----w- C:\Macromedia
.
==================== Find3M  ====================
.
2014-04-10 22:56:36 181272 ----a-w- c:\windows\RegBootClean.exe
.
============= FINISH: 15:21:52.61 ===============



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 12 April 2014 - 05:48 PM


Hello pastorjames

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

How to tell > 32 or 64 bit

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe or e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First Press the Scan button.
  • It will make a log (FRST.txt)
I want you to post the FRST.txt report into your reply to me.



I need to find out some more information about one of the files on the computer

Please run FRST like you did before but this time I would like you to

Type the following in the edit box after "Search:".

rpcss.dll

It then should look like:

Search: rpcss.dll

Click the Search button and post the log (Search.txt) it makes to your reply.




Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
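The Search step above asks FRST to list every copy of rpcss.dll on the disk so the helper can compare them. As an added example that is not part of this thread and not FRST's own code, the PowerShell script below gathers the same kind of evidence for every copy of that file (size, timestamps, version resource, Authenticode status, SHA-256 hash), flags copies that disagree with each other or look tampered with, and finally lets Windows Resource Protection verify the copy that is actually loaded from System32. It assumes an elevated PowerShell prompt on the affected PC; the parameter names and the 30-day "recently modified" window are choices made here, not anything from the thread.

```powershell
# Added example (not part of the thread, not FRST's own code): gather, for
# every copy of rpcss.dll on the system drive, the facts a responder compares
# when deciding whether a Windows system file has been replaced: size,
# timestamps, version resource, Authenticode status and SHA-256 hash, then
# let SFC verify the copy that actually gets loaded from System32.
# Assumptions: run from an elevated PowerShell prompt on the affected PC;
# $FileName and $Root are parameters chosen here, defaults match this thread.
param(
    [string]$FileName = 'rpcss.dll',
    [string]$Root     = 'C:\'
)

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing instead of Get-FileHash so this also runs on the
    # PowerShell 2.0 that ships with Windows 7 (the OS in the DDS log above).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close(); $sha.Clear() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Every file named rpcss.dll, including the WinSxS and backup copies.
$copies = Get-ChildItem -Path $Root -Filter $FileName -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer }

$report = foreach ($f in $copies) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $ver    = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($f.FullName)
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path      = $f.FullName
        Size      = $f.Length
        Created   = $f.CreationTimeUtc
        Modified  = $f.LastWriteTimeUtc
        Version   = $ver.FileVersion
        Company   = $ver.CompanyName
        Signature = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer    = $signer
        Sha256    = Get-Sha256Hex -Path $f.FullName
    }
}

$report | Sort-Object Path |
    Format-List Path, Size, Created, Modified, Version, Company, Signature, Signer, Sha256

# Reading the Signature column: Windows system binaries are usually
# catalog-signed rather than embedded-signed, so NotSigned on its own is
# expected on this PowerShell version. HashMismatch, a missing or foreign
# CompanyName, a recent Modified time, or copies whose hashes disagree are
# the findings worth a second look.
$hashes  = @($report | Select-Object -ExpandProperty Sha256 | Sort-Object -Unique)
$suspect = $report | Where-Object {
    $_.Signature -eq 'HashMismatch' -or
    $_.Company -notlike '*Microsoft*' -or
    $_.Modified -gt (Get-Date).ToUniversalTime().AddDays(-30)
}
if ($hashes.Count -gt 1) {
    Write-Warning ("{0} distinct {1} hashes on disk; the copies do not all match." -f $hashes.Count, $FileName)
}
if ($suspect) {
    Write-Warning 'Copies that are mis-signed, not from Microsoft, or recently modified:'
    $suspect | Format-Table Path, Company, Signature, Modified -AutoSize
}

# Authoritative check for the loaded copy: Windows Resource Protection
# compares it against the component store and reports integrity violations.
$loaded = Join-Path $env:windir "System32\$FileName"
if (Test-Path $loaded) {
    & "$env:windir\System32\sfc.exe" "/VERIFYFILE=$loaded"
}
```

On a 64-bit machine a second, 32-bit copy lives under SysWOW64 and will show up in the listing with a different hash from the System32 one; that difference alone is normal.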

#3 pastorjames

pastorjames
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:37 AM

Posted 14 April 2014 - 11:41 AM

Gringo,

 

Thank you for replying.

 

Unfortunately I need further help as, for some reason, I can't seem to get the frst program to run properly.

 

I was able to download and save to a thumb drive and enter into System recovery and go to the command prompt.  When I typed in 'F:\frst.exe' it just populated the notepad with a bunch of random characters.  Never asked me for a disclaimer or to hit the scan button.  I confirmed I downloaded the right 32 bit for my system. 

 

I also tried the next step but didn't see an option anywhere for "Search" as you describe below.

 

Thought I was fairly tech savvy but this set me straight.

 

Any help would be greatly appreciated, as I'm assuming I'm just missing something.

 

Thanks

PJ



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 15 April 2014 - 07:16 AM

Hello

Go ahead and run them in normal mode and send me that report.


gringo

#5 pastorjames

pastorjames
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:37 AM

Posted 15 April 2014 - 10:03 PM

Gringo, here are the items:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-04-2014
Ran by JSchulker (administrator) on B7770-24785 on 15-04-2014 21:57:15
Running from C:\Users\jschulker\Downloads
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(AuthenTec, Inc.) C:\Program Files\Fingerprint Sensor\AtService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\STacSV.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\aestsrv.exe
(Dell Inc.) C:\Program Files\Dell\KACE\AMPAgent.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Cisco Systems, Inc.) C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
() C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
(O2Micro International) C:\Windows\system32\DRIVERS\o2flash.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\ssonsvr.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\concentr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
(Citrix Systems, Inc.) C:\Program Files\Citrix\ICA Client\WFCRUN32.EXE
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\BM\TMBMSRV.exe
(Trend Micro Inc.) C:\Windows\system32\dgagent\DSAGENT.exe
(Trend Micro Inc.) C:\Windows\system32\ShowMsg.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [OfficeScanNT Monitor] => C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe [1521360 2013-04-29] (Trend Micro Inc.)
HKLM\...\Run: [ConnectionCenter] => C:\Program Files\Citrix\ICA Client\concentr.exe [103768 2009-09-12] (Citrix Systems, Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\917\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKU\S-1-5-21-2130522478-15925988-980507067-29412\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [718720 2011-07-22] (Microsoft Corporation)
HKU\S-1-5-21-2130522478-15925988-980507067-29412\...\MountPoints2: {0f4d2a94-abc1-11e3-8e18-3859f9d90b65} - F:\VZW_Software_upgrade_assistant.exe
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\Users\help\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKLM - (No Name) - {7e8a1050-cf67-4575-92df-dcc60e7d952d} -  No File
SearchScopes: HKLM - DefaultScope {F26A36A5-8E4E-401B-8808-E0E2E114ECE8} URL = 
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = 
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (Adobe Systems Incorporated.)
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: TmIEPlugInBHO Class - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\OfficeScan Client\TmIEPlg.dll (Trend Micro Inc.)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (Adobe Systems Incorporated.)
Toolbar: HKCU - No Name - {7E8A1050-CF67-4575-92DF-DCC60E7D952D} -  No File
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\OfficeScan Client\TmIEPlg.dll (Trend Micro Inc.)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Hosts: 127.0.0.1 localhost
Tcpip\Parameters: [DhcpNameServer] 12.127.17.71 12.127.17.72
 
FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=16.4.3508.0205 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\jschulker\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2013-09-20]
FF HKLM\...\Firefox\Extensions: [{55A8EC97-6AF6-442c-877F-11C51DBD162D}] - C:\Program Files\Tomabo\YouTube Video Downloader\YTVD_FF.xpi
FF Extension: YouTube Video Downloader Extension - C:\Program Files\Tomabo\YouTube Video Downloader\YTVD_FF.xpi [2013-10-14]
FF HKLM\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\OfficeScan Client\FirefoxExtension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\OfficeScan Client\FirefoxExtension [2013-11-20]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2013-09-20]
 
Chrome: 
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\34.0.1847.116\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\34.0.1847.116\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\34.0.1847.116\pdf.dll ()
CHR Plugin: (Java Deployment Toolkit 6.0.250.6) - C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll (Sun Microsystems, Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 6 U25) - C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Citrix Online Web Deployment Plugin 1.0.0.104) - C:\Users\jschulker\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR Extension: (Google Docs) - C:\Users\jschulker\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-09-19]
CHR Extension: (Google Drive) - C:\Users\jschulker\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-09-19]
CHR Extension: (YouTube) - C:\Users\jschulker\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-09-19]
CHR Extension: (Google Search) - C:\Users\jschulker\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-09-19]
CHR Extension: (Aqua Blue) - C:\Users\jschulker\AppData\Local\Google\Chrome\User Data\Default\Extensions\dmjepcknamjibigkhomapkdfgafhpbln [2013-10-21]
CHR Extension: (YouTube Video Downloader Extension) - C:\Users\jschulker\AppData\Local\Google\Chrome\User Data\Default\Extensions\igljnkmljjbhcellpnjppojkfdfmkjmp [2013-10-14]
CHR Extension: (Google Wallet) - C:\Users\jschulker\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-19]
CHR Extension: (Gmail) - C:\Users\jschulker\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-09-19]
CHR HKLM\...\Chrome\Extension: [banjjklfojcdbofbhbgiedekefohoaff] - C:\Users\jschulker\AppData\Local\CRE\banjjklfojcdbofbhbgiedekefohoaff.crx [2013-09-26]
CHR HKLM\...\Chrome\Extension: [igljnkmljjbhcellpnjppojkfdfmkjmp] - C:\Program Files\Tomabo\YouTube Video Downloader\YTVD_GC.crx [2013-10-14]
CHR HKLM\...\Chrome\Extension: [pcajpdcjfekhfnapaiphaecoajeollnc] - C:\Users\jschulker\AppData\Local\CRE\pcajpdcjfekhfnapaiphaecoajeollnc.crx [2013-10-14]
CHR HKCU\...\Chrome\Extension: [banjjklfojcdbofbhbgiedekefohoaff] - C:\Users\jschulker\AppData\Local\CRE\banjjklfojcdbofbhbgiedekefohoaff.crx [2013-09-26]
CHR HKCU\...\Chrome\Extension: [pcajpdcjfekhfnapaiphaecoajeollnc] - C:\Users\jschulker\AppData\Local\CRE\pcajpdcjfekhfnapaiphaecoajeollnc.crx [2013-09-26]
 
========================== Services (Whitelisted) =================
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [119056 2013-05-23] (SUPERAntiSpyware.com)
S3 Adobe Version Cue CS3; C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe [153792 2007-03-20] (Adobe Systems Incorporated)
R2 AMPAgent; C:\Program Files\Dell\KACE\AMPAgent.exe [2848360 2013-02-08] (Dell Inc.)
R2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1787720 2012-02-02] (AuthenTec, Inc.)
R2 CVPND; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1528616 2010-09-27] (Cisco Systems, Inc.)
R2 DFEPService; C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [1568792 2012-05-08] (Dell Inc.)
R2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [7676720 2013-10-07] (DisplayLink Corp.)
R3 DSASvc; C:\Windows\system32\dgagent\DSAGENT.exe [4143664 2014-03-26] (Trend Micro Inc.)
R2 EmbassyService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [179592 2012-01-17] ()
R2 ntrtscan; C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe [2127000 2013-04-26] (Trend Micro Inc.)
R2 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2010-02-10] (O2Micro International)
S3 SecureStorageService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe [1517448 2011-11-11] (Wave Systems Corp.)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [274514 2011-01-25] (IDT, Inc.)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1637888 2011-10-08] ()
R2 TdmService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe [2864496 2011-12-08] (Wave Systems Corp.)
R3 TMBMServer; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [345112 2013-10-23] (Trend Micro Inc.)
R2 tmlisten; C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe [2082968 2013-04-26] (Trend Micro Inc.)
R3 TmPfw; C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe [497272 2011-04-15] (Trend Micro Inc.)
R3 TmProxy; C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe [689712 2012-12-06] (Trend Micro Inc.)
R2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1189376 2012-01-05] (Wave Systems Corp.)
S3 WvPCR; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [145408 2012-01-16] (Wave Systems Corp.)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2532592 2013-04-18] (Intel® Corporation)
S2 SpyHunter 4 Service; C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [X]
 
==================== Drivers (Whitelisted) ====================
 
R3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [43888 2010-12-13] (ST Microelectronics)
R3 BTWAMPFL; C:\Windows\System32\DRIVERS\btwampfl.sys [302120 2013-09-05] (Broadcom Corporation.)
S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
R2 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [308859 2010-09-27] (Cisco Systems, Inc.)
S3 DisplayLinkUsbIo; C:\Windows\System32\DRIVERS\DisplayLinkUsbIo_7.4.51572.0.sys [38192 2013-10-08] ()
R3 dlkmd; C:\Windows\system32\drivers\dlkmd.sys [337200 2013-10-07] (DisplayLink Corp.)
R0 dlkmdldr; C:\Windows\System32\drivers\dlkmdldr.sys [15664 2013-10-07] (DisplayLink Corp.)
R3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131984 2008-11-16] (Deterministic Networks, Inc.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [19984 2012-06-22] ()
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41088 2010-10-19] (Intel Corporation)
R3 NETwNs32; C:\Windows\System32\DRIVERS\NETwsn00.sys [10375680 2013-04-18] (Intel Corporation)
S3 O2MDFRDR; C:\Windows\system32\drivers\O2MDFw7.sys [60904 2011-01-04] (O2Micro )
R3 O2MDRRDR; C:\Windows\System32\DRIVERS\O2MDRw7.sys [62440 2011-01-04] (O2Micro )
R3 O2SDJRDR; C:\Windows\System32\DRIVERS\o2sdjw7.sys [63976 2011-03-23] (O2Micro )
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2011-07-12] (Dell Inc)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17648 2010-08-20] (ST Microelectronics)
R2 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [75600 2013-08-29] (Trend Micro Inc.)
R1 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [263072 2013-09-02] (Trend Micro Inc.)
R2 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [62704 2013-08-29] (Trend Micro Inc.)
R2 TmFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys [263968 2013-08-14] (Trend Micro Inc.)
R1 TmLwf; C:\Windows\System32\DRIVERS\tmlwf.sys [146232 2012-06-21] (Trend Micro Inc.)
R2 TmPreFilter; C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys [36128 2013-08-14] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [90448 2010-12-07] (Trend Micro Inc.)
R2 tmWfp; C:\Windows\System32\DRIVERS\tmwfp.sys [282936 2012-06-21] (Trend Micro Inc.)
R2 VSApiNt; C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys [1517600 2013-08-14] (Trend Micro Inc.)
S3 catchme; \??\C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 MFE_RR; \??\C:\Users\JSCHUL~1\AppData\Local\Temp\mfe_rr.sys [X]
U3 TrueSight; \??\C:\Windows\system32\TrueSight.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-04-15 21:57 - 2014-04-15 21:57 - 00021983 _____ () C:\Users\jschulker\Downloads\FRST.txt
2014-04-15 21:56 - 2014-04-15 21:57 - 00000000 ____D () C:\FRST
2014-04-15 21:56 - 2014-04-15 21:56 - 01042944 _____ (Farbar) C:\Users\jschulker\Downloads\FRST.exe
2014-04-15 08:43 - 2014-04-15 08:43 - 00001426 _____ () C:\Users\Public\Desktop\WZD.lnk
2014-04-15 08:43 - 2014-04-15 08:43 - 00000000 ____D () C:\WESNETzd
2014-04-15 08:43 - 2014-04-15 08:43 - 00000000 ____D () C:\Program Files\AppDeploy
2014-04-11 20:06 - 2014-04-11 20:06 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Tomabo
2014-04-11 15:54 - 2014-04-11 15:54 - 00001105 _____ () C:\Users\Administrator\Desktop\RKreport[0]_H_04112014_155407.txt
2014-04-11 15:53 - 2014-04-11 15:53 - 00054087 _____ () C:\Users\Administrator\Desktop\RKreport[0]_S_04112014_155349.txt
2014-04-11 15:49 - 2014-04-11 15:49 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Administrator\Desktop\rkill.exe
2014-04-11 15:22 - 2014-04-11 15:23 - 00050531 _____ () C:\Users\Administrator\Desktop\attach.txt
2014-04-11 15:22 - 2014-04-11 15:23 - 00016230 _____ () C:\Users\Administrator\Desktop\dds.txt
2014-04-11 15:20 - 2014-04-11 15:21 - 00688992 ____R (Swearware) C:\Users\Administrator\Desktop\dds.com
2014-04-11 15:11 - 2014-04-11 15:11 - 00018899 _____ () C:\Users\Administrator\Desktop\RKreport[0]_S_04112014_151118.txt
2014-04-11 15:11 - 2014-04-11 15:11 - 00018767 _____ () C:\Users\Administrator\Desktop\RKreport[0]_D_04112014_151131.txt
2014-04-11 15:11 - 2014-04-11 15:11 - 00001086 _____ () C:\Users\Administrator\Desktop\RKreport[0]_DN_04112014_151156.txt
2014-04-11 14:49 - 2014-04-11 15:50 - 00000000 ____D () C:\Users\Administrator\AppData\Local\CrashDumps
2014-04-11 14:47 - 2014-04-11 15:50 - 00002870 _____ () C:\Users\Administrator\Desktop\Rkill.txt
2014-04-11 14:42 - 2014-04-11 14:42 - 00031423 _____ () C:\Users\Administrator\Desktop\RKreport[0]_D_04112014_144241.txt
2014-04-11 14:40 - 2014-04-11 14:40 - 00031535 _____ () C:\Users\Administrator\Desktop\RKreport[0]_S_04112014_144021.txt
2014-04-11 14:33 - 2014-04-11 15:11 - 00000000 ____D () C:\Users\Administrator\Desktop\RK_Quarantine
2014-04-11 14:32 - 2014-04-11 14:33 - 03972608 _____ () C:\Users\Administrator\Desktop\RogueKiller.exe
2014-04-11 14:22 - 2014-04-11 14:22 - 00001453 _____ () C:\Users\Administrator\Desktop\iexplore - Shortcut.lnk
2014-04-11 14:08 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-04-11 14:08 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-04-11 14:08 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-04-11 14:08 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-04-11 14:08 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-04-11 14:08 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2014-04-11 14:08 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2014-04-11 14:08 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2014-04-11 14:07 - 2014-04-11 14:17 - 00000000 ____D () C:\Qoobox
2014-04-11 14:06 - 2014-04-11 14:16 - 00000000 ____D () C:\Windows\erdnt
2014-04-11 14:06 - 2014-04-11 14:06 - 05196025 ____R (Swearware) C:\Users\Administrator\Desktop\ComboFix.exe
2014-04-11 13:57 - 2014-04-11 13:57 - 00000000 ____S () C:\Windows\system32\hvhjzgl.axg
2014-04-11 13:46 - 2014-04-11 13:46 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2014-04-11 12:05 - 2014-04-14 20:50 - 00003664 _____ () C:\Users\jschulker\Rkill.txt
2014-04-11 11:57 - 2014-04-15 21:43 - 00000000 _____ () C:\KBSERVICE.SHUTDOWN
2014-04-11 11:40 - 2014-04-11 11:57 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-04-11 10:58 - 2014-04-11 10:58 - 00001066 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-11 10:58 - 2014-04-11 10:58 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-11 10:58 - 2014-04-11 10:58 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-11 10:58 - 2014-04-03 09:51 - 00073432 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-11 10:58 - 2014-04-03 09:51 - 00051416 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-11 10:58 - 2014-04-03 09:50 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-11 08:56 - 2014-04-11 11:26 - 04139360 _____ (Kaspersky Lab ZAO) C:\Users\jschulker\Desktop\iexplore.exe
2014-04-10 21:38 - 2014-04-14 21:07 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-04-10 17:45 - 2014-04-15 17:18 - 00000078 _____ () C:\Windows\system32\ljvpky.ldy
2014-04-10 17:42 - 2014-04-14 20:50 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-10 17:24 - 2014-04-10 17:24 - 00000064 _____ () C:\Windows\system32\dmupd.uxk
2014-04-10 17:24 - 2014-04-10 17:24 - 00000000 _____ () C:\Windows\system32\seog.qvg
2014-04-10 17:08 - 2014-04-10 17:08 - 00305834 ____S () C:\Windows\system32\twtj.lur
2014-03-31 11:03 - 2014-03-31 11:03 - 00001315 _____ () C:\Windows\IE9_main.log
2014-03-26 15:25 - 2014-04-15 21:48 - 00000000 ____D () C:\Windows\system32\dgagent
2014-03-26 15:25 - 2014-03-26 15:25 - 00428592 _____ (Trend Micro Inc.) C:\Windows\system32\ShowMsg.exe
2014-03-26 15:25 - 2014-03-26 15:25 - 00341016 _____ (Trend Micro Inc.) C:\Windows\system32\dlpexaddin.x86.dll
2014-03-26 15:25 - 2014-03-26 15:25 - 00318000 _____ (Trend Micro Inc.) C:\Windows\system32\dlphook.x86.dll
2014-03-26 15:25 - 2014-03-26 15:25 - 00140848 _____ (Trend Micro Inc.) C:\Windows\system32\ShowMix.dll
2014-03-26 15:25 - 2014-03-26 15:25 - 00075312 _____ (Trend Micro Inc.) C:\Windows\system32\RemoveWorkingDirectory.exe
2014-03-26 15:25 - 2014-03-26 15:25 - 00066336 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\sakfile.sys
2014-03-26 15:25 - 2014-03-26 15:25 - 00035104 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\dlpnetfltr.sys
2014-03-26 15:25 - 2014-03-26 15:25 - 00004432 _____ () C:\Windows\system32\ShowMsg.xml
2014-03-26 15:25 - 2014-03-26 15:25 - 00001651 _____ () C:\Windows\system32\ShowMix.xml
2014-03-26 15:25 - 2014-03-26 15:25 - 00000000 _____ () C:\Windows\system32\dsa.lic
2014-03-20 14:40 - 2014-03-20 16:04 - 00013388 _____ () C:\Users\jschulker\Desktop\One Wesco required reports.xlsx
 
==================== One Month Modified Files and Folders =======
 
2014-04-15 21:57 - 2014-04-15 21:57 - 00021983 _____ () C:\Users\jschulker\Downloads\FRST.txt
2014-04-15 21:57 - 2014-04-15 21:56 - 00000000 ____D () C:\FRST
2014-04-15 21:56 - 2014-04-15 21:56 - 01042944 _____ (Farbar) C:\Users\jschulker\Downloads\FRST.exe
2014-04-15 21:55 - 2013-09-05 10:14 - 01771124 _____ () C:\Windows\WindowsUpdate.log
2014-04-15 21:54 - 2013-09-05 11:47 - 03922228 _____ () C:\Windows\system32\TmInstall.log
2014-04-15 21:54 - 2009-07-13 23:34 - 00024064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-15 21:54 - 2009-07-13 23:34 - 00024064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-15 21:48 - 2014-03-26 15:25 - 00000000 ____D () C:\Windows\system32\dgagent
2014-04-15 21:47 - 2013-09-13 10:16 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-15 21:47 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-15 21:47 - 2009-07-13 23:39 - 00047522 _____ () C:\Windows\setupact.log
2014-04-15 21:43 - 2014-04-11 11:57 - 00000000 _____ () C:\KBSERVICE.SHUTDOWN
2014-04-15 21:38 - 2013-09-12 11:54 - 00000000 ____D () C:\Users\jschulker\Outlook Files
2014-04-15 21:35 - 2013-09-13 10:16 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-15 21:33 - 2013-09-05 11:23 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-04-15 17:18 - 2014-04-10 17:45 - 00000078 _____ () C:\Windows\system32\ljvpky.ldy
2014-04-15 15:46 - 2013-09-05 10:12 - 00001920 _____ () C:\Windows\system32\config\netlogon.ftl
2014-04-15 13:31 - 2013-09-05 11:49 - 00009943 _____ () C:\Windows\cfgall.ini
2014-04-15 08:43 - 2014-04-15 08:43 - 00001426 _____ () C:\Users\Public\Desktop\WZD.lnk
2014-04-15 08:43 - 2014-04-15 08:43 - 00000000 ____D () C:\WESNETzd
2014-04-15 08:43 - 2014-04-15 08:43 - 00000000 ____D () C:\Program Files\AppDeploy
2014-04-14 22:08 - 2013-09-05 15:01 - 00000000 ____D () C:\Users\jschulker
2014-04-14 21:07 - 2014-04-10 21:38 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-04-14 20:50 - 2014-04-11 12:05 - 00003664 _____ () C:\Users\jschulker\Rkill.txt
2014-04-14 20:50 - 2014-04-10 17:42 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-04-14 11:33 - 2011-01-17 11:07 - 00745904 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-04-11 20:06 - 2014-04-11 20:06 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Tomabo
2014-04-11 20:03 - 2013-09-05 11:23 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Adobe
2014-04-11 20:02 - 2013-09-05 11:23 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe
2014-04-11 15:54 - 2014-04-11 15:54 - 00001105 _____ () C:\Users\Administrator\Desktop\RKreport[0]_H_04112014_155407.txt
2014-04-11 15:53 - 2014-04-11 15:53 - 00054087 _____ () C:\Users\Administrator\Desktop\RKreport[0]_S_04112014_155349.txt
2014-04-11 15:50 - 2014-04-11 14:49 - 00000000 ____D () C:\Users\Administrator\AppData\Local\CrashDumps
2014-04-11 15:50 - 2014-04-11 14:47 - 00002870 _____ () C:\Users\Administrator\Desktop\Rkill.txt
2014-04-11 15:49 - 2014-04-11 15:49 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Administrator\Desktop\rkill.exe
2014-04-11 15:23 - 2014-04-11 15:22 - 00050531 _____ () C:\Users\Administrator\Desktop\attach.txt
2014-04-11 15:23 - 2014-04-11 15:22 - 00016230 _____ () C:\Users\Administrator\Desktop\dds.txt
2014-04-11 15:21 - 2014-04-11 15:20 - 00688992 ____R (Swearware) C:\Users\Administrator\Desktop\dds.com
2014-04-11 15:11 - 2014-04-11 15:11 - 00018899 _____ () C:\Users\Administrator\Desktop\RKreport[0]_S_04112014_151118.txt
2014-04-11 15:11 - 2014-04-11 15:11 - 00018767 _____ () C:\Users\Administrator\Desktop\RKreport[0]_D_04112014_151131.txt
2014-04-11 15:11 - 2014-04-11 15:11 - 00001086 _____ () C:\Users\Administrator\Desktop\RKreport[0]_DN_04112014_151156.txt
2014-04-11 15:11 - 2014-04-11 14:33 - 00000000 ____D () C:\Users\Administrator\Desktop\RK_Quarantine
2014-04-11 14:42 - 2014-04-11 14:42 - 00031423 _____ () C:\Users\Administrator\Desktop\RKreport[0]_D_04112014_144241.txt
2014-04-11 14:40 - 2014-04-11 14:40 - 00031535 _____ () C:\Users\Administrator\Desktop\RKreport[0]_S_04112014_144021.txt
2014-04-11 14:33 - 2014-04-11 14:32 - 03972608 _____ () C:\Users\Administrator\Desktop\RogueKiller.exe
2014-04-11 14:22 - 2014-04-11 14:22 - 00001453 _____ () C:\Users\Administrator\Desktop\iexplore - Shortcut.lnk
2014-04-11 14:18 - 2011-03-03 09:07 - 00090746 _____ () C:\Windows\PFRO.log
2014-04-11 14:17 - 2014-04-11 14:07 - 00000000 ____D () C:\Qoobox
2014-04-11 14:17 - 2009-07-13 21:37 - 00000000 ___RD () C:\Users\Public
2014-04-11 14:16 - 2014-04-11 14:06 - 00000000 ____D () C:\Windows\erdnt
2014-04-11 14:16 - 2009-07-13 21:04 - 00000215 _____ () C:\Windows\system.ini
2014-04-11 14:15 - 2013-09-05 10:14 - 00000000 ____D () C:\Users\Administrator
2014-04-11 14:06 - 2014-04-11 14:06 - 05196025 ____R (Swearware) C:\Users\Administrator\Desktop\ComboFix.exe
2014-04-11 13:57 - 2014-04-11 13:57 - 00000000 ____S () C:\Windows\system32\hvhjzgl.axg
2014-04-11 13:56 - 2013-09-05 11:32 - 00112376 _____ () C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2014-04-11 13:55 - 2013-09-05 11:13 - 00001419 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-04-11 13:46 - 2014-04-11 13:46 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2014-04-11 11:57 - 2014-04-11 11:40 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-04-11 11:26 - 2014-04-11 08:56 - 04139360 _____ (Kaspersky Lab ZAO) C:\Users\jschulker\Desktop\iexplore.exe
2014-04-11 10:58 - 2014-04-11 10:58 - 00001066 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-04-11 10:58 - 2014-04-11 10:58 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-04-11 10:58 - 2014-04-11 10:58 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-04-11 10:40 - 2013-09-05 15:01 - 00059742 __RSH () C:\Users\jschulker\ntuser.pol
2014-04-11 08:38 - 2011-01-20 15:03 - 00000000 ____D () C:\Program Files\Citrix
2014-04-11 07:24 - 2013-09-13 10:54 - 00000000 ____D () C:\Users\jschulker\church
2014-04-10 21:53 - 2013-10-14 16:31 - 00000000 ____D () C:\Windows\Minidump
2014-04-10 21:52 - 2014-01-10 15:30 - 00000000 ____D () C:\Users\jschulker\AppData\Local\genienext
2014-04-10 17:56 - 2013-10-23 15:28 - 00181272 _____ () C:\Windows\RegBootClean.exe
2014-04-10 17:41 - 2013-09-13 10:12 - 00000000 ____D () C:\Users\jschulker\AppData\Roaming\Malwarebytes
2014-04-10 17:24 - 2014-04-10 17:24 - 00000064 _____ () C:\Windows\system32\dmupd.uxk
2014-04-10 17:24 - 2014-04-10 17:24 - 00000000 _____ () C:\Windows\system32\seog.qvg
2014-04-10 17:08 - 2014-04-10 17:08 - 00305834 ____S () C:\Windows\system32\twtj.lur
2014-04-10 08:57 - 2013-12-02 15:39 - 00000000 ____D () C:\Users\jschulker\AppData\Local\Windows Live
2014-04-07 13:25 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-04-04 14:25 - 2013-09-12 13:59 - 00000000 ____D () C:\Users\jschulker\AppData\Local\Deployment
2014-04-03 09:51 - 2014-04-11 10:58 - 00073432 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-04-03 09:51 - 2014-04-11 10:58 - 00051416 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-04-03 09:50 - 2014-04-11 10:58 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-04-02 10:55 - 2013-09-13 11:28 - 00000000 ____D () C:\Users\jschulker\One Wesco
2014-03-31 12:30 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2014-03-31 11:11 - 2013-09-05 15:01 - 00001419 _____ () C:\Users\jschulker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-03-31 11:03 - 2014-03-31 11:03 - 00001315 _____ () C:\Windows\IE9_main.log
2014-03-31 09:00 - 2013-09-13 11:29 - 00000000 ____D () C:\Users\jschulker\Youth discipleship
2014-03-28 11:50 - 2013-09-13 11:28 - 00000000 ____D () C:\Users\jschulker\Oracle
2014-03-28 11:49 - 2013-09-12 11:03 - 00000000 ____D () C:\Users\jschulker\website
2014-03-26 15:25 - 2014-03-26 15:25 - 00428592 _____ (Trend Micro Inc.) C:\Windows\system32\ShowMsg.exe
2014-03-26 15:25 - 2014-03-26 15:25 - 00341016 _____ (Trend Micro Inc.) C:\Windows\system32\dlpexaddin.x86.dll
2014-03-26 15:25 - 2014-03-26 15:25 - 00318000 _____ (Trend Micro Inc.) C:\Windows\system32\dlphook.x86.dll
2014-03-26 15:25 - 2014-03-26 15:25 - 00140848 _____ (Trend Micro Inc.) C:\Windows\system32\ShowMix.dll
2014-03-26 15:25 - 2014-03-26 15:25 - 00075312 _____ (Trend Micro Inc.) C:\Windows\system32\RemoveWorkingDirectory.exe
2014-03-26 15:25 - 2014-03-26 15:25 - 00066336 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\sakfile.sys
2014-03-26 15:25 - 2014-03-26 15:25 - 00035104 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\dlpnetfltr.sys
2014-03-26 15:25 - 2014-03-26 15:25 - 00004432 _____ () C:\Windows\system32\ShowMsg.xml
2014-03-26 15:25 - 2014-03-26 15:25 - 00001651 _____ () C:\Windows\system32\ShowMix.xml
2014-03-26 15:25 - 2014-03-26 15:25 - 00000000 _____ () C:\Windows\system32\dsa.lic
2014-03-25 09:09 - 2013-09-13 11:10 - 00000000 ____D () C:\Users\jschulker\MD
2014-03-24 14:37 - 2013-09-12 11:02 - 00000000 ____D () C:\Users\jschulker\Desktop\New Employee Manual
2014-03-20 16:27 - 2013-09-13 11:24 - 00000000 ____D () C:\Users\jschulker\My Scans
2014-03-20 16:04 - 2014-03-20 14:40 - 00013388 _____ () C:\Users\jschulker\Desktop\One Wesco required reports.xlsx
 
Some content of TEMP:
====================
C:\Users\Administrator\AppData\Local\temp\ntdll_dump.dll
C:\Users\jschulker\AppData\Local\temp\HitmanPro.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll
[2011-03-08 11:00] - [2010-11-20 04:21] - 0380928 ____A (Microsoft Corporation) A3A2D6DFAD278BCE6A14BD91F1739206
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-04-09 09:45
 
==================== End Of Log ============================
 
 
 
And here is the search function:
 
Farbar Recovery Scan Tool (x86) Version: 14-04-2014
Ran by JSchulker at 2014-04-15 22:01:00
Running from C:\Users\jschulker\Downloads
Boot Mode: Normal
 
================== Search: "rpcss.dll" ===================
 
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll
[2011-03-08 11:00] - [2010-11-20 04:21] - 0376832 ____A (Microsoft Corporation) 7660F01D3B38ACA1747E397D21D790AF
 
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 18:45] - [2009-07-13 20:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F
 
C:\Windows\System32\rpcss.dll
[2011-03-08 11:00] - [2010-11-20 04:21] - 0380928 ____A (Microsoft Corporation) A3A2D6DFAD278BCE6A14BD91F1739206
 
=== End Of Search ===


#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 16 April 2014 - 05:52 AM

Hello pastorjames



I need you to download this script I have made for you --> Attached File: fixlist.txt (517 bytes)

It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)

Run FRST again but this time press the Fix button just once and wait.


When finished, it will make a log (fixlog.txt) next to FRST. Please copy and paste the content of this file to your reply.


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 pastorjames

pastorjames
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Local time:09:37 AM

Posted 16 April 2014 - 08:44 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 16-04-2014 01
Ran by JSchulker at 2014-04-16 08:19:02 Run:1
Running from C:\Users\jschulker\Downloads
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
Replace: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll  C:\Windows\System32\rpcss.dll
2014-04-10 17:45 - 2014-04-15 17:18 - 00000078 _____ () C:\Windows\system32\ljvpky.ldy
2014-04-10 17:24 - 2014-04-10 17:24 - 00000064 _____ () C:\Windows\system32\dmupd.uxk
2014-04-10 17:24 - 2014-04-10 17:24 - 00000000 _____ () C:\Windows\system32\seog.qvg
2014-04-10 17:08 - 2014-04-10 17:08 - 00305834 ____S () C:\Windows\system32\twtj.lur
 
 
 
 
*****************
 
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll  copied successfully to C:\Windows\System32\rpcss.dll
C:\Windows\system32\ljvpky.ldy => Moved successfully.
C:\Windows\system32\dmupd.uxk => Moved successfully.
Could not move "C:\Windows\system32\seog.qvg" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\twtj.lur" => Scheduled to move on reboot.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-04-16 08:20:45)<=
 
C:\Windows\system32\seog.qvg => Is moved successfully.
C:\Windows\system32\twtj.lur => Is moved successfully.
 
==== End of Fixlog ====


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 16 April 2014 - 11:34 AM



Hello pastorjames

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
When they are complete, let me have the two reports and let me know how things are running.

Gringo

#9 pastorjames

pastorjames
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Local time:09:37 AM

Posted 16 April 2014 - 08:55 PM

# AdwCleaner v3.023 - Report created 16/04/2014 at 17:52:44
# Updated 01/04/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : JSchulker - B7770-24785
# Running from : C:\Users\jschulker\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\Windows\system32\ARFC
Folder Deleted : C:\Windows\system32\WNLT
Folder Deleted : C:\Users\jschulker\AppData\Local\genienext
Folder Deleted : C:\Users\jschulker\AppData\Local\PackageAware
Folder Deleted : C:\Users\jschulker\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\jschulker\AppData\LocalLow\PriceGong
File Deleted : C:\Windows\system32\ImhxxpComm.dll
File Deleted : C:\Windows\System32\Tasks\SpyHunter4Startup
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B30463C6-35E2-4870-907E-956C33F2DC05}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B30463C6-35E2-4870-907E-956C33F2DC05}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3299568
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3310511
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5E6C03E0-D368-4690-8168-9848D4C0F587}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7E8A1050-CF67-4575-92DF-DCC60E7D952D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7E8A1050-CF67-4575-92DF-DCC60E7D952D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5E6C03E0-D368-4690-8168-9848D4C0F587}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DA139639-5452-4C55-AA52-6CE1D4112BED}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{364775C8-39E3-4B3D-98B8-C6CD4ED63D64}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{7E8A1050-CF67-4575-92DF-DCC60E7D952D}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{7E8A1050-CF67-4575-92DF-DCC60E7D952D}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\SweetPacks
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\SweetPacks
Key Deleted : HKLM\Software\wnlt
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
 
-\\ Google Chrome v34.0.1847.116
 
[ File : C:\Users\jschulker\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
[ File : C:\Users\jschulker\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [4311 octets] - [16/04/2014 17:01:50]
AdwCleaner[S0].txt - [4172 octets] - [16/04/2014 17:52:44]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4232 octets] ##########
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Professional x86
Ran by JSchulker on Wed 04/16/2014 at 19:55:33.35
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\jschulker\Local Settings\Application Data\cre"
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\banjjklfojcdbofbhbgiedekefohoaff
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\banjjklfojcdbofbhbgiedekefohoaff
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/16/2014 at 20:01:53.90
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:37 AM

Posted 17 April 2014 - 07:52 AM


Hello pastorjames

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following:
    • Log from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now?
Gringo

#11 pastorjames

pastorjames
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male
  • Local time:09:37 AM

Posted 17 April 2014 - 10:05 AM

Gringo,

 

So far so good.  I've had my speakers unmuted for hours without any random sounds.  Also not receiving any Trend Virus warnings and the system seems to be running quicker.

 

I hate to say success, without knocking on wood, but we may have it fixed.

 

ComboFix 14-04-12.01 - JSchulker 04/17/2014   9:50.2.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3241.1857 [GMT -5:00]
Running from: c:\users\jschulker\Downloads\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {5D349EF8-873B-C657-917F-F1D93E101A7C}
FW: Trend Micro Personal Firewall *Enabled* {49A8346C-6900-54B6-B1B3-5F678736DDE9}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {E6557F1C-A101-C9D9-ABCF-CAAB459750C1}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
 * Resident AV is active
.
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-17 to 2014-04-17  )))))))))))))))))))))))))))))))
.
.
2014-04-17 14:59 . 2014-04-17 14:59 -------- d-----w- c:\users\help\AppData\Local\temp
2014-04-17 14:59 . 2014-04-17 14:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-04-11 18:46 . 2014-04-11 18:46 -------- d-----w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2014-04-11 16:40 . 2014-04-11 16:57 -------- d-----w- c:\programdata\HitmanPro
2014-04-11 15:58 . 2014-04-03 14:51 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-11 15:58 . 2014-04-03 14:51 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-11 15:58 . 2014-04-11 15:58 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-04-11 15:58 . 2014-04-11 15:58 -------- d-----w- c:\programdata\Malwarebytes
2014-04-11 15:58 . 2014-04-03 14:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-11 02:38 . 2014-04-15 02:07 -------- d-----w- C:\TDSSKiller_Quarantine
2014-04-10 22:42 . 2014-04-15 01:50 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-03-26 20:25 . 2014-03-26 20:25 140848 ----a-w- c:\windows\system32\ShowMix.dll
2014-03-26 20:25 . 2014-03-26 20:25 66336 ----a-w- c:\windows\system32\drivers\sakfile.sys
2014-03-26 20:25 . 2014-03-26 20:25 35104 ----a-w- c:\windows\system32\drivers\dlpnetfltr.sys
2014-03-26 20:25 . 2014-03-26 20:25 341016 ----a-w- c:\windows\system32\dlpexaddin.x86.dll
2014-03-26 20:25 . 2014-03-26 20:25 318000 ----a-w- c:\windows\system32\dlphook.x86.dll
2014-03-26 20:25 . 2014-03-26 20:25 428592 ----a-w- c:\windows\system32\ShowMsg.exe
2014-03-26 20:25 . 2014-03-26 20:25 75312 ----a-w- c:\windows\system32\RemoveWorkingDirectory.exe
2014-03-26 20:25 . 2014-04-16 22:56 -------- d-----w- c:\windows\system32\dgagent
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-10 22:56 . 2013-10-23 20:28 181272 ----a-w- c:\windows\RegBootClean.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2011-12-08 14:38 121208 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2011-12-08 14:38 121208 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2013-04-29 1521360]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
.
c:\users\help\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-5-8 506904]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-5-8 506904]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-5-8 506904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2014-04-11 13:32 309080 ----a-w- c:\program files\Citrix\GoToAssist\917\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2010-09-15 15:11 1971536 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ   msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2130522478-15925988-980507067-29412\Scripts\Logon\0\0]
"Script"=\\wescodist.com\SysVol\wescodist.com\Policies\{39A50EB0-28F4-4015-A9C7-BBD2A516869C}\User\Scripts\Logon\computer_description.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2130522478-15925988-980507067-29412\Scripts\Logon\1\0]
"Script"=\\wescodist.com\NETLOGON\Login.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WESCO IM.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WESCO IM.lnk
backup=c:\windows\pss\WESCO IM.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 04:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 09:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-12-21 06:04 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALconnect]
2013-06-10 13:42 715880 ----a-w- c:\users\jschulker\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2011-01-04 21:48 488816 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 02:43 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2009-09-13 03:09 103768 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Webcam Central]
2011-12-16 19:17 462974 ------w- c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DFEPApplication]
2012-05-08 14:06 6307864 ----a-w- c:\program files\Dell\Feature Enhancement Pack\DFEPApplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2013-12-04 16:03 40304 ----a-w- c:\users\jschulker\AppData\Local\Citrix\GoToMeeting\1259\g2mstart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-03-31 01:14 177176 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 21:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-03-31 01:14 143384 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelPROSet]
2013-04-18 22:12 3444976 ----a-w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-08-16 14:07 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Download Assistant]
2012-09-20 22:02 1425208 ----a-w- c:\windows\System32\LogiLDA.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
2013-04-29 18:24 1521360 ----a-w- c:\program files\Trend Micro\OfficeScan Client\PccNTMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 05:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-03-31 01:14 178200 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScrewDrivers RDP Plugin]
2011-04-28 20:24 45384 ----a-w- c:\program files\triCerat\Simplify Printing\ScrewDrivers Client v4\install_rdp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-07-25 14:15 20681584 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2014-01-27 14:17 5625624 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2011-01-25 05:57 536668 ----a-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TdmNotify]
2011-12-08 14:37 323952 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-07-25 162672]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [x]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 DisplayLinkUsbIo;DisplayLinkUsbIo;c:\windows\system32\DRIVERS\DisplayLinkUsbIo_7.4.51572.0.sys [2013-10-08 38192]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys [2012-06-22 19984]
R3 MFE_RR;MFE_RR;c:\users\JSCHUL~1\AppData\Local\Temp\mfe_rr.sys [x]
R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\O2MDFw7.sys [2011-01-04 60904]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-17 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WvPCR;WvPCR;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [2012-01-16 145408]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2013-10-07 15664]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 17648]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 TmLwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2012-06-21 146232]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-05-23 119056]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-03 81920]
S2 AMPAgent;Dell KACE Agent;c:\program files\Dell\KACE\AMPAgent.exe [2013-02-09 2848360]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2012-02-02 1787720]
S2 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\Dell\Feature Enhancement Pack\DFEPService.exe [2012-05-08 1568792]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2013-10-07 7676720]
S2 EmbassyService;EmbassyService;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [2012-01-17 179592]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2013-08-29 62704]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2013-08-14 263968]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2013-08-14 36128]
S2 tmWfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2012-06-21 282936]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2012-01-05 1189376]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2013-04-18 2532592]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-12-13 43888]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2013-09-05 302120]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2013-09-05 33832]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2010-09-10 147360]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2013-10-07 337200]
S3 DSASvc;OfficeScan Data Protection Service;c:\windows\system32\dgagent\DSAGENT.exe [2014-03-26 4143664]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwsn00.sys [2013-04-18 10375680]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [2011-01-04 62440]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-03-23 63976]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [2011-04-15 497272]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2012-12-06 689712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ   HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-12 00:14 1077576 ----a-w- c:\program files\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-05 16:24]
.
2014-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-13 15:15]
.
2014-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-13 15:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: {{B4FECE59-6D0A-4EE6-A07F-E6A94F846E55} - res://c:\program files\Tomabo\YouTube Video Downloader\YTVD_IE.dll/300
Trusted Zone: intuit.com
Trusted Zone: wescodist.com\bas
Trusted Zone: intuit.com
Trusted Zone: wescodist.com\bas
TCP: DhcpNameServer = 10.4.44.1 10.4.44.2 207.152.233.199 207.152.236.2 207.152.233.151 207.152.233.22
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Wdf01000.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\wvauth.DLL
.
- - - - - - - > 'Explorer.exe'(7928)
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
Completion time: 2014-04-17  10:01:22
ComboFix-quarantined-files.txt  2014-04-17 15:01
.
Pre-Run: 162,165,866,496 bytes free
Post-Run: 162,191,196,160 bytes free
.
- - End Of File - - DF6224B8CE594FF0FB4E3CE5DE322C20
A36C5E4F47E84449FF07ED3517B43A31
 



#12 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 18 April 2014 - 06:24 AM


Hello pastorjames

Ok, let's see if we can find a replacement for the infected file.

Boot back into the Recovery Environment and run FRST like you did before.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

Gringo


Hello XXX

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs:
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 pastorjames (Topic Starter, Members, 13 posts)

Posted 18 April 2014 - 09:01 AM

Gringo, here are the next steps.  Computer is running great.  I worked with it all day yesterday with the sound on and no random commercials and no crazy errors or virus warnings.  You're a rock star in my book.

 

Farbar Recovery Scan Tool (x86) Version: 14-04-2014
Ran by JSchulker at 2014-04-15 22:01:00
Running from C:\Users\jschulker\Downloads
Boot Mode: Normal
 
================== Search: "rpcss.dll" ===================
 
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll
[2011-03-08 11:00] - [2010-11-20 04:21] - 0376832 ____A (Microsoft Corporation) 7660F01D3B38ACA1747E397D21D790AF
 
C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 18:45] - [2009-07-13 20:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F
 
C:\Windows\System32\rpcss.dll
[2011-03-08 11:00] - [2010-11-20 04:21] - 0380928 ____A (Microsoft Corporation) A3A2D6DFAD278BCE6A14BD91F1739206
 
=== End Of Search ===
 
 
 
 
ComboFix 14-04-17.01 - JSchulker 04/18/2014   8:47.3.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3241.1828 [GMT -5:00]
Running from: c:\users\jschulker\Downloads\ComboFix.exe
Command switches used :: c:\users\jschulker\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {5D349EF8-873B-C657-917F-F1D93E101A7C}
FW: Trend Micro Personal Firewall *Enabled* {49A8346C-6900-54B6-B1B3-5F678736DDE9}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {E6557F1C-A101-C9D9-ABCF-CAAB459750C1}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
 * Resident AV is active
.
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-18 to 2014-04-18  )))))))))))))))))))))))))))))))
.
.
2014-04-18 13:55 . 2014-04-18 13:55 -------- d-----w- c:\users\help\AppData\Local\temp
2014-04-18 13:55 . 2014-04-18 13:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-04-11 18:46 . 2014-04-11 18:46 -------- d-----w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2014-04-11 16:40 . 2014-04-11 16:57 -------- d-----w- c:\programdata\HitmanPro
2014-04-11 15:58 . 2014-04-03 14:51 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-11 15:58 . 2014-04-03 14:51 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-11 15:58 . 2014-04-11 15:58 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-04-11 15:58 . 2014-04-11 15:58 -------- d-----w- c:\programdata\Malwarebytes
2014-04-11 15:58 . 2014-04-03 14:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-11 02:38 . 2014-04-15 02:07 -------- d-----w- C:\TDSSKiller_Quarantine
2014-04-10 22:42 . 2014-04-15 01:50 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-03-26 20:25 . 2014-03-26 20:25 140848 ----a-w- c:\windows\system32\ShowMix.dll
2014-03-26 20:25 . 2014-03-26 20:25 66336 ----a-w- c:\windows\system32\drivers\sakfile.sys
2014-03-26 20:25 . 2014-03-26 20:25 35104 ----a-w- c:\windows\system32\drivers\dlpnetfltr.sys
2014-03-26 20:25 . 2014-03-26 20:25 341016 ----a-w- c:\windows\system32\dlpexaddin.x86.dll
2014-03-26 20:25 . 2014-03-26 20:25 318000 ----a-w- c:\windows\system32\dlphook.x86.dll
2014-03-26 20:25 . 2014-03-26 20:25 428592 ----a-w- c:\windows\system32\ShowMsg.exe
2014-03-26 20:25 . 2014-03-26 20:25 75312 ----a-w- c:\windows\system32\RemoveWorkingDirectory.exe
2014-03-26 20:25 . 2014-04-18 13:42 -------- d-----w- c:\windows\system32\dgagent
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-10 22:56 . 2013-10-23 20:28 181272 ----a-w- c:\windows\RegBootClean.exe
2014-03-31 14:35 . 2011-01-17 16:16 231584 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2011-12-08 14:38 121208 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2011-12-08 14:38 121208 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2013-04-29 1521360]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
.
c:\users\help\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-5-8 506904]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-5-8 506904]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-5-8 506904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2014-04-11 13:32 309080 ----a-w- c:\program files\Citrix\GoToAssist\917\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2010-09-15 15:11 1971536 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ   msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2130522478-15925988-980507067-29412\Scripts\Logon\0\0]
"Script"=\\wescodist.com\SysVol\wescodist.com\Policies\{39A50EB0-28F4-4015-A9C7-BBD2A516869C}\User\Scripts\Logon\computer_description.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2130522478-15925988-980507067-29412\Scripts\Logon\1\0]
"Script"=\\wescodist.com\NETLOGON\Login.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WESCO IM.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WESCO IM.lnk
backup=c:\windows\pss\WESCO IM.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 04:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 09:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-12-21 06:04 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALconnect]
2013-06-10 13:42 715880 ----a-w- c:\users\jschulker\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2011-01-04 21:48 488816 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 02:43 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2009-09-13 03:09 103768 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Webcam Central]
2011-12-16 19:17 462974 ------w- c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DFEPApplication]
2012-05-08 14:06 6307864 ----a-w- c:\program files\Dell\Feature Enhancement Pack\DFEPApplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2013-12-04 16:03 40304 ----a-w- c:\users\jschulker\AppData\Local\Citrix\GoToMeeting\1259\g2mstart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-03-31 01:14 177176 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 21:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-03-31 01:14 143384 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelPROSet]
2013-04-18 22:12 3444976 ----a-w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-08-16 14:07 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Download Assistant]
2012-09-20 22:02 1425208 ----a-w- c:\windows\System32\LogiLDA.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
2013-04-29 18:24 1521360 ----a-w- c:\program files\Trend Micro\OfficeScan Client\PccNTMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 05:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-03-31 01:14 178200 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScrewDrivers RDP Plugin]
2011-04-28 20:24 45384 ----a-w- c:\program files\triCerat\Simplify Printing\ScrewDrivers Client v4\install_rdp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-07-25 14:15 20681584 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2014-01-27 14:17 5625624 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2011-01-25 05:57 536668 ----a-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TdmNotify]
2011-12-08 14:37 323952 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-07-25 162672]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [x]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 DisplayLinkUsbIo;DisplayLinkUsbIo;c:\windows\system32\DRIVERS\DisplayLinkUsbIo_7.4.51572.0.sys [2013-10-08 38192]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys [2012-06-22 19984]
R3 MFE_RR;MFE_RR;c:\users\JSCHUL~1\AppData\Local\Temp\mfe_rr.sys [x]
R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\O2MDFw7.sys [2011-01-04 60904]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-17 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WvPCR;WvPCR;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [2012-01-16 145408]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2013-10-07 15664]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 17648]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 TmLwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2012-06-21 146232]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-05-23 119056]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-03 81920]
S2 AMPAgent;Dell KACE Agent;c:\program files\Dell\KACE\AMPAgent.exe [2013-02-09 2848360]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2012-02-02 1787720]
S2 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\Dell\Feature Enhancement Pack\DFEPService.exe [2012-05-08 1568792]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2013-10-07 7676720]
S2 EmbassyService;EmbassyService;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [2012-01-17 179592]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2013-08-29 62704]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2013-08-14 263968]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2013-08-14 36128]
S2 tmWfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2012-06-21 282936]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2012-01-05 1189376]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2013-04-18 2532592]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-12-13 43888]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2013-09-05 302120]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2013-09-05 33832]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2010-09-10 147360]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2013-10-07 337200]
S3 DSASvc;OfficeScan Data Protection Service;c:\windows\system32\dgagent\DSAGENT.exe [2014-03-26 4143664]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwsn00.sys [2013-04-18 10375680]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [2011-01-04 62440]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-03-23 63976]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [2011-04-15 497272]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2012-12-06 689712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ   HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-12 00:14 1077576 ----a-w- c:\program files\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-05 16:24]
.
2014-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-13 15:15]
.
2014-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-13 15:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: {{B4FECE59-6D0A-4EE6-A07F-E6A94F846E55} - res://c:\program files\Tomabo\YouTube Video Downloader\YTVD_IE.dll/300
Trusted Zone: intuit.com
Trusted Zone: wescodist.com\bas
Trusted Zone: intuit.com
Trusted Zone: wescodist.com\bas
TCP: DhcpNameServer = 10.0.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(596)
c:\windows\system32\wvauth.DLL
.
- - - - - - - > 'Explorer.exe'(5392)
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
Completion time: 2014-04-18  08:56:58
ComboFix-quarantined-files.txt  2014-04-18 13:56
ComboFix2.txt  2014-04-17 15:01
.
Pre-Run: 162,149,220,352 bytes free
Post-Run: 162,079,219,712 bytes free
.
- - End Of File - - 35DA248A452C2A7CEA4BD98740CD5759
A36C5E4F47E84449FF07ED3517B43A31
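The rpcss.dll search above is the whole point of the "find a replacement for the infected file" step in post #12: FRST lists every copy of the file, including the ones Windows keeps in the WinSxS component store, each with its size and MD5, so the live System32 copy can be compared against copies the OS installed itself. The following Python script is an added example, not from this thread and not part of Farbar's tool; it automates that comparison over the exact Search.txt lines posted above. It assumes only the Search.txt layout shown here (a path line followed by a "[created] - [modified] - size attributes (company) MD5" line) and the fact that on Windows 7 the System32 file is normally a hard link to one of the WinSxS copies, so a live copy whose hash matches none of them has been replaced on disk.

```python
"""Triage an FRST "Search:" log (Search.txt): compare the live System32 copy
of a system DLL with the copies Windows keeps in the WinSxS component store,
and pick the newest store copy as the replacement candidate."""
import re
from dataclasses import dataclass

# Sample input, copied from the Search.txt that pastorjames posted above
# (the thread's own data, not invented). Raw string so the backslashes survive.
SEARCH_TXT = r"""
================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll
[2011-03-08 11:00] - [2010-11-20 04:21] - 0376832 ____A (Microsoft Corporation) 7660F01D3B38ACA1747E397D21D790AF

C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll
[2009-07-13 18:45] - [2009-07-13 20:16] - 0376320 ____A (Microsoft Corporation) B82CD39E336973359D7C9BF911E8E84F

C:\Windows\System32\rpcss.dll
[2011-03-08 11:00] - [2010-11-20 04:21] - 0380928 ____A (Microsoft Corporation) A3A2D6DFAD278BCE6A14BD91F1739206

=== End Of Search ===
"""

# One FRST detail line: [created] - [modified] - size attributes (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attr>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Assembly version embedded in a WinSxS directory name, e.g. "_6.1.7601.17514_none_"
SXS_VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_", re.IGNORECASE)


@dataclass
class FileHit:
    path: str
    size: int
    company: str
    md5: str

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def sxs_version(self) -> tuple:
        """Version tuple from the WinSxS directory name; () for a non-store copy."""
        m = SXS_VERSION_RE.search(self.path)
        return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def parse_search_log(text: str) -> list:
    """Pair each path line with the detail line FRST prints right after it."""
    hits, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            hits.append(FileHit(pending, int(m["size"]), m["company"], m["md5"].upper()))
            pending = None
    return hits


def triage(text: str) -> dict:
    """Compare every live (non-WinSxS) copy against the component-store copies.

    On Windows 7 the System32 file is normally a hard link to one of the WinSxS
    copies, so a live copy whose MD5 matches none of them has been replaced on
    disk. Treat that as a lead to verify, not as proof of infection by itself.
    """
    hits = parse_search_log(text)
    store = sorted((h for h in hits if h.in_winsxs), key=lambda h: h.sxs_version, reverse=True)
    store_md5s = {h.md5 for h in store}
    report = {"clean": [], "suspect": [], "replacement": store[0].path if store else None}
    for live in (h for h in hits if not h.in_winsxs):
        if live.md5 in store_md5s:
            report["clean"].append(live.path)
            continue
        report["suspect"].append({
            "path": live.path,
            "md5": live.md5,
            "size": live.size,
            # How far the live file drifted from the newest store copy
            "size_delta_vs_newest_store": live.size - store[0].size if store else None,
        })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SEARCH_TXT), indent=2))
```

On this input the System32 copy is the only live copy and its MD5 matches neither store copy; it is also exactly 4096 bytes larger than the 6.1.7601.17514 store copy that carries the same timestamps, which is why a helper would treat it as the file to replace and the newest WinSxS copy as the source. A hash mismatch is a lead, not a verdict: confirm with an Authenticode check of the live file (Sysinternals sigcheck run from the recovery environment works) before copying over it, and do the copy only from the Recovery Environment, as post #12 directs, because rpcss.dll is in use while Windows is running.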
 


#14 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 18 April 2014 - 02:44 PM


Hello pastorjames

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs:
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo

#15 pastorjames (Topic Starter, Members, 13 posts)

Posted 19 April 2014 - 11:37 AM

Hello Gringo.  Still no further issues found.

 

ComboFix 14-04-17.01 - JSchulker 04/19/2014  11:25:13.4.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3241.1990 [GMT -5:00]
Running from: c:\users\jschulker\Downloads\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {5D349EF8-873B-C657-917F-F1D93E101A7C}
FW: Trend Micro Personal Firewall *Enabled* {49A8346C-6900-54B6-B1B3-5F678736DDE9}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {E6557F1C-A101-C9D9-ABCF-CAAB459750C1}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
 * Resident AV is active
.
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-19 to 2014-04-19  )))))))))))))))))))))))))))))))
.
.
2014-04-19 16:33 . 2014-04-19 16:33 -------- d-----w- c:\users\help\AppData\Local\temp
2014-04-19 16:33 . 2014-04-19 16:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-04-19 16:33 . 2014-04-19 16:33 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2014-04-18 14:10 . 2014-04-18 14:10 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{87927071-0FF8-4576-AB72-5AF486E2147B}\offreg.dll
2014-04-17 17:10 . 2014-03-20 13:52 7969936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{87927071-0FF8-4576-AB72-5AF486E2147B}\mpengine.dll
2014-04-17 00:55 . 2014-04-17 00:55 -------- d-----w- c:\windows\ERUNT
2014-04-16 22:00 . 2014-04-16 22:52 -------- d-----w- C:\AdwCleaner
2014-04-16 03:29 . 2014-04-16 03:29 -------- d-----w- c:\users\jschulker\Adobe
2014-04-16 02:56 . 2014-04-18 16:34 -------- d-----w- C:\FRST
2014-04-15 13:43 . 2014-04-15 13:43 -------- d-----w- c:\program files\AppDeploy
2014-04-15 13:43 . 2014-04-15 13:43 -------- d-----w- C:\WESNETzd
2014-04-12 01:06 . 2014-04-12 01:06 -------- d-----w- c:\users\Administrator\AppData\Roaming\Tomabo
2014-04-11 23:55 . 2014-04-11 23:55 -------- d-----w- c:\users\Administrator\AppData\Roaming\HPAppData
2014-04-11 19:49 . 2014-04-11 20:50 -------- d-----w- c:\users\Administrator\AppData\Local\CrashDumps
2014-04-11 19:17 . 2014-04-19 16:33 -------- d-----w- c:\users\jschulker\AppData\Local\temp
2014-04-11 18:46 . 2014-04-11 18:46 -------- d-----w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2014-04-11 16:40 . 2014-04-11 16:57 -------- d-----w- c:\programdata\HitmanPro
2014-04-11 15:58 . 2014-04-03 14:51 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-11 15:58 . 2014-04-03 14:51 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-11 15:58 . 2014-04-11 15:58 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-04-11 15:58 . 2014-04-11 15:58 -------- d-----w- c:\programdata\Malwarebytes
2014-04-11 15:58 . 2014-04-03 14:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-11 02:38 . 2014-04-15 02:07 -------- d-----w- C:\TDSSKiller_Quarantine
2014-04-10 22:42 . 2014-04-15 01:50 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-03-26 20:25 . 2014-03-26 20:25 140848 ----a-w- c:\windows\system32\ShowMix.dll
2014-03-26 20:25 . 2014-03-26 20:25 66336 ----a-w- c:\windows\system32\drivers\sakfile.sys
2014-03-26 20:25 . 2014-03-26 20:25 35104 ----a-w- c:\windows\system32\drivers\dlpnetfltr.sys
2014-03-26 20:25 . 2014-03-26 20:25 341016 ----a-w- c:\windows\system32\dlpexaddin.x86.dll
2014-03-26 20:25 . 2014-03-26 20:25 318000 ----a-w- c:\windows\system32\dlphook.x86.dll
2014-03-26 20:25 . 2014-03-26 20:25 428592 ----a-w- c:\windows\system32\ShowMsg.exe
2014-03-26 20:25 . 2014-03-26 20:25 75312 ----a-w- c:\windows\system32\RemoveWorkingDirectory.exe
2014-03-26 20:25 . 2014-04-18 13:42 -------- d-----w- c:\windows\system32\dgagent
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-10 22:56 . 2013-10-23 20:28 181272 ----a-w- c:\windows\RegBootClean.exe
2014-03-31 14:35 . 2011-01-17 16:16 231584 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2011-12-08 14:38 121208 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2011-12-08 14:38 121208 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2013-04-29 1521360]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
.
c:\users\help\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-5-8 506904]
.
c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-5-8 506904]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-5-8 506904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableVirtualization"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2014-04-11 13:32 309080 ----a-w- c:\program files\Citrix\GoToAssist\917\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\spba]
2010-09-15 15:11 1971536 ----a-w- c:\program files\Common Files\SPBA\homefus2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ   msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2130522478-15925988-980507067-29412\Scripts\Logon\0\0]
"Script"=\\wescodist.com\SysVol\wescodist.com\Policies\{39A50EB0-28F4-4015-A9C7-BBD2A516869C}\User\Scripts\Logon\computer_description.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2130522478-15925988-980507067-29412\Scripts\Logon\1\0]
"Script"=\\wescodist.com\NETLOGON\Login.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WESCO IM.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WESCO IM.lnk
backup=c:\windows\pss\WESCO IM.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 04:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 09:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-12-21 06:04 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALconnect]
2013-06-10 13:42 715880 ----a-w- c:\users\jschulker\AppData\Roaming\DirectLife\ALconnect\ALconnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2011-01-04 21:48 488816 ----a-w- c:\program files\DellTPad\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 02:43 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 18:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConnectionCenter]
2009-09-13 03:09 103768 ----a-w- c:\program files\Citrix\ICA Client\concentr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Webcam Central]
2011-12-16 19:17 462974 ------w- c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DFEPApplication]
2012-05-08 14:06 6307864 ----a-w- c:\program files\Dell\Feature Enhancement Pack\DFEPApplication.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2013-12-04 16:03 40304 ----a-w- c:\users\jschulker\AppData\Local\Citrix\GoToMeeting\1259\g2mstart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2011-03-31 01:14 177176 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 21:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2011-03-31 01:14 143384 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelPROSet]
2013-04-18 22:12 3444976 ----a-w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2013-08-16 14:07 152392 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Download Assistant]
2012-09-20 22:02 1425208 ----a-w- c:\windows\System32\LogiLDA.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeScanNT Monitor]
2013-04-29 18:24 1521360 ----a-w- c:\program files\Trend Micro\OfficeScan Client\PccNTMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-22 05:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2011-03-31 01:14 178200 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ScrewDrivers RDP Plugin]
2011-04-28 20:24 45384 ----a-w- c:\program files\triCerat\Simplify Printing\ScrewDrivers Client v4\install_rdp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-07-25 14:15 20681584 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2014-01-27 14:17 5625624 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysTrayApp]
2011-01-25 05:57 536668 ----a-w- c:\program files\IDT\WDM\sttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TdmNotify]
2011-12-08 14:37 323952 ----a-w- c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-07-25 162672]
R2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [x]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 DisplayLinkUsbIo;DisplayLinkUsbIo;c:\windows\system32\DRIVERS\DisplayLinkUsbIo_7.4.51572.0.sys [2013-10-08 38192]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys [2012-06-22 19984]
R3 MFE_RR;MFE_RR;c:\users\JSCHUL~1\AppData\Local\Temp\mfe_rr.sys [x]
R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\O2MDFw7.sys [2011-01-04 60904]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-01-17 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WvPCR;WvPCR;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Common\WvPCR.exe [2012-01-16 145408]
S0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2013-10-07 15664]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2010-08-20 17648]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2009-09-08 65584]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 TmLwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2012-06-21 146232]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2013-05-23 119056]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-03 81920]
S2 AMPAgent;Dell KACE Agent;c:\program files\Dell\KACE\AMPAgent.exe [2013-02-09 2848360]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2012-02-02 1787720]
S2 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\Dell\Feature Enhancement Pack\DFEPService.exe [2012-05-08 1568792]
S2 DisplayLinkService;DisplayLinkManager;c:\program files\DisplayLink Core Software\DisplayLinkManager.exe [2013-10-07 7676720]
S2 EmbassyService;EmbassyService;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\EMBASSY Client Core\EmbassyServer.exe [2012-01-17 179592]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2013-08-29 62704]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [2013-08-14 263968]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\TmPreFlt.sys [2013-08-14 36128]
S2 tmWfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2012-06-21 282936]
S2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [2012-01-05 1189376]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2013-04-18 2532592]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-12-13 43888]
S3 BTWAMPFL;BTWAMPFL;c:\windows\system32\DRIVERS\btwampfl.sys [2013-09-05 302120]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2013-09-05 33832]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2010-09-10 147360]
S3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2013-10-07 337200]
S3 DSASvc;OfficeScan Data Protection Service;c:\windows\system32\dgagent\DSAGENT.exe [2014-03-26 4143664]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-10-15 269824]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-19 41088]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwsn00.sys [2013-04-18 10375680]
S3 O2MDRRDR;O2MDRRDR;c:\windows\system32\DRIVERS\O2MDRw7.sys [2011-01-04 62440]
S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7.sys [2011-03-23 63976]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [2011-04-15 497272]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2012-12-06 689712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ   HPSLPSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-12 00:14 1077576 ----a-w- c:\program files\Google\Chrome\Application\34.0.1847.116\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-09-05 16:24]
.
2014-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-13 15:15]
.
2014-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-09-13 15:15]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: {{B4FECE59-6D0A-4EE6-A07F-E6A94F846E55} - res://c:\program files\Tomabo\YouTube Video Downloader\YTVD_IE.dll/300
Trusted Zone: intuit.com
Trusted Zone: wescodist.com\bas
Trusted Zone: intuit.com
Trusted Zone: wescodist.com\bas
TCP: DhcpNameServer = 10.0.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(596)
c:\windows\system32\wvauth.DLL
.
- - - - - - - > 'Explorer.exe'(7136)
c:\program files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll
.
Completion time: 2014-04-19  11:34:53
ComboFix-quarantined-files.txt  2014-04-19 16:34
ComboFix2.txt  2014-04-18 13:56
ComboFix3.txt  2014-04-17 15:01
.
Pre-Run: 162,014,392,320 bytes free
Post-Run: 161,987,080,192 bytes free
.
- - End Of File - - E37E18DE1833E42F49D0033FCC731CBD
A36C5E4F47E84449FF07ED3517B43A31