
Proxy Redirect / Possible Zero Access


  • This topic is locked
15 replies to this topic

#1 Nicksdad


  • Members
  • 40 posts

Posted 10 May 2014 - 05:02 PM

Started with something redirecting my proxy server to http://127.0.0.1:14242

 

http://gnj.tooldiv.net/sd/dw32.html?u=http%3A%2F%2Fgnj.tooldiv.net.....

 

This has stopped after I ran rkill and reset IE settings, but my computer showed possible signs of a ZeroAccess infection. It now boots very slowly and I get a message that my C:\ Recycle Bin is corrupt. Seems otherwise sluggish compared to before.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16438  BrowserJavaVersion: 10.55.2
Run by AITTCalandra at 17:31:30 on 2014-05-10
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.3969.1977 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k NetworkService
c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\windows\SysWOW64\atashost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Notes\nsd.exe
C:\Program Files (x86)\Atlas Copco\MTCom\MTComSvc.exe
C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe
C:\windows\system32\o2flash.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\windows\system32\svchost.exe -k imgsvc
c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Altiris\Dagent\dagent.exe
C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
C:\Program Files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k bthsvcs
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files\Altiris\Dagent\dagentui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe
C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\ScanToPCActivationApp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\Atlas Copco\MTCom\MTComMonitor.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\windows\system32\RunDll32.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\HPNetworkCommunicatorCom.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\Altiris\Altiris Agent\x86\AeXAgentUIHostSurrogate32.exe
C:\windows\system32\wbem\WmiApSrv.exe
C:\windows\SysWOW64\RunDll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\Macromed\Flash\FlashUtil64_13_0_0_206_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = Preserve
uDefault_Page_URL = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll
uRun: [HP Photosmart Plus B210 series (NET)] "C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN09U2M7TF05J9:NW" -scfn "HP Photosmart Plus B210 series (NET)" -AutoStart 1
uRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [ccApp] "c:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
mRun: [USB3MON] "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun: [IMSS] "C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\AITTCA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MONITO~1.LNK - C:\windows\System32\RunDll32.exe
StartupFolder: C:\Users\AITTCA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SMARTS~1.LNK - C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MTCOMM~1.LNK - C:\Program Files (x86)\Atlas Copco\MTCom\MTComMonitor.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: repliweb
Trusted Zone: webex.com
DPF: {13AEBFDE-CA17-4423-AADE-59BD76C7BDA7} - hxxps://repliweb/repliweb-mft/upload/activex_packager.ocx
DPF: {88448E4B-4286-401F-BB90-A1765E8B104C} - hxxps://repliweb/repliweb-mft/LiteCopy/lc_client_activex.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.13.0.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{32873B15-0AE8-4C1C-A3F1-64DD167AB8DF} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{32873B15-0AE8-4C1C-A3F1-64DD167AB8DF}\1434130303 : DHCPNameServer = 10.128.30.115 10.128.40.115 10.193.8.28
TCP: Interfaces\{32873B15-0AE8-4C1C-A3F1-64DD167AB8DF}\24C4B402F46666963656 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{32873B15-0AE8-4C1C-A3F1-64DD167AB8DF}\341627E6966716C6D275966496 : DHCPNameServer = 10.26.255.241
TCP: Interfaces\{32873B15-0AE8-4C1C-A3F1-64DD167AB8DF}\34F657274797162746 : DHCPNameServer = 10.71.0.1
TCP: Interfaces\{32873B15-0AE8-4C1C-A3F1-64DD167AB8DF}\64169627669656C646F57455543545 : DHCPNameServer = 8.8.8.8 208.67.222.222
TCP: Interfaces\{32873B15-0AE8-4C1C-A3F1-64DD167AB8DF}\84F6C6964616970294E6E6025487072756373702D416E636865637475627 : DHCPNameServer = 192.168.6.1
TCP: Interfaces\{3FD6F94F-6F61-4B51-8C6C-FFE2DF22A582} : DHCPNameServer = 10.128.30.115 10.128.40.115
TCP: Interfaces\{AF473A4B-2C5E-4F94-90A7-50F191764E67} : DHCPNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{F551BC1C-97CA-4CFD-AC60-7DCF1E8CAC1B} : DHCPNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{F551BC1C-97CA-4CFD-AC60-7DCF1E8CAC1B}\1434130303 : DHCPNameServer = 10.128.30.115 10.128.40.115 10.193.8.28
TCP: Interfaces\{F551BC1C-97CA-4CFD-AC60-7DCF1E8CAC1B}\24C4B402F46666963656 : DHCPNameServer = 68.87.71.226 68.87.73.242 192.168.1.1
TCP: Interfaces\{F551BC1C-97CA-4CFD-AC60-7DCF1E8CAC1B}\4656661657C647 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{F551BC1C-97CA-4CFD-AC60-7DCF1E8CAC1B}\8484F6E6F62737632303 : DHCPNameServer = 10.61.32.1 1.1.1.1
TCP: Interfaces\{F551BC1C-97CA-4CFD-AC60-7DCF1E8CAC1B}\84F6D65677F6F646 : DHCPNameServer = 208.67.222.222 12.127.16.68 8.8.4.4
TCP: Interfaces\{F551BC1C-97CA-4CFD-AC60-7DCF1E8CAC1B}\D416272796F64747F57457563747 : DHCPNameServer = 8.8.8.8 4.2.2.2
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Notify: PCANotify - PCANotify.dll
Notify: SDWinLogon - SDWinLogon.dll
AppInit_DLLs= C:\WINDOWS\SYSWOW64\NVINIT.DLL AMINIT32.DLL, C:\WINDOWS\SYSWOW64\NVINIT.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
LSA: Notification Packages =  scecli C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
mASetup: {164EB883-354E-4290-AD76-67CEE65403A3} - msiexec.exe /fu {164EB883-354E-4290-AD76-67CEE65403A3} /qb!
mASetup: {FF507D54-6417-47B3-8FC7-773BACD2691B} - C:\windows\SysWOW64\msiexec.exe /fu {FF507D54-6417-47B3-8FC7-773BACD2691B} /q
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [DagentUI] C:\Program Files\Altiris\Dagent\dagentui.exe
x64-Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [IgfxTray] C:\windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\windows\System32\igfxpers.exe
x64-Run: [DFEPApplication] C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
x64-DPF: {CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\AITTCalandra\AppData\Roaming\Mozilla\Firefox\Profiles\gfltf139.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-yff23&p=
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\windows\System32\drivers\iusb3hcs.sys [2013-3-28 20024]
R0 nvpciflt;nvpciflt;C:\windows\System32\drivers\nvpciflt.sys [2013-1-11 28992]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;C:\windows\System32\drivers\stdcfltn.sys [2011-11-8 22128]
R1 FSLX;FSLX;C:\windows\System32\drivers\fslx.sys [2011-3-10 416416]
R1 nvkflt;nvkflt;C:\windows\System32\drivers\nvkflt.sys [2013-1-11 249152]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 Altiris Deployment Agent;Altiris Deployment Agent;C:\Program Files\Altiris\Dagent\dagent.exe [2010-3-22 1960784]
R2 atashost;WebEx Service Host for Support Center;C:\Windows\SysWOW64\atashost.exe [2012-10-19 134456]
R2 DFEPService;Dell Feature Enhancement Pack Service;C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [2012-8-15 2280504]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-6-19 634632]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-3-28 166720]
R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;C:\Notes\nsd.exe -svcinvoke -ini "C:\Notes\notes.ini" --> C:\Notes\nsd.exe -svcinvoke -ini C:\Notes\notes.ini [?]
R2 MTCom;MTCom;C:\Program Files (x86)\Atlas Copco\MTCom\MTComSvc.exe [2013-6-25 175616]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe [2011-9-23 45592]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-9-15 1817560]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-9-15 1033688]
R2 Symantec AntiVirus;Symantec Endpoint Protection;C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2010-9-30 1832072]
R2 TracSrvWrapper;Check Point Endpoint Security VPN;C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe [2011-3-6 4298256]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-3-28 365376]
R3 AeXAgentSrvHost;AeXAgentSrvHost;C:\Program Files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe [2013-1-3 332624]
R3 bcbtums;Bluetooth RAM Firmware Download USB Filter;C:\windows\System32\drivers\bcbtums.sys [2013-1-14 134696]
R3 Blackberry Device Manager;Blackberry Device Manager;C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [2013-1-18 577536]
R3 btwampfl;btwampfl Bluetooth filter driver;C:\windows\System32\drivers\btwampfl.sys [2013-1-14 615976]
R3 btwl2cap;Bluetooth L2CAP Service;C:\windows\System32\drivers\btwl2cap.sys [2013-1-14 39976]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2013-11-21 137648]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;C:\windows\System32\drivers\iusb3hub.sys [2013-3-28 358456]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;C:\windows\System32\drivers\iusb3xhc.sys [2013-3-28 791608]
R3 O2SDJRDR;O2SDJRDR;C:\windows\System32\drivers\o2sdjw7x64.sys [2011-11-14 84712]
R3 ST_ACCEL;STMicroelectronics Accelerometer Service;C:\windows\System32\drivers\ST_ACCEL.sys [2013-1-11 68208]
R3 vna_ap;Check Point Virtual Network Adapter - Apollo;C:\windows\System32\drivers\vnaap.sys [2011-3-6 161256]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 Acceler;Accelerometer Service;C:\windows\System32\drivers\accelern.sys [2011-11-8 27760]
S3 AltirisAgentProvider;AltirisAgentProvider;C:\Program Files\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe [2013-1-3 408912]
S3 ConfigService;Altiris Deployment Solution - System Configuration;C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\Agent\ConfigService.exe [2013-8-12 262144]
S3 cvusbdrv;Dell ControlVault;C:\windows\System32\drivers\cvusbdrv.sys [2011-11-8 38440]
S3 dmvsc;dmvsc;C:\windows\System32\drivers\dmvsc.sys [2010-11-21 71168]
S3 Impcd;Impcd;C:\windows\System32\drivers\Impcd.sys [2011-11-8 158976]
S3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2011-11-8 317440]
S3 O2MDFRDR;O2MDFRDR;C:\windows\System32\drivers\o2mdfw7x64.sys [2011-11-8 72808]
S3 O2MDRRDR;O2MDRRDR;C:\windows\System32\drivers\O2MDRw7x64.sys [2011-11-8 74984]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\System32\drivers\rdpvideominiport.sys [2010-11-20 20992]
S3 StorSvc;Storage Service;C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;C:\windows\System32\drivers\Synth3dVsc.sys [2010-11-21 88960]
S3 tcm;tcm;C:\windows\System32\drivers\tcm.sys [2011-11-8 17048]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\windows\System32\drivers\terminpt.sys [2010-11-21 34816]
S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 tsusbhub;Remote Deskotop USB Hub;C:\windows\System32\drivers\tsusbhub.sys [2010-11-21 117248]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2011-7-8 1255736]
.
=============== Created Last 30 ================
.
2014-05-08 11:25:37 27256 ----a-w- C:\windows\System32\drivers\FixZeroAccess.sys
2014-05-08 02:01:19 536576 ----a-w- C:\windows\SysWow64\sqlite3.dll
2014-05-08 02:00:29 -------- d-----w- C:\AdwCleaner
2014-05-07 15:22:21 -------- d-----w- C:\NPE
2014-05-06 06:15:17 -------- d-----w- C:\Program Files\CCleaner
2014-04-26 03:03:31 624128 ----a-w- C:\windows\System32\qedit.dll
2014-04-26 03:03:31 509440 ----a-w- C:\windows\SysWow64\qedit.dll
2014-04-26 03:00:39 3156480 ----a-w- C:\windows\System32\win32k.sys
2014-04-25 21:40:45 96168 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-04-21 01:13:13 73728 ----a-r- C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2014-04-21 01:13:13 73728 ----a-r- C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2014-04-21 01:13:13 73728 ----a-r- C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2014-04-21 01:13:10 -------- d-----w- C:\Program Files (x86)\Sophos
2014-04-15 14:07:19 -------- d-----w- C:\TaxACT
2014-04-13 02:18:59 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2014-04-13 02:18:59 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2014-04-13 02:18:59 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2014-04-13 02:18:59 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2014-04-13 02:18:59 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
.
==================== Find3M  ====================
.
2014-05-05 22:59:56 70832 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-05 22:59:56 692400 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 17:31:47.40 ===============

