
Had multiple; music/ads playing in background; ransom.trojan


  • This topic is locked
16 replies to this topic

#1 ozeal

  • Members
  • 12 posts

Posted 29 May 2014 - 07:37 PM

Hello Bleeping - I am working on a laptop that has had over 12 different viruses/Trojans on it. The two that I had the hardest problem with were the ransom.Trojan and the music/ads playing in the background. I tried to follow some topics on these two and ran some programs: rkill, then mbam and other suggested tools. While I should have just opened up a ticket, I decided to fix it on my own, so I am humbly requesting help to see if I missed anything that I am unaware of. At the conclusion of this work, can my logs be removed, or anything pertaining to the device ownership be removed?

 

dds.txt

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.55.2
Run by Brian Heidi at 20:23:10 on 2014-05-29
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3999.2522 [GMT -4:00]
.
AV: Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\iolo\System Mechanic\iologovernor64.exe
C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_206_ActiveX.exe
C:\Users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uURLSearchHooks: PC Tools Browser Guard: {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
mWinlogon: Userinit = userinit.exe,
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [netObjUsb64] rundll32.exe "C:\Users\Brian Heidi\AppData\Roaming\netObjUsb64\netObjUsb64.dll",Uspsvc90 AvpServices90
uRun: [RunIt] "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" about:newaddon?id={64d64833-9296-421b-a362-83cfbd6291b6}
uRun: [Olturefyuvdo] "C:\Users\Brian Heidi\AppData\Roaming\Afazqiu\caywb.exe"
uRunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil64_13_0_0_206_ActiveX.exe -update activex
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
StartupFolder: C:\Users\BRIANH~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
uPolicies-System: WallpaperStyle = 2
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: WallpaperStyle = 2
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0055-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.33.1
TCP: Interfaces\{56CE361B-EDAE-4A71-944F-A92300479DEB} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.33.1
TCP: Interfaces\{56CE361B-EDAE-4A71-944F-A92300479DEB}\2456C6B696E6E253241443 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{56CE361B-EDAE-4A71-944F-A92300479DEB}\86F6573756F666C696768647 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{56CE361B-EDAE-4A71-944F-A92300479DEB}\A45637573764275616B6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{56CE361B-EDAE-4A71-944F-A92300479DEB}\A6563757373716675637 : DHCPNameServer = 71.252.0.12 68.237.161.12
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
x64-Run: [dleamon.exe] "C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe"
x64-Run: [EzPrint] "C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - <orphaned>
x64-Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-1-25 268512]
R0 pctDS;PC Tools Data Store;C:\Windows\System32\drivers\pctDS64.sys [2012-3-29 453896]
R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\System32\drivers\pctEFA64.sys [2012-3-29 1096176]
R1 ElRawDisk;ElRawDisk;C:\Windows\System32\drivers\ElRawDsk.sys [2014-1-21 30752]
R2 Browser Defender Update Service;Browser Defender Update Service;C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [2012-7-1 575448]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
R2 ioloSystemService;iolo System Service;C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2014-5-4 4492776]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 133928]
R2 PDFsFilter;PDFsFilter;C:\Windows\System32\drivers\PDFsFilter.sys [2014-1-21 82160]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2009-8-25 35104]
R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2009-6-29 70656]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2009-12-26 139264]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-3-11 347872]
S2 McMPFSvc;McAfee Personal Firewall Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc --> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [?]
S3 dleaCATSCustConnectService;dleaCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\dleaserv.exe [2009-7-1 45224]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-5-1 111616]
S3 mferkdk;McAfee Inc. mferkdk;C:\Windows\System32\drivers\mferkdk.sys [2010-5-15 40904]
S3 mfesmfk;McAfee Inc. mfesmfk;C:\Windows\System32\drivers\mfesmfk.sys [2010-5-15 49480]
S3 NETw1v64;Intel® Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw1v64.sys [2009-8-25 7058432]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 PCTBD;PC Tools Browser Defender Driver;C:\Windows\System32\drivers\PCTBD64.sys [2012-7-1 85224]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-25 233472]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 ssrangdr;ssrangdr;C:\Windows\System32\drivers\ssrangdr.sys [2009-12-13 4608]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-23 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-5-6 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S4 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [2009-3-2 89600]
S4 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-8-9 228408]
S4 dlea_device;dlea_device;C:\Windows\System32\dleacoms.exe -service --> C:\Windows\System32\dleacoms.exe -service [?]
S4 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2013-12-16 166400]
S4 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2013-12-16 128512]
S4 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2011-5-13 30520]
S4 IHA_MessageCenter;IHA_MessageCenter;C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-12-12 290832]
S4 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2014-1-3 14624]
S4 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\nlssrv32.exe [2012-11-9 71280]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-8-14 39056]
S4 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-8-14 3291008]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S4 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~2\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> C:\PROGRA~2\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
=============== Created Last 30 ================
.
2014-05-29 23:46:14 1031560 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1171691C-7866-4C83-A7A5-B8588585B778}\gapaengine.dll
2014-05-29 23:45:58 10702536 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{83E346D8-9664-4AAF-BFFC-FC54818C2A51}\mpengine.dll
2014-05-18 17:43:21 10651704 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-18 17:01:24 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-05-18 17:01:24 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-05-18 16:52:05 477184 ----a-w- C:\Windows\System32\aepdu.dll
2014-05-18 16:52:04 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-05-18 16:44:11 1031560 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{74D0AA69-3CF3-4D9C-9E84-C97BFB3CF24D}\gapaengine.dll
2014-05-18 16:42:08 -------- d-----w- C:\Users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-05-12 02:39:23 -------- d-s---w- C:\Windows\System32\CompatTel
2014-05-12 02:32:22 -------- d-----w- C:\ProgramData\Oracle
2014-05-12 02:31:44 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-05-12 01:59:30 -------- d-----w- C:\Windows\ERUNT
2014-05-12 01:32:58 -------- d-----w- C:\AdwCleaner
2014-05-12 01:23:13 -------- d-----w- C:\TDSSKiller_Quarantine
2014-05-12 00:04:07 119512 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-05-12 00:03:26 88280 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-05-12 00:03:25 63192 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-05-12 00:03:25 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-05-12 00:03:24 -------- d-----w- C:\ProgramData\Malwarebytes
2014-05-12 00:03:24 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-07 20:45:07 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2014-05-07 20:45:07 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2014-05-07 20:45:07 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2014-05-07 20:45:07 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2014-05-07 20:45:07 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
2014-05-06 01:21:16 -------- d-----w- C:\Users\Brian Heidi\AppData\Roaming\Afazqiu
2014-05-01 12:59:18 -------- d-sh--w- C:\Users\Brian Heidi\AppData\Local\EmieUserList
2014-05-01 12:59:18 -------- d-sh--w- C:\Users\Brian Heidi\AppData\Local\EmieSiteList
2014-05-01 12:33:40 -------- d-----w- C:\87111f52eea4d99f6199e8d5e42a7e47
2014-05-01 12:14:22 359936 ----a-w- C:\Program Files\Internet Explorer\IEShims.dll
2014-05-01 12:14:22 257536 ----a-w- C:\Program Files (x86)\Internet Explorer\IEShims.dll
2014-05-01 12:14:00 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-05-01 12:14:00 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-05-01 12:12:59 8011776 ----a-w- C:\Program Files\Internet Explorer\F12Resources.dll
2014-05-01 12:03:16 -------- d-----w- C:\b679b0456f01dded5a93bca559b92a
.
==================== Find3M  ====================
.
2014-05-12 01:24:02 512000 ----a-w- C:\Windows\System32\rpcss.dll
2014-05-01 11:59:37 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-01 11:59:37 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-04-30 14:24:54 57584 ----a-w- C:\Windows\System32\iolobtdfg.exe
2014-04-30 14:24:46 26184 ----a-w- C:\Windows\System32\smrgdf.exe
2014-04-30 14:08:36 2155152 ----a-w- C:\Windows\System32\Incinerator64.dll
2014-04-30 14:08:34 2097984 ----a-w- C:\Windows\SysWow64\Incinerator32.dll
2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37 28160 ----a-w- C:\Windows\System32\secur32.dll
2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05 31232 ----a-w- C:\Windows\System32\lsass.exe
2014-04-12 02:12:06 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-03-11 13:52:30 133928 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2014-03-06 09:31:33 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-06 08:59:04 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-06 08:57:20 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:29:40 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:11:41 5784064 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-06 08:02:34 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:01:01 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36 4254720 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15 2043904 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39 1967104 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40 2260480 ----a-w- C:\Windows\System32\wininet.dll
2014-03-06 05:41:49 1789440 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-03-04 09:47:01 5550016 ----a-w- C:\Windows\System32\ntoskrnl.exe
2014-03-04 09:44:21 362496 ----a-w- C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21 243712 ----a-w- C:\Windows\System32\wow64.dll
2014-03-04 09:44:21 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:20 39936 ----a-w- C:\Windows\System32\wincredprovider.dll
2014-03-04 09:44:10 210944 ----a-w- C:\Windows\System32\wdigest.dll
2014-03-04 09:44:08 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2014-03-04 09:44:06 340992 ----a-w- C:\Windows\System32\schannel.dll
2014-03-04 09:44:03 722944 ----a-w- C:\Windows\System32\objsel.dll
2014-03-04 09:44:03 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2014-03-04 09:44:03 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2014-03-04 09:44:00 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-03-04 09:44:00 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2014-03-04 09:43:56 57344 ----a-w- C:\Windows\System32\cngprovider.dll
2014-03-04 09:43:56 52736 ----a-w- C:\Windows\System32\dpapiprovider.dll
2014-03-04 09:43:56 44544 ----a-w- C:\Windows\System32\dimsroam.dll
2014-03-04 09:43:56 22016 ----a-w- C:\Windows\System32\credssp.dll
2014-03-04 09:43:55 56832 ----a-w- C:\Windows\System32\adprovider.dll
2014-03-04 09:43:55 53760 ----a-w- C:\Windows\System32\capiprovider.dll
2014-03-04 09:43:50 455168 ----a-w- C:\Windows\System32\winlogon.exe
2014-03-04 09:20:11 3969984 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2014-03-04 09:20:11 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2014-03-04 09:16:54 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2014-03-04 09:16:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2014-03-04 08:09:30 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29 2048 ----a-w- C:\Windows\SysWow64\user.exe
.
============= FINISH: 20:23:49.05 ===============