Edited by Nicksdad, 10 May 2014 - 06:10 PM.




#2 RPMcMurphy


    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 11 May 2014 - 09:42 AM

Hello and welcome. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 Nicksdad

  • Topic Starter

  • Members
  • 40 posts

Posted 11 May 2014 - 10:47 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-05-2014
Ran by AITTCalandra (administrator) on AITLUS0625 on 11-05-2014 11:40:17
Running from C:\Users\AITTCalandra\Desktop
Platform: Windows 7 Enterprise Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe
(Symantec Corporation) C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(IBM) C:\Notes\nsd.exe
(Atlas Copco Tools AB) C:\Program Files (x86)\Atlas Copco\MTCom\MTComSvc.exe
(NTI Corporation) C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe
(O2Micro International) C:\Windows\System32\o2flash.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
(Check Point Software Technologies) C:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Altiris, Inc.) C:\Program Files\Altiris\Dagent\dagent.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
(Symantec Corporation) C:\Program Files\Altiris\Altiris Agent\x86\AeXAgentUIHostSurrogate32.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
(Altiris, Inc.) C:\Program Files\Altiris\Dagent\dagentui.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\ScanToPCActivationApp.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Atlas Copco Tools AB) C:\Program Files (x86)\Atlas Copco\MTCom\MTComMonitor.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Symantec Corporation) C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\HPNetworkCommunicatorCom.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\HPNetworkCommunicator.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_13_0_0_206_ActiveX.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe

==================== Registry (Whitelisted) ==================
HKLM\...\Run: [DagentUI] => C:\Program Files\Altiris\Dagent\dagentui.exe [847184 2010-03-22] (Altiris, Inc.)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [611192 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-02-13] (IDT, Inc.)
HKLM\...\Run: [DFEPApplication] => C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe [7077432 2012-08-15] (Dell Inc.)
HKLM-x32\...\Run: [ccApp] => c:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe [115560 2010-09-30] (Symantec Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [290688 2012-10-25] (Intel Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [267792 2013-01-17] (Research In Motion Limited)
HKLM-x32\...\Run: [IMSS] => C:\Program Files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe [133440 2012-07-19] (Intel Corporation)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\PCANotify-x32: PCANotify.dll [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$b81e386b92ffe1e1235e942f7d78f505\n. ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-278118735-2729461451-4031961895-15118\...\Run: [HP Photosmart Plus B210 series (NET)] => C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-278118735-2729461451-4031961895-15118\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKU\S-1-5-21-278118735-2729461451-4031961895-15118\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-278118735-2729461451-4031961895-15118\...\MountPoints2: D - D:\ScanSnap.exe
HKU\S-1-5-21-278118735-2729461451-4031961895-15118\...\MountPoints2: E - E:\LaunchU3.exe -a
HKU\S-1-5-21-278118735-2729461451-4031961895-15118\...\MountPoints2: {922a89d9-d9b7-11e2-800c-20689d62923c} - E:\LaunchU3.exe -a
HKU\S-1-5-21-278118735-2729461451-4031961895-15118\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-278118735-2729461451-4031961895-15118\$b81e386b92ffe1e1235e942f7d78f505\n. ATTENTION! ====> ZeroAccess?
AppInit_DLLs: AMINIT64.DLL => C:\windows\system32\AMINIT64.DLL [74576 2013-09-09] (Altiris Inc)
AppInit_DLLs: ,C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [260416 2012-02-21] (NVIDIA Corporation)
AppInit_DLLs:  AMINIT64.DLL => C:\windows\system32\AMINIT64.DLL [74576 2013-09-09] (Altiris Inc)
AppInit_DLLs-x32: C:\WINDOWS\SYSWOW64\NVINIT.DLL => C:\WINDOWS\SYSWOW64\NVINIT.DLL [214848 2012-02-21] (NVIDIA Corporation)
AppInit_DLLs-x32:  AMINIT32.DLL => "AMINIT32.DLL" File Not Found
AppInit_DLLs-x32: , C:\WINDOWS\SYSWOW64\NVINIT.DLL => C:\WINDOWS\SYSWOW64\NVINIT.DLL [214848 2012-02-21] (NVIDIA Corporation)
Lsa: [Notification Packages] scecli C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Photosmart Plus B210 series (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Photosmart Plus B210 series (Network).lnk -> C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\MTCom Monitor.lnk
ShortcutTarget: MTCom Monitor.lnk -> C:\Program Files (x86)\Atlas Copco\MTCom\MTComMonitor.exe (Atlas Copco Tools AB)
Startup: C:\Users\Asap Help\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Dell Inc.)
==================== Internet (Whitelisted) ====================
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
SearchScopes: HKLM - DefaultScope value is missing.
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {13AEBFDE-CA17-4423-AADE-59BD76C7BDA7} https://repliweb/repliweb-mft/upload/activex_packager.ocx
DPF: HKLM-x32 {88448E4B-4286-401F-BB90-A1765E8B104C} https://repliweb/repliweb-mft/LiteCopy/lc_client_activex.ocx
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.13.0.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
FireFox:
========
FF ProfilePath: C:\Users\AITTCalandra\AppData\Roaming\Mozilla\Firefox\Profiles\gfltf139.default
FF SelectedSearchEngine: Yahoo
FF Keyword.URL: hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-yff23&p=
FF Plugin: @adobe.com/FlashPlayer - C:\windows\system32\Macromed\Flash\NPSWF64_11_7_700_169.dll ()
FF Plugin: @java.com/DTPlugin,version=10.11.2 - C:\windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKCU\...\Firefox\Extensions: [{625F4D6B-2734-2C68-62F2-2F6BC372DCA2}] - C:\Program Files (x86)\ViewPassword-soft\161.xpi
Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com"
CHR Extension: (Google Drive) - C:\Users\AITTCalandra\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-01-01]
CHR Extension: (YouTube) - C:\Users\AITTCalandra\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-01-01]
CHR Extension: (Google Search) - C:\Users\AITTCalandra\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-01-01]
CHR Extension: (Gmail) - C:\Users\AITTCalandra\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-01-01]
==================== Services (Whitelisted) =================
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [140672 2012-07-11] (SUPERAntiSpyware.com)
R3 AeXAgentSrvHost; C:\Program Files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe [332624 2013-12-06] (Symantec Corporation)
R2 AeXNSClient; C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe [2172240 2013-12-06] (Symantec Corporation)
R2 Altiris Deployment Agent; C:\Program Files\Altiris\Dagent\dagent.exe [1960784 2010-03-22] (Altiris, Inc.)
S3 AltirisAgentProvider; C:\Program Files\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe [408912 2013-12-06] (Symantec Corporation)
S3 awhost32; C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe [136568 2009-02-10] (Symantec Corporation)
R3 Blackberry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [577536 2013-01-18] (Research In Motion Limited)
R2 ccEvtMgr; c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2010-09-30] (Symantec Corporation)
R2 ccSetMgr; c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe [108392 2010-09-30] (Symantec Corporation)
S3 ConfigService; C:\Program Files\Altiris\Altiris Agent\Agents\Deployment\Agent\ConfigService.exe [262144 2013-08-12] ()
S3 Cwbrxd; C:\windows\cwbrxd.exe [94208 2009-12-08] (IBM Corporation)
R2 DFEPService; C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [2280504 2012-08-15] (Dell Inc.)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-07-19] (Intel Corporation)
S3 LiveUpdate; C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE [3093880 2010-02-17] (Symantec Corporation)
R2 Lotus Notes Diagnostics; C:\Notes\nsd.exe [3315080 2008-12-06] (IBM)
R2 MTCom; C:\Program Files (x86)\Atlas Copco\MTCom\MTComSvc.exe [175616 2013-06-25] (Atlas Copco Tools AB)
R2 NTI BackupNowEZSvr; C:\Program Files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe [45592 2011-09-23] (NTI Corporation)
R2 O2FLASH; C:\Windows\system32\o2flash.exe [244328 2011-11-16] (O2Micro International)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1817560 2013-05-16] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1033688 2013-05-16] (Safer-Networking Ltd.)