 

 

 


 


#2 TheShooter93 (Cody)

  • Malware Response Team
  • 4,792 posts
  • Location: Orlando, Florida

Posted 01 June 2014 - 12:15 PM

Hello ozeal,

My name is Cody and I'll be helping you clean up your computer. :)

I will reply to your posts as soon as possible -- typically within 24 hours. In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, I just ask for notice ahead of time.

Please do note any time differences between us. If I do not respond within 48 hours, feel free to send me a private message.

==========================================================================

Some points for you to keep in mind:
  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.
==========================================================================

Farbar Recovery Scan Tool (FRST)
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen.
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
==========================================================================

Also, please list what tools you have run so far, and what the current symptoms are.

==========================================================================

What I'd like to see in your next post:
  • FRST logs.
  • Tools run so far.
  • Current symptoms.

Edited by TheShooter93, 01 June 2014 - 12:32 PM.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#3 ozeal (Topic Starter)

  • Members
  • 12 posts

Posted 01 June 2014 - 08:22 PM

Cody - thank you for your time.

I have run MBAM, AdwCleaner and MS Essentials; I think that is all. I had to run Rkill and MBAM with AdwCleaner to get the ransom and other virus to stop playing music in the background. I have not seen any effects since then, but I do not want to return the laptop only to have the virus still lurking in the background.

I also updated Java to the latest version and uninstalled any unknown programs/toolbars.

 