R2 SmcService; c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe [3234848 2010-09-30] (Symantec Corporation)
S4 SNAC; c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE [425800 2010-09-30] (Symantec Corporation)
R2 Symantec AntiVirus; c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1832072 2010-09-30] (Symantec Corporation)
R2 TracSrvWrapper; c:\Program Files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe [4298256 2011-03-06] (Check Point Software Technologies)
S2 Multi-user Cleanup Service; C:\Notes\ntmulti.exe [X]
==================== Drivers (Whitelisted) ====================
R1 awecho; C:\Windows\SysWow64\drivers\awechomd.sys [16432 2009-12-02] (Symantec Corporation)
R1 AW_HOST; C:\Windows\SysWow64\drivers\aw_host5.sys [23864 2007-03-30] (Symantec Corporation)
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [134696 2013-01-14] (Broadcom Corporation.)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-11-20] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [137648 2013-11-20] (Symantec Corporation)
R1 FSLX; C:\Windows\System32\drivers\fslx.sys [416416 2011-03-10] (Symantec Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Definitions\VirusDefs\20140510.001\eng64.sys [126040 2014-04-22] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Definitions\VirusDefs\20140510.001\ex64.sys [2099288 2014-04-22] (Symantec Corporation)
R1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [249152 2012-02-21] (NVIDIA Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [78336 2013-01-03] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SRTSP; C:\Windows\System32\Drivers\SRTSP64.SYS [447536 2010-09-30] (Symantec Corporation)
R1 SRTSP; C:\Windows\SysWOW64\Drivers\SRTSP64.SYS [447536 2010-09-30] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL64.SYS [482352 2010-09-30] (Symantec Corporation)
S3 SRTSPL; C:\Windows\SysWOW64\Drivers\SRTSPL64.SYS [482352 2010-09-30] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX64.SYS [32304 2010-09-30] (Symantec Corporation)
R1 SRTSPX; C:\Windows\SysWOW64\Drivers\SRTSPX64.SYS [32304 2010-09-30] (Symantec Corporation)
R3 ST_ACCEL; C:\Windows\System32\DRIVERS\ST_ACCEL.sys [68208 2011-11-04] (STMicroelectronics)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [173616 2012-01-17] (Symantec Corporation)
S3 tcm; C:\Windows\system32\drivers\tcm.sys [17048 2009-04-17] ()
R3 vna_ap; C:\Windows\System32\DRIVERS\vnaap.sys [161256 2011-03-06] (Check Point Software Technologies)
R1 vsdatant; C:\Windows\System32\DRIVERS\vsdatant.sys [444976 2011-03-01] (Check Point Software Technologies Ltd.)
S3 DisplayLinkUsbPort; system32\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========
2014-05-11 11:40 - 2014-05-11 11:40 - 00021500 _____ () C:\Users\AITTCalandra\Desktop\FRST.txt
2014-05-11 11:40 - 2014-05-11 11:40 - 00000000 ____D () C:\FRST
2014-05-11 11:39 - 2014-05-11 11:39 - 02066432 _____ (Farbar) C:\Users\AITTCalandra\Desktop\FRST64.exe
2014-05-11 00:36 - 2014-05-11 11:19 - 00000112 _____ () C:\windows\setupact.log
2014-05-11 00:36 - 2014-05-11 00:36 - 00000000 _____ () C:\windows\setuperr.log
2014-05-10 17:50 - 2014-05-10 17:50 - 00004359 _____ () C:\Users\AITTCalandra\Desktop\attach.zip
2014-05-10 17:23 - 2014-05-10 17:50 - 00022777 _____ () C:\Users\AITTCalandra\Desktop\dds.txt
2014-05-10 17:23 - 2014-05-10 17:50 - 00014933 _____ () C:\Users\AITTCalandra\Desktop\attach.txt
2014-05-08 07:25 - 2014-05-08 07:25 - 01805736 _____ (Symantec Corporation) C:\Users\AITTCalandra\Desktop\FixZeroAccess.exe
2014-05-08 07:25 - 2014-05-08 07:25 - 00027256 _____ (Symantec Corporation) C:\windows\system32\Drivers\FixZeroAccess.sys
2014-05-07 22:01 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\windows\SysWOW64\sqlite3.dll
2014-05-07 22:00 - 2014-05-10 18:59 - 00000000 ____D () C:\AdwCleaner
2014-05-07 21:59 - 2014-05-07 21:59 - 01316991 _____ () C:\Users\AITTCalandra\Desktop\AdwCleaner.exe
2014-05-07 21:56 - 2014-05-09 22:50 - 00003096 _____ () C:\Users\AITTCalandra\Desktop\Rkill.txt
2014-05-07 21:53 - 2014-05-07 21:53 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\AITTCalandra\Desktop\rkill.exe
2014-05-07 21:24 - 2014-05-07 21:24 - 00017394 _____ () C:\Users\AITTCalandra\Desktop\Result.txt
2014-05-07 21:17 - 2014-05-07 21:17 - 00982016 _____ (Farbar) C:\Users\AITTCalandra\Desktop\MiniToolBox.exe
2014-05-07 11:22 - 2014-05-07 12:30 - 00000000 ____D () C:\NPE
2014-05-07 11:19 - 2014-05-07 11:19 - 03077584 ____N (Symantec Corporation) C:\Users\AITTCalandra\Desktop\NPE.exe
2014-05-07 11:13 - 2014-05-07 11:13 - 00000000 ____D () C:\Users\AITTCalandra\Downloads\tdsskiller
2014-05-06 02:15 - 2014-05-06 02:15 - 00002786 _____ () C:\windows\System32\Tasks\CCleanerSkipUAC
2014-05-06 02:15 - 2014-05-06 02:15 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-05-06 02:15 - 2014-05-06 02:15 - 00000000 ____D () C:\Program Files\CCleaner
2014-05-05 12:00 - 2014-05-05 12:00 - 00000000 _____ () C:\t1ao.1
2014-04-25 23:03 - 2014-02-03 22:32 - 00624128 _____ (Microsoft Corporation) C:\windows\system32\qedit.dll
2014-04-25 23:03 - 2014-02-03 22:04 - 00509440 _____ (Microsoft Corporation) C:\windows\SysWOW64\qedit.dll
2014-04-25 23:00 - 2014-02-06 21:23 - 03156480 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2014-04-25 17:40 - 2014-04-25 17:40 - 00004129 _____ () C:\windows\SysWOW64\jupdate-1.7.0_55-b14.log
2014-04-25 17:40 - 2014-04-25 17:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-04-25 17:40 - 2014-04-14 20:13 - 00096168 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2014-04-25 17:40 - 2014-04-14 20:05 - 00264616 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe
2014-04-25 17:40 - 2014-04-14 20:05 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe
2014-04-25 17:40 - 2014-04-14 20:04 - 00175016 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe
2014-04-23 23:14 - 2014-04-23 23:14 - 00000000 ____D () C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bluetooth Devices
2014-04-20 21:13 - 2014-04-20 21:13 - 00003237 _____ () C:\Users\AITTCalandra\Desktop\Sophos Virus Removal Tool.lnk
2014-04-20 21:13 - 2014-04-20 21:13 - 00000000 ____D () C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
2014-04-20 21:13 - 2014-04-20 21:13 - 00000000 ____D () C:\Program Files (x86)\Sophos
2014-04-15 10:07 - 2014-04-15 18:13 - 00000000 ____D () C:\Users\AITTCalandra\Documents\TaxACT 2013
2014-04-15 10:07 - 2014-04-15 10:07 - 00001584 _____ () C:\Users\Public\Desktop\TaxACT 2013.lnk
2014-04-15 10:07 - 2014-04-15 10:07 - 00000046 _____ () C:\windows\TaxACT13.ini
2014-04-15 10:07 - 2014-04-15 10:07 - 00000000 ____D () C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TaxACT
2014-04-15 10:07 - 2014-04-15 10:07 - 00000000 ____D () C:\TaxACT
2014-04-15 10:07 - 2014-04-15 10:07 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TaxACT