As requested:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041  BrowserJavaVersion: 10.55.2
Run by Brian Heidi at 20:23:10 on 2014-05-29
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3999.2522 [GMT -4:00]
.
AV: Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\iolo\System Mechanic\iologovernor64.exe
C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_206_ActiveX.exe
C:\Users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uURLSearchHooks: PC Tools Browser Guard: {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll
mWinlogon: Userinit = userinit.exe,
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [netObjUsb64] rundll32.exe "C:\Users\Brian Heidi\AppData\Roaming\netObjUsb64\netObjUsb64.dll",Uspsvc90 AvpServices90
uRun: [RunIt] "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" about:newaddon?id={64d64833-9296-421b-a362-83cfbd6291b6}
uRun: [Olturefyuvdo] "C:\Users\Brian Heidi\AppData\Roaming\Afazqiu\caywb.exe"
uRunOnce: [FlashPlayerUpdate] C:\Windows\System32\Macromed\Flash\FlashUtil64_13_0_0_206_ActiveX.exe -update activex
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
StartupFolder: C:\Users\BRIANH~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BLUETO~1.LNK - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
uPolicies-System: WallpaperStyle = 2
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: WallpaperStyle = 2
IE: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0055-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_55-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.33.1
TCP: Interfaces\{56CE361B-EDAE-4A71-944F-A92300479DEB} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.33.1
TCP: Interfaces\{56CE361B-EDAE-4A71-944F-A92300479DEB}\2456C6B696E6E253241443 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{56CE361B-EDAE-4A71-944F-A92300479DEB}\86F6573756F666C696768647 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{56CE361B-EDAE-4A71-944F-A92300479DEB}\A45637573764275616B6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{56CE361B-EDAE-4A71-944F-A92300479DEB}\A6563757373716675637 : DHCPNameServer = 71.252.0.12 68.237.161.12
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
SSODL: WebCheck - <orphaned>
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.137\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} -
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
x64-Run: [dleamon.exe] "C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe"
x64-Run: [EzPrint] "C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe"
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
x64-Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - <orphaned>
x64-Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-1-25 268512]
R0 pctDS;PC Tools Data Store;C:\Windows\System32\drivers\pctDS64.sys [2012-3-29 453896]
R0 pctEFA;PC Tools Extended File Attributes;C:\Windows\System32\drivers\pctEFA64.sys [2012-3-29 1096176]
R1 ElRawDisk;ElRawDisk;C:\Windows\System32\drivers\ElRawDsk.sys [2014-1-21 30752]
R2 Browser Defender Update Service;Browser Defender Update Service;C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [2012-7-1 575448]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
R2 ioloSystemService;iolo System Service;C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [2014-5-4 4492776]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 133928]
R2 PDFsFilter;PDFsFilter;C:\Windows\System32\drivers\PDFsFilter.sys [2014-1-21 82160]
R3 btwl2cap;Bluetooth L2CAP Service;C:\Windows\System32\drivers\btwl2cap.sys [2009-8-25 35104]
R3 enecir;ENE CIR Receiver;C:\Windows\System32\drivers\enecir.sys [2009-6-29 70656]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\Windows\System32\drivers\IntcHdmi.sys [2009-12-26 139264]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\drivers\NETw5s64.sys [2010-1-13 7675392]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-3-11 347872]
S2 McMPFSvc;McAfee Personal Firewall Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc --> C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [?]
S3 dleaCATSCustConnectService;dleaCATSCustConnectService;C:\Windows\System32\spool\drivers\x64\3\dleaserv.exe [2009-7-1 45224]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-5-1 111616]
S3 mferkdk;McAfee Inc. mferkdk;C:\Windows\System32\drivers\mferkdk.sys [2010-5-15 40904]
S3 mfesmfk;McAfee Inc. mfesmfk;C:\Windows\System32\drivers\mfesmfk.sys [2010-5-15 49480]
S3 NETw1v64;Intel® Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\NETw1v64.sys [2009-8-25 7058432]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\System32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 PCTBD;PC Tools Browser Defender Driver;C:\Windows\System32\drivers\PCTBD64.sys [2012-7-1 85224]
S3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-8-25 233472]
S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]
S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]
S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]
S3 ssrangdr;ssrangdr;C:\Windows\System32\drivers\ssrangdr.sys [2009-12-13 4608]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-6-23 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-5-6 1255736]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
S4 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [2009-3-2 89600]
S4 Com4QLBEx;Com4QLBEx;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-8-9 228408]
S4 dlea_device;dlea_device;C:\Windows\System32\dleacoms.exe -service --> C:\Windows\System32\dleacoms.exe -service [?]
S4 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2013-12-16 166400]
S4 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2013-12-16 128512]
S4 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2011-5-13 30520]
S4 IHA_MessageCenter;IHA_MessageCenter;C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [2011-12-12 290832]
S4 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2014-1-3 14624]
S4 nlsX86cc;Nalpeiron Licensing Service;C:\Windows\SysWOW64\nlssrv32.exe [2012-11-9 71280]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2013-8-14 39056]
S4 Skype C2C Service;Skype C2C Service;C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-8-14 3291008]
S4 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-9-5 171680]
S4 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~2\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> C:\PROGRA~2\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
=============== Created Last 30 ================
.
2014-05-29 23:46:14 1031560 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1171691C-7866-4C83-A7A5-B8588585B778}\gapaengine.dll