2014-04-12 22:18 - 2014-04-12 22:18 - 00001845 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-04-12 22:18 - 2014-04-12 22:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-04-12 22:18 - 2014-04-12 22:18 - 00000000 ____D () C:\ProgramData\Apple Computer
2014-04-12 22:18 - 2014-04-12 22:18 - 00000000 ____D () C:\Program Files (x86)\QuickTime
==================== One Month Modified Files and Folders =======
2014-05-11 11:40 - 2014-05-11 11:40 - 00021500 _____ () C:\Users\AITTCalandra\Desktop\FRST.txt
2014-05-11 11:40 - 2014-05-11 11:40 - 00000000 ____D () C:\FRST
2014-05-11 11:39 - 2014-05-11 11:39 - 02066432 _____ (Farbar) C:\Users\AITTCalandra\Desktop\FRST64.exe
2014-05-11 11:26 - 2009-07-14 00:45 - 00024032 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-11 11:26 - 2009-07-14 00:45 - 00024032 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-11 11:22 - 2012-01-17 11:16 - 01718788 _____ () C:\windows\WindowsUpdate.log
2014-05-11 11:19 - 2014-05-11 00:36 - 00000112 _____ () C:\windows\setupact.log
2014-05-11 11:19 - 2009-07-14 01:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-05-11 02:24 - 2009-07-14 01:13 - 00779266 _____ () C:\windows\system32\PerfStringBackup.INI
2014-05-11 00:36 - 2014-05-11 00:36 - 00000000 _____ () C:\windows\setuperr.log
2014-05-10 18:59 - 2014-05-07 22:00 - 00000000 ____D () C:\AdwCleaner
2014-05-10 17:50 - 2014-05-10 17:50 - 00004359 _____ () C:\Users\AITTCalandra\Desktop\attach.zip
2014-05-10 17:50 - 2014-05-10 17:23 - 00022777 _____ () C:\Users\AITTCalandra\Desktop\dds.txt
2014-05-10 17:50 - 2014-05-10 17:23 - 00014933 _____ () C:\Users\AITTCalandra\Desktop\attach.txt
2014-05-09 22:50 - 2014-05-07 21:56 - 00003096 _____ () C:\Users\AITTCalandra\Desktop\Rkill.txt
2014-05-08 23:18 - 2012-10-18 12:05 - 00000672 _____ () C:\windows\system32\config\netlogon.ftl
2014-05-08 18:10 - 2013-09-10 09:08 - 00000000 ____D () C:\Users\AITTCalandra\AppData\Local\NPE
2014-05-08 07:25 - 2014-05-08 07:25 - 01805736 _____ (Symantec Corporation) C:\Users\AITTCalandra\Desktop\FixZeroAccess.exe
2014-05-08 07:25 - 2014-05-08 07:25 - 00027256 _____ (Symantec Corporation) C:\windows\system32\Drivers\FixZeroAccess.sys
2014-05-08 07:24 - 2012-10-18 13:45 - 00000000 ____D () C:\Users\AITTCalandra\Documents\Financial Info
2014-05-07 21:59 - 2014-05-07 21:59 - 01316991 _____ () C:\Users\AITTCalandra\Desktop\AdwCleaner.exe
2014-05-07 21:53 - 2014-05-07 21:53 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\AITTCalandra\Desktop\rkill.exe
2014-05-07 21:24 - 2014-05-07 21:24 - 00017394 _____ () C:\Users\AITTCalandra\Desktop\Result.txt
2014-05-07 21:17 - 2014-05-07 21:17 - 00982016 _____ (Farbar) C:\Users\AITTCalandra\Desktop\MiniToolBox.exe
2014-05-07 12:30 - 2014-05-07 11:22 - 00000000 ____D () C:\NPE
2014-05-07 11:19 - 2014-05-07 11:19 - 03077584 ____N (Symantec Corporation) C:\Users\AITTCalandra\Desktop\NPE.exe
2014-05-07 11:13 - 2014-05-07 11:13 - 00000000 ____D () C:\Users\AITTCalandra\Downloads\tdsskiller
2014-05-07 11:13 - 2012-10-18 13:29 - 00000000 ____D () C:\Users\AITTCalandra
2014-05-06 02:15 - 2014-05-06 02:15 - 00002786 _____ () C:\windows\System32\Tasks\CCleanerSkipUAC
2014-05-06 02:15 - 2014-05-06 02:15 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-05-06 02:15 - 2014-05-06 02:15 - 00000000 ____D () C:\Program Files\CCleaner
2014-05-05 18:59 - 2012-11-14 01:09 - 00692400 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2014-05-05 18:59 - 2012-11-14 01:09 - 00070832 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-05-05 12:00 - 2014-05-05 12:00 - 00000000 _____ () C:\t1ao.1
2014-04-27 14:11 - 2012-10-18 13:45 - 00000000 ____D () C:\Users\AITTCalandra\Documents\Expenses
2014-04-26 08:04 - 2009-07-14 00:45 - 00484728 _____ () C:\windows\system32\FNTCACHE.DAT
2014-04-25 17:41 - 2013-10-18 09:03 - 00000000 ____D () C:\ProgramData\Oracle
2014-04-25 17:40 - 2014-04-25 17:40 - 00004129 _____ () C:\windows\SysWOW64\jupdate-1.7.0_55-b14.log
2014-04-25 17:40 - 2014-04-25 17:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-04-25 17:40 - 2011-07-07 18:12 - 00000000 ____D () C:\Program Files (x86)\Java
2014-04-24 00:39 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\NDF
2014-04-23 23:14 - 2014-04-23 23:14 - 00000000 ____D () C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bluetooth Devices
2014-04-23 15:41 - 2012-10-18 13:45 - 00008721 _____ () C:\Users\AITTCalandra\Documents\ttpf.inst
2014-04-22 09:42 - 2009-07-14 01:08 - 00032630 _____ () C:\windows\Tasks\SCHEDLGU.TXT
2014-04-20 21:13 - 2014-04-20 21:13 - 00003237 _____ () C:\Users\AITTCalandra\Desktop\Sophos Virus Removal Tool.lnk
2014-04-20 21:13 - 2014-04-20 21:13 - 00000000 ____D () C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
2014-04-20 21:13 - 2014-04-20 21:13 - 00000000 ____D () C:\Program Files (x86)\Sophos
2014-04-20 21:13 - 2012-11-03 21:33 - 00000000 ____D () C:\ProgramData\Sophos
2014-04-17 02:05 - 2012-10-18 13:47 - 00000000 ____D () C:\Users\AITTCalandra\Documents\ST Wrench
2014-04-15 18:13 - 2014-04-15 10:07 - 00000000 ____D () C:\Users\AITTCalandra\Documents\TaxACT 2013
2014-04-15 10:14 - 2013-01-27 15:00 - 00000061 _____ () C:\windows\TaxACT12.ini
2014-04-15 10:07 - 2014-04-15 10:07 - 00001584 _____ () C:\Users\Public\Desktop\TaxACT 2013.lnk
2014-04-15 10:07 - 2014-04-15 10:07 - 00000046 _____ () C:\windows\TaxACT13.ini
2014-04-15 10:07 - 2014-04-15 10:07 - 00000000 ____D () C:\Users\AITTCalandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TaxACT
2014-04-15 10:07 - 2014-04-15 10:07 - 00000000 ____D () C:\TaxACT
2014-04-15 10:07 - 2014-04-15 10:07 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TaxACT
2014-04-15 09:19 - 2012-10-18 13:29 - 00003808 __RSH () C:\Users\AITTCalandra\ntuser.pol
2014-04-14 20:13 - 2014-04-25 17:40 - 00096168 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2014-04-14 20:05 - 2014-04-25 17:40 - 00264616 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe
2014-04-14 20:05 - 2014-04-25 17:40 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe
2014-04-14 20:04 - 2014-04-25 17:40 - 00175016 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe
2014-04-13 22:18 - 2013-09-18 08:49 - 00000000 ____D () C:\Users\AITTCalandra\AppData\Local\CrashDumps
2014-04-12 22:18 - 2014-04-12 22:18 - 00001845 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-04-12 22:18 - 2014-04-12 22:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-04-12 22:18 - 2014-04-12 22:18 - 00000000 ____D () C:\ProgramData\Apple Computer
2014-04-12 22:18 - 2014-04-12 22:18 - 00000000 ____D () C:\Program Files (x86)\QuickTime
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$b81e386b92ffe1e1235e942f7d78f505
==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-05-05 22:14
==================== End Of Log ============================