2014-05-29 23:45:58 10702536 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{83E346D8-9664-4AAF-BFFC-FC54818C2A51}\mpengine.dll
2014-05-18 17:43:21 10651704 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-18 17:01:24 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-05-18 17:01:24 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-05-18 16:52:05 477184 ----a-w- C:\Windows\System32\aepdu.dll
2014-05-18 16:52:04 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-05-18 16:44:11 1031560 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{74D0AA69-3CF3-4D9C-9E84-C97BFB3CF24D}\gapaengine.dll
2014-05-18 16:42:08 -------- d-----w- C:\Users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-05-12 02:39:23 -------- d-s---w- C:\Windows\System32\CompatTel
2014-05-12 02:32:22 -------- d-----w- C:\ProgramData\Oracle
2014-05-12 02:31:44 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-05-12 01:59:30 -------- d-----w- C:\Windows\ERUNT
2014-05-12 01:32:58 -------- d-----w- C:\AdwCleaner
2014-05-12 01:23:13 -------- d-----w- C:\TDSSKiller_Quarantine
2014-05-12 00:04:07 119512 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-05-12 00:03:26 88280 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-05-12 00:03:25 63192 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-05-12 00:03:25 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-05-12 00:03:24 -------- d-----w- C:\ProgramData\Malwarebytes
2014-05-12 00:03:24 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-07 20:45:07 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin5.dll
2014-05-07 20:45:07 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin4.dll
2014-05-07 20:45:07 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin3.dll
2014-05-07 20:45:07 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin2.dll
2014-05-07 20:45:07 159744 ----a-w- C:\Program Files\Internet Explorer\Plugins\npqtplugin.dll
2014-05-06 01:21:16 -------- d-----w- C:\Users\Brian Heidi\AppData\Roaming\Afazqiu
2014-05-01 12:59:18 -------- d-sh--w- C:\Users\Brian Heidi\AppData\Local\EmieUserList
2014-05-01 12:59:18 -------- d-sh--w- C:\Users\Brian Heidi\AppData\Local\EmieSiteList
2014-05-01 12:33:40 -------- d-----w- C:\87111f52eea4d99f6199e8d5e42a7e47
2014-05-01 12:14:22 359936 ----a-w- C:\Program Files\Internet Explorer\IEShims.dll
2014-05-01 12:14:22 257536 ----a-w- C:\Program Files (x86)\Internet Explorer\IEShims.dll
2014-05-01 12:14:00 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-05-01 12:14:00 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-05-01 12:12:59 8011776 ----a-w- C:\Program Files\Internet Explorer\F12Resources.dll
2014-05-01 12:03:16 -------- d-----w- C:\b679b0456f01dded5a93bca559b92a
.
==================== Find3M  ====================
.
2014-05-12 01:24:02 512000 ----a-w- C:\Windows\System32\rpcss.dll
2014-05-01 11:59:37 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-01 11:59:37 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-04-30 14:24:54 57584 ----a-w- C:\Windows\System32\iolobtdfg.exe
2014-04-30 14:24:46 26184 ----a-w- C:\Windows\System32\smrgdf.exe
2014-04-30 14:08:36 2155152 ----a-w- C:\Windows\System32\Incinerator64.dll
2014-04-30 14:08:34 2097984 ----a-w- C:\Windows\SysWow64\Incinerator32.dll
2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37 28160 ----a-w- C:\Windows\System32\secur32.dll
2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05 31232 ----a-w- C:\Windows\System32\lsass.exe
2014-04-12 02:12:06 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-03-11 13:52:30 133928 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2014-03-06 09:31:33 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-06 08:59:04 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-06 08:57:20 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:29:40 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:11:41 5784064 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-06 08:02:34 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:01:01 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36 4254720 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15 2043904 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39 1967104 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40 2260480 ----a-w- C:\Windows\System32\wininet.dll
2014-03-06 05:41:49 1789440 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-03-04 09:47:01 5550016 ----a-w- C:\Windows\System32\ntoskrnl.exe
2014-03-04 09:44:21 362496 ----a-w- C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21 243712 ----a-w- C:\Windows\System32\wow64.dll
2014-03-04 09:44:21 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:20 39936 ----a-w- C:\Windows\System32\wincredprovider.dll
2014-03-04 09:44:10 210944 ----a-w- C:\Windows\System32\wdigest.dll
2014-03-04 09:44:08 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2014-03-04 09:44:06 340992 ----a-w- C:\Windows\System32\schannel.dll
2014-03-04 09:44:03 722944 ----a-w- C:\Windows\System32\objsel.dll
2014-03-04 09:44:03 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2014-03-04 09:44:03 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2014-03-04 09:44:00 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-03-04 09:44:00 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2014-03-04 09:43:56 57344 ----a-w- C:\Windows\System32\cngprovider.dll
2014-03-04 09:43:56 52736 ----a-w- C:\Windows\System32\dpapiprovider.dll
2014-03-04 09:43:56 44544 ----a-w- C:\Windows\System32\dimsroam.dll
2014-03-04 09:43:56 22016 ----a-w- C:\Windows\System32\credssp.dll
2014-03-04 09:43:55 56832 ----a-w- C:\Windows\System32\adprovider.dll
2014-03-04 09:43:55 53760 ----a-w- C:\Windows\System32\capiprovider.dll
2014-03-04 09:43:50 455168 ----a-w- C:\Windows\System32\winlogon.exe
2014-03-04 09:20:11 3969984 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2014-03-04 09:20:11 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2014-03-04 09:16:54 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2014-03-04 09:16:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2014-03-04 08:09:30 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29 2048 ----a-w- C:\Windows\SysWow64\user.exe
.
============= FINISH: 20:23:49.05 ===============
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-06-2014 01
Ran by Brian Heidi at 2014-06-01 21:13:19
Running from C:\Users\Brian Heidi\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: Anti-Virus and Anti-Spyware (Enabled - Up to date) {86355677-4064-3EA7-ABB3-1B136EB04637}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Anti-Virus and Anti-Spyware (Enabled - Up to date) {3D54B793-665E-3129-9103-206115370C8A}
FW: Firewall (Enabled) {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