Edited by Nicksdad, 11 May 2014 - 10:58 AM.


#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:44 PM

Posted 11 May 2014 - 10:47 PM

Please do this next:

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

HKU\S-1-5-21-278118735-2729461451-4031961895-15118\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-278118735-2729461451-4031961895-15118\$b81e386b92ffe1e1235e942f7d78f505\n. ATTENTION! ====> ZeroAccess?
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$b81e386b92ffe1e1235e942f7d78f505\n. ATTENTION! ====> ZeroAccess?
C:\$Recycle.Bin\S-1-5-18\$b81e386b92ffe1e1235e942f7d78f505
Folder: C:\t1ao.1
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 Nicksdad

Nicksdad
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:08:44 PM

Posted 12 May 2014 - 12:58 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-05-2014 01
Ran by AITTCalandra at 2014-05-12 13:55:41 Run:1
Running from C:\Users\AITTCalandra\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-278118735-2729461451-4031961895-15118\...409d6c4515e9\InprocServer32: [Default-shell32] C:\$Recycle.Bin\S-1-5-21-278118735-2729461451-4031961895-15118\$b81e386b92ffe1e1235e942f7d78f505\n. ATTENTION! ====> ZeroAccess?
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$b81e386b92ffe1e1235e942f7d78f505\n. ATTENTION! ====> ZeroAccess?
C:\$Recycle.Bin\S-1-5-18\$b81e386b92ffe1e1235e942f7d78f505
Folder: C:\t1ao.1
*****************

HKU\S-1-5-21-278118735-2729461451-4031961895-15118\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
C:\$Recycle.Bin\S-1-5-18\$b81e386b92ffe1e1235e942f7d78f505 => Moved successfully.

========================= Folder: C:\t1ao.1 ========================

The path is not a directory.

==== End of Fixlog ====



#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:44 PM

Posted 12 May 2014 - 03:56 PM

Please do this next:
 
Download Combofix from HERE, and save it to your desktop.
 
**Note:  It is important that it is saved directly to your desktop**
 
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------
 
Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.
  • Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • ComboFix log



#7 Nicksdad

Nicksdad
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  • Local time:08:44 PM