==================== Installed Programs ======================

Adobe Flash Player 13 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 13.0.0.206 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.06 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Browser Guard 4.0 (HKLM-x32\...\Browser Defender_is1) (Version: 4.0.0.1588 - PC Tools)
Cisco Connect (HKLM-x32\...\Cisco Connect) (Version: 1.0.10028.0 - Cisco Consumer Products LLC)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CyberLink DVD Suite (HKLM-x32\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 6.0.3101 - CyberLink Corp.)
CyberLink DVD Suite (x32 Version: 6.0.3101 - CyberLink Corp.) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dell V310-V510 Series (HKLM\...\Dell V310-V510 Series) (Version:  - Dell, Inc.)
Dropbox (HKCU\...\Dropbox) (Version: 2.8.2 - Dropbox, Inc.)
ENE CIR Receiver Driver (HKLM\...\FFE7D41DF3C645075BB149E21988B63996C34187) (Version: 2.7.4.0 - ENE)
Epson Event Manager (HKLM-x32\...\{03B8AA32-F23C-4178-B8E6-09ECD07EAA47}) (Version: 2.40.0001 - SEIKO EPSON CORPORATION)
EPSON NX420 Series Printer Uninstall (HKLM\...\EPSON NX420 Series) (Version:  - SEIKO EPSON Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EpsonNet Setup 3.3 (HKLM-x32\...\{C9D8A041-2963-4B31-8FFC-1500F3DB9293}) (Version: 3.3b - SEIKO EPSON CORPORATION)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 35.0.1916.114 - Google Inc.)
Google Update Helper (x32 Version: 1.3.24.7 - Google Inc.) Hidden
HP 3D DriveGuard (HKLM\...\{85A42FF0-F0D0-44A3-B226-C124D6E8B1D5}) (Version: 4.0.3.1 - Hewlett-Packard)
HP Advisor (HKLM-x32\...\{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}) (Version: 3.3.12286.3436 - Hewlett-Packard)
HP Customer Experience Enhancements (x32 Version: 6.0.1.3 - Hewlett-Packard) Hidden
HP Integrated Module with Bluetooth wireless technology (HKLM\...\{9E9D49A4-1DF4-4138-B7DB-5D87A893088E}) (Version: 6.2.0.9602 - Broadcom Corporation)
HP MediaSmart DVD (HKLM-x32\...\InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}) (Version: 3.0.3123 - Hewlett-Packard)
HP MediaSmart DVD (x32 Version: 3.0.3123 - Hewlett-Packard) Hidden
HP MediaSmart Internet TV (HKLM-x32\...\InstallShield_{E553760D-D7F7-48BF-BD8B-C7E23BA04CB5}) (Version: 3.0.1916 - Hewlett-Packard)
HP MediaSmart Internet TV (x32 Version: 3.0.1916 - Hewlett-Packard) Hidden
HP MediaSmart Live TV (HKLM-x32\...\InstallShield_{67626E09-5366-4480-8F1E-93FADF50CA15}) (Version: 3.0.1924 - Hewlett-Packard)
HP MediaSmart Live TV (x32 Version: 3.0.1924 - Hewlett-Packard) Hidden
HP MediaSmart Movie Themes (HKLM-x32\...\InstallShield_{3023EBDA-BF1B-4831-B347-E5018555F26E}) (Version: 3.0.3102 - Hewlett-Packard)
HP MediaSmart Movie Themes (x32 Version: 3.0.3102 - Hewlett-Packard) Hidden
HP MediaSmart Music/Photo/Video (HKLM-x32\...\InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}) (Version: 3.0.3123 - Hewlett-Packard)
HP MediaSmart Music/Photo/Video (x32 Version: 3.0.3123 - Hewlett-Packard) Hidden
HP MediaSmart SlingPlayer (HKLM-x32\...\{90F6051D-A69F-4159-9203-7E20430E1056}) (Version: 2.1.1.60 - Sling Media, Inc.)
HP MediaSmart SmartMenu (HKLM\...\{88E60521-1E4E-4785-B9F1-1798A4BD0C30}) (Version: 3.0.30.1 - Hewlett-Packard)
HP MediaSmart Software Notebook Demo (HKLM-x32\...\{82A213BD-B6AA-4281-A2D3-59D51893CC56}) (Version: 1.00.0000 - Hewlett-Packard)
HP MediaSmart Webcam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.0.1913 - Hewlett-Packard)
HP MediaSmart Webcam (x32 Version: 3.0.1913 - Hewlett-Packard) Hidden
HP Quick Launch Buttons (HKLM-x32\...\{34D2AB40-150D-475D-AE32-BD23FB5EE355}) (Version: 6.50.12.1 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{F3B912F5-EB57-45AA-B3D1-EB532BCF6EF8}) (Version: 1.2.3220.3079 - Hewlett-Packard)
HP Smart Web Printing (HKLM-x32\...\HP Smart Web Printing) (Version: 131.1.35898 - Hewlett-Packard)
HP Smart Web Printing (x32 Version: 131.1.35898 - Hewlett-Packard) Hidden
HP Update (HKLM-x32\...\{D46D081B-F60E-467E-A7C4-117B70D76731}) (Version: 5.001.000.014 - Hewlett-Packard)
HP User Guides 0154 (HKLM-x32\...\{B51605BF-6326-4553-AE96-6D7F1813D5F5}) (Version: 1.01.0001 - Hewlett-Packard)
HP Wireless Assistant (HKLM-x32\...\{54CC7901-804D-4155-B353-21F0CC9112AB}) (Version: 3.50.9.1 - Hewlett-Packard)
HTC Driver Installer (HKLM-x32\...\{6D6664A9-3342-4948-9B7E-034EFE366F0F}) (Version: 2.0.7.018 - HTC Corporation)
HTC Sync (HKLM-x32\...\{DFAA3C20-5968-46A3-B7B0-0AF72D758A59}) (Version: 2.0.40 - HTC Corporation)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6230.0 - IDT)
IHA_MessageCenter (HKLM-x32\...\{53C49C8D-DFB2-42B9-A7EF-0F9CA386CC13}) (Version: 1.8.17 - Verizon)