Posted 14 May 2014 - 12:06 AM

ComboFix 14-05-13.01 - AITTCalandra 05/14/2014   0:51.1.4 - x64
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.3969.2006 [GMT -4:00]
Running from: c:\users\AITTCalandra\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\program files (x86)\QuickTime\QTTask.exe
c:\programdata\Config
c:\users\AITTCalandra\AppData\Roaming\Daex
c:\users\AITTCalandra\AppData\Roaming\Daex\agok.ule
c:\users\AITTCalandra\g2mdlhlpx.exe
c:\users\AITTCalandra\GoToAssistDownloadHelper.exe
c:\windows\MICROSOFT
c:\windows\MICROSOFT\Excel\Excel12.xlb
c:\windows\MICROSOFT\Office\Excel12.pip
c:\windows\MICROSOFT\Office\Groove12.pip
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-14 to 2014-05-14  )))))))))))))))))))))))))))))))
.
.
2014-05-14 04:37 . 2014-05-14 04:37 -------- d-----w- c:\users\AITTCalandra\AppData\Roaming\smkits
2014-05-12 16:08 . 2014-03-04 09:44 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2014-05-12 16:08 . 2014-03-04 09:17 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2014-05-12 16:08 . 2014-03-04 09:44 13312 ----a-w- c:\windows\system32\wow64cpu.dll
2014-05-12 16:08 . 2014-03-04 09:16 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2014-05-12 16:08 . 2014-03-04 08:09 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2014-05-12 16:08 . 2014-03-04 08:09 2048 ----a-w- c:\windows\SysWow64\user.exe
2014-05-12 16:08 . 2014-03-04 09:44 362496 ----a-w- c:\windows\system32\wow64win.dll
2014-05-12 16:08 . 2014-03-04 09:44 243712 ----a-w- c:\windows\system32\wow64.dll
2014-05-12 16:08 . 2014-03-04 09:16 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2014-05-12 16:08 . 2014-03-04 09:44 1163264 ----a-w- c:\windows\system32\kernel32.dll
2014-05-11 15:40 . 2014-05-12 17:55 -------- d-----w- C:\FRST
2014-05-08 11:25 . 2014-05-08 11:25 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
2014-05-08 02:01 . 2010-08-30 12:34 536576 ----a-w- c:\windows\SysWow64\sqlite3.dll
2014-05-08 02:00 . 2014-05-10 22:59 -------- d-----w- C:\AdwCleaner
2014-05-07 15:22 . 2014-05-07 16:30 -------- d-----w- C:\NPE
2014-05-06 06:15 . 2014-05-06 06:15 -------- d-----w- c:\program files\CCleaner
    2014-04-26 03:03 . 2014-02-04 02:32 624128 ----a-w- c:\windows\system32\qedit.dll
    2014-04-26 03:03 . 2014-02-04 02:04 509440 ----a-w- c:\windows\SysWow64\qedit.dll
    2014-04-26 03:00 . 2014-02-07 01:23 3156480 ----a-w- c:\windows\system32\win32k.sys
    2014-04-25 21:40 . 2014-04-15 00:13 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
    2014-04-21 01:13 . 2014-04-21 01:13 73728 ----a-r- c:\users\AITTCalandra\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
    2014-04-21 01:13 . 2014-04-21 01:13 73728 ----a-r- c:\users\AITTCalandra\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
    2014-04-21 01:13 . 2014-04-21 01:13 73728 ----a-r- c:\users\AITTCalandra\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
    2014-04-21 01:13 . 2014-04-21 01:13 -------- d-----w- c:\program files (x86)\Sophos
    2014-04-15 14:07 . 2014-04-15 14:07 -------- d-----w- C:\TaxACT
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-05-05 22:59 . 2012-11-14 05:09 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-05-05 22:59 . 2012-11-14 05:09 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2014-03-31 07:51 . 2011-07-08 05:04 90655440 ----a-w- c:\windows\system32\MRT.exe
    2014-03-04 09:17 . 2014-05-12 16:08 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Photosmart Plus B210 series (NET)"="c:\program files\HP\HP Photosmart Plus B210 series\Bin\ScanToPCActivationApp.exe" [2012-10-17 2573416]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2010-09-30 115560]
    "USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-10-25 290688]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
    "RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2013-01-17 267792]
    "IMSS"="c:\program files (x86)\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2012-07-19 133440]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
    .
    c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-8-15 507448]
    .
    c:\users\Asap Help\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-8-15 507448]
    .
    c:\users\AITTCalandra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Monitor Ink Alerts - HP Photosmart Plus B210 series (Network).lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Photosmart Plus B210 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN09U2M7TF05J9;CONNECTION=NW;MONITOR=1; [2009-7-13 45568]
    Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-8-15 507448]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2012-2-1 1380128]
    MTCom Monitor.lnk - c:\program files (x86)\Atlas Copco\MTCom\MTComMonitor.exe [2013-6-25 106496]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Smart Settings.lnk - c:\program files\Dell\Feature Enhancement Pack\SmartSettings.exe [2012-8-15 507448]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2007-04-27 17:10 18744 ----a-w- c:\windows\System32\PCANotify.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ    autocheck autochk *\0\0sdnclean64.exe
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ    scecli c:\program files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-278118735-2729461451-4031961895-15118\Scripts\Logon\0\0]
    "Script"=Auburn Hills AIT LogonScript.v4.vbs
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\accelern.sys;c:\windows\SYSNATIVE\drivers\accelern.sys [x]
    R3 AltirisAgentProvider;AltirisAgentProvider;c:\program files\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe;c:\program files\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe [x]
    R3 Blackberry Device Manager;Blackberry Device Manager;c:\program files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe;c:\program files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [x]
    R3 ConfigService;Altiris Deployment Solution - System Configuration;c:\program files\Altiris\Altiris Agent\Agents\Deployment\Agent\ConfigService.exe;c:\program files\Altiris\Altiris Agent\Agents\Deployment\Agent\ConfigService.exe [x]
    R3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys;c:\windows\SYSNATIVE\Drivers\cvusbdrv.sys [x]
    R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys;c:\windows\SYSNATIVE\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
    R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys [x]
    R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
    R3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\O2MDFw7x64.sys;c:\windows\SYSNATIVE\drivers\O2MDFw7x64.sys [x]
    R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7x64.sys;c:\windows\SYSNATIVE\drivers\O2MDRw7x64.sys [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys;c:\windows\SYSNATIVE\drivers\Synth3dVsc.sys [x]
    R3 tcm;tcm;c:\windows\system32\drivers\tcm.sys;c:\windows\SYSNATIVE\drivers\tcm.sys [x]
    R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
    S0 nvpciflt;nvpciflt;c:\windows\system32\DRIVERS\nvpciflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvpciflt.sys [x]
    S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys;c:\windows\SYSNATIVE\DRIVERS\stdcfltn.sys [x]
    S1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys;c:\windows\SYSNATIVE\drivers\fslx.sys [x]
    S1 nvkflt;nvkflt;c:\windows\system32\DRIVERS\nvkflt.sys;c:\windows\SYSNATIVE\DRIVERS\nvkflt.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
    S2 Altiris Deployment Agent;Altiris Deployment Agent;c:\program files\Altiris\Dagent\dagent.exe;c:\program files\Altiris\Dagent\dagent.exe [x]
    S2 atashost;WebEx Service Host for Support Center;c:\windows\SysWOW64\atashost.exe;c:\windows\SysWOW64\atashost.exe [x]
    S2 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\Dell\Feature Enhancement Pack\DFEPService.exe;c:\program files\Dell\Feature Enhancement Pack\DFEPService.exe [x]
    S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
    S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
    S2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\notes\nsd.exe;c:\notes\nsd.exe [x]
    S2 MTCom;MTCom;c:\program files (x86)\Atlas Copco\MTCom\MTComSvc.exe;c:\program files (x86)\Atlas Copco\MTCom\MTComSvc.exe [x]
    S2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe;c:\program files (x86)\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe [x]
    S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
    S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
    S2 TracSrvWrapper;Check Point Endpoint Security VPN;c:\program files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe;c:\program files (x86)\CheckPoint\Endpoint Connect\TracSrvWrapper.exe [x]
    S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
    S3 AeXAgentSrvHost;AeXAgentSrvHost;c:\program files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe;c:\program files\Altiris\Altiris Agent\x86\AeXNSAgentHostSurrogate32.exe [x]
    S3 bcbtums;Bluetooth RAM Firmware Download USB Filter;c:\windows\system32\drivers\bcbtums.sys;c:\windows\SYSNATIVE\drivers\bcbtums.sys [x]
    S3 btwampfl;btwampfl Bluetooth filter driver;c:\windows\system32\drivers\btwampfl.sys;c:\windows\SYSNATIVE\drivers\btwampfl.sys [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
    S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
    S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
    S3 O2SDJRDR;O2SDJRDR;c:\windows\system32\DRIVERS\o2sdjw7x64.sys;c:\windows\SYSNATIVE\DRIVERS\o2sdjw7x64.sys [x]
    S3 ST_ACCEL;STMicroelectronics Accelerometer Service;c:\windows\system32\DRIVERS\ST_ACCEL.sys;c:\windows\SYSNATIVE\DRIVERS\ST_ACCEL.sys [x]
    S3 vna_ap;Check Point Virtual Network Adapter - Apollo;c:\windows\system32\DRIVERS\vnaap.sys;c:\windows\SYSNATIVE\DRIVERS\vnaap.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{164EB883-354E-4290-AD76-67CEE65403A3}]
    2010-11-21 03:24 73216 ----a-w- c:\windows\System32\msiexec.exe
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{FF507D54-6417-47B3-8FC7-773BACD2691B}]
    2010-11-21 03:24 73216 ----a-w- c:\windows\SysWOW64\msiexec.exe
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DagentUI"="c:\program files\Altiris\Dagent\dagentui.exe" [2010-03-22 847184]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2011-07-20 611192]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-02-14 1425408]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-11-07 171064]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-11-07 399416]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2012-11-07 441912]
    "DFEPApplication"="c:\program files\Dell\Feature Enhancement Pack\DFEPApplication.exe" [2012-08-15 7077432]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\windows\System32\AMInit64.dll c:\windows\System32\nvinitx.dll c:\windows\System32\AMInit64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
    Trusted Zone: repliweb
    Trusted Zone: webex.com
    TCP: DhcpNameServer = 192.168.6.1 64.134.255.2 64.134.255.10
    DPF: {13AEBFDE-CA17-4423-AADE-59BD76C7BDA7} - hxxps://repliweb/repliweb-mft/upload/activex_packager.ocx
    DPF: {88448E4B-4286-401F-BB90-A1765E8B104C} - hxxps://repliweb/repliweb-mft/LiteCopy/lc_client_activex.ocx
    FF - ProfilePath - c:\users\AITTCalandra\AppData\Roaming\Mozilla\Firefox\Profiles\gfltf139.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-yff23&p=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Wow6432Node-HKCU-Run-QuickTime Task - c:\program files (x86)\QuickTime\QTTask.exe
    Wow6432Node-HKLM-Run-QuickTime Task - c:\program files (x86)\QuickTime\QTTask.exe
    Notify-SDWinLogon - SDWinLogon.dll
    SafeBoot-88878689.sys
    SafeBoot-Symantec Antvirus
    Toolbar-Locked - (no file)
    AddRemove-52938534-B616-89B7-AD47-79F78A0B5F29 - c:\program files (x86)\ViewPassword-soft\Uninstall.exe
    AddRemove-AltirisAgent - c:\program files (x86)\Altiris\Altiris Agent\AeXNSAgent.exe
    AddRemove-{92F2A534-C3E4-4B18-BEBD-329F5E848C8B} - c:\program files (x86)\Altiris\Altiris Agent\AeXNSAgent.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
       00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Communications]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
       00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\NS Client]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
       00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.13"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    c:\windows\system32\o2flash.exe
    c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
    c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
    .
    **************************************************************************
    .
    Completion time: 2014-05-14  01:03:49 - machine was rebooted
    ComboFix-quarantined-files.txt  2014-05-14 05:03
    .
    Pre-Run: 182,362,157,056 bytes free
    Post-Run: 182,256,177,152 bytes free
    .
    - - End Of File - - 7D2AF3F5CE132D3575703C98B344D01A
     