Info Center 1.0.0.6 (HKLM-x32\...\Info Center_is1) (Version: 1.0.0.6 - PC Pitstop LLC)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1883 - Intel Corporation)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
iolo technologies' System Mechanic (HKLM-x32\...\{55FD1D5A-7AEF-4DA3-8FAF-A71B2A52FFC7}_is1) (Version: 12.7.1 - iolo technologies, LLC)
Java 7 Update 55 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217055FF}) (Version: 7.0.550 - Oracle)
Java Auto Updater (x32 Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.1913 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.1913 - CyberLink Corp.) Hidden
LightScribe System Software (HKLM-x32\...\{82EF29B1-9B60-4142-A155-0599216DD053}) (Version: 1.18.6.1 - LightScribe)
Malwarebytes Anti-Malware version 2.0.1.1004 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.1.1004 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office Home and Student 60 day trial (HKLM\...\OfficeTrial) (Version:  - )
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM-x32\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (HKLM-x32\...\{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}) (Version: 9.7.0621 - Microsoft Corporation)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nalpeiron Service Update (HKLM-x32\...\Nalpeiron Service Update) (Version: 1.3 - Nalpeiron)
Nalpeiron Service Update (x32 Version: 1.3 - Nalpeiron) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.3101 - CyberLink Corp.)
Power2Go (x32 Version: 6.0.3101 - CyberLink Corp.) Hidden
PowerDirector (HKLM-x32\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 7.0.3101 - CyberLink Corp.)
PowerDirector (x32 Version: 7.0.3101 - CyberLink Corp.) Hidden
PowerRecover (x32 Version: 5.5.1923 - CyberLink Corp.) Hidden
QLBCASL (x32 Version: 6.40.17.2 - Hewlett-Packard) Hidden
QuickBooks (x32 Version: 20.0.4017.807 - Intuit Inc.) Hidden
QuickBooks Pro 2010 (HKLM-x32\...\{0700E22B-A422-40A5-BD20-04BF618CA0F9}) (Version: 20.0.4017.807 - Intuit Inc.)
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
RealDownloader (x32 Version: 1.3.3 - RealNetworks, Inc.) Hidden
RealNetworks - Microsoft Visual C++ 2008 Runtime (x32 Version: 9.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (x32 Version: 10.0 - RealNetworks, Inc) Hidden
RealPlayer (HKLM-x32\...\RealPlayer 16.0) (Version: 16.0.3 - RealNetworks)
Realtek 8136 8168 8169 Ethernet Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0007 - Realtek)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7100.30094 - Realtek Semiconductor Corp.)
RealUpgrade 1.1 (x32 Version: 1.1.0 - RealNetworks, Inc.) Hidden
Skype Click to Call (HKLM-x32\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.13.13771 - Skype Technologies S.A.)
Skype™ 6.11 (HKLM-x32\...\{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}) (Version: 6.11.102 - Skype Technologies S.A.)
SoftCafe MenuPro 9 (HKLM-x32\...\{B62AC3D0-A9C7-447D-81FC-2BC2D3B6C700}) (Version: 9.00.0008 - SoftCafe, LLC)
Software for Scanners (HKLM-x32\...\{B8726461-A7C6-4628-A67C-FE5FC5FB3E9F}) (Version: 0.08.0018 - BuTel Software)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.29.0 - Synaptics Incorporated)
TheSkyX First Light Edition (HKLM-x32\...\{ECE3188A-3B11-4332-B1B9-43FAA9A02626}) (Version: 10.0.2 - Software Bisque, Inc.)
TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2012 WinPerFedFormset (x32 Version: 012.000.2114 - Intuit Inc.) Hidden
TurboTax 2012 WinPerReleaseEngine (x32 Version: 012.000.0451 - Intuit Inc.) Hidden
TurboTax 2012 WinPerTaxSupport (x32 Version: 012.000.0179 - Intuit Inc.) Hidden
TurboTax 2012 wrapper (x32 Version: 012.000.0127 - Intuit Inc.) Hidden
TurboTax 2012 wvaiper (x32 Version: 012.000.1354 - Intuit Inc.) Hidden
TurboTax 2013 (HKLM-x32\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax 2013 WinPerFedFormset (x32 Version: 013.000.1986 - Intuit Inc.) Hidden
TurboTax 2013 WinPerReleaseEngine (x32 Version: 013.000.0492 - Intuit Inc.) Hidden
TurboTax 2013 WinPerTaxSupport (x32 Version: 013.000.0168 - Intuit Inc.) Hidden
TurboTax 2013 wrapper (x32 Version: 013.000.0135 - Intuit Inc.) Hidden
TurboTax 2013 wvaiper (x32 Version: 013.000.1286 - Intuit Inc.) Hidden
Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00) (HKLM\...\3134FEF0E1D959EC0CC2E458C94B7057B2AC0CC9) (Version: 10/22/2009 2.06.00 - FTDI)
Windows Driver Package - FTDI CDM Driver Package (10/22/2009 2.06.00) (HKLM\...\88EB56038379B8B7DCFB4D2448A60F52E064B265) (Version: 10/22/2009 2.06.00 - FTDI)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3538.0513 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Messenger (x32 Version: 15.4.3538.0513 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