    #8 RPMcMurphy (Malware Response Team, 3,970 posts)

    Posted 14 May 2014 - 10:01 PM

    You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

    Open MBAM

    • Click the Update tab
    • Click Check for Updates
    • If an update is found, it will download and install the latest version.
    • The program will close to update and reopen.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Uncheck any entries from C:\System Volume Information, C:\_OTL\MovedFiles or C:\Qoobox
    • Make sure that everything else is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the entire report in your next reply.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




    #9 Nicksdad (Topic Starter, Members, 40 posts)

    Posted 15 May 2014 - 10:05 AM

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2014.05.14.11

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 10.0.9200.16438
    AITTCalandra :: AITLUS0625 [administrator]

    5/15/2014 1:16:25 AM
    mbam-log-2014-05-15 (01-16-25).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 445787
    Time elapsed: 1 hour(s), 5 minute(s), 35 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\Software\Mozilla\Firefox\Extensions|{625F4D6B-2734-2C68-62F2-2F6BC372DCA2} (PUP.Optional.ViewPassword.A) -> Data: C:\Program Files (x86)\ViewPassword-soft\161.xpi -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)



    #10 RPMcMurphy (Malware Response Team, 3,970 posts)

    Posted 15 May 2014 - 09:38 PM

    How is your computer running now? Please do this next:

    Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

    • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
    • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    • Click Scan
    • Wait for the scan to finish
    • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
    • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.




    #11 Nicksdad (Topic Starter, Members, 40 posts)

    Posted 17 May 2014 - 04:06 PM

    The computer seems to run fine.  Internet has become extremely slow, but my wife just confirmed it's the same on her Mac, so I don't think it has anything to do with what's going on.

     

    C:\AdwCleaner\Quarantine\C\Program Files (x86)\ViewPassword-soft\ViewPasswordFIX161.exe.vir a variant of Win32/AdWare.AddLyrics.AK application
    C:\AdwCleaner\Quarantine\C\Program Files (x86)\ViewPassword-soft\ViewPasswordFIXQNw.exe.vir a variant of Win32/AdWare.AddLyrics.AJ application
     



    #12 Nicksdad (Topic Starter, Members, 40 posts)

    Posted 17 May 2014 - 05:12 PM

    So I tried Firefox and everything seems fine.  I use IE and it's worse than dial-up???  Did a reset of IE, but no help.  Upgraded from IE 10 to IE 11 and still slow.


    Edited by Nicksdad, 17 May 2014 - 05:51 PM.


    #13 RPMcMurphy (Malware Response Team, 3,970 posts)

    Posted 18 May 2014 - 09:07 AM

    I'm not sure what could be causing your issues with IE, especially if you reset it.  If you continue to have issues, consider posting in our browser forum.

    Malware wise, your logs are looking good (Those ESET detections are already in quarantine).  All I have left for you is some important housekeeping:

    Your Adobe Reader needs to be updated.  Please visit Adobe's site and grab the newest version.  Be sure to watch for and uncheck any boxes offering to install other software.

    Uninstall ComboFix

    • Press the Windows key + R on your keyboard or click Start -> Run.  Copy and paste the following text into the run box that opens and press OK:
      Combofix /Uninstall

    Download OTC to your desktop and run it
    • Click Yes to begin the cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
    • Manually delete any remaining logs or tools from our fixes

    Double click on AdwCleaner.exe to run the tool again.
    • Click on the Uninstall button.
    • Click Yes when asked are you sure you want to uninstall.
    • Both AdwCleaner.exe, its folder and all logs will be removed.

    Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine.
    • If it doesn't, manually reboot to ensure a complete clean.

    Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
    • Restart any anti-malware programs that we disabled while we were cleaning your machine.
    • Keep your antivirus application and MBAM current and updated.  Scan with them at least weekly.
    • Please read this post for some helpful information.

    Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!




    #14 Nicksdad (Topic Starter)

    Posted 18 May 2014 - 02:32 PM

    All set.   Thanks for all of your time and help.



    #15 RPMcMurphy (Malware Response Team)

    Posted 20 May 2014 - 09:50 PM

    You're welcome.  Take care.