==================== Restore Points  =========================

12-05-2014 02:18:22 Windows Update
12-05-2014 02:30:26 Installed Java 7 Update 55
12-05-2014 02:39:05 Windows Update
12-05-2014 02:41:19 Windows Update
18-05-2014 16:41:04 Windows Update
18-05-2014 16:57:10 Windows Update
18-05-2014 17:42:24 Windows Update
18-05-2014 17:44:28 Windows Update
18-05-2014 17:48:45 Removed Acrobat.com
18-05-2014 17:49:53 Windows Update
18-05-2014 18:08:43 Windows Update
18-05-2014 19:18:31 Windows Update
29-05-2014 23:44:32 Windows Update
30-05-2014 07:00:10 Windows Update
31-05-2014 07:00:10 Windows Update
01-06-2014 07:00:10 Windows Update

==================== Hosts content: ==========================

2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {009A4F00-6365-42D4-BE49-28FCCEC4FE49} - \Security Center Update - 2914082406 No Task File <==== ATTENTION
Task: {057CD269-5303-41BB-8B01-73F82018DDBB} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {121EF6FC-AE99-4C52-A4CD-B6F92E2F533B} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-3693674917-764092900-2463050806-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {1E65F99F-7A01-4250-9988-0A81F4A98074} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-12-21] (Google Inc.)
Task: {2929B3A5-BDDB-4939-AEC6-E6325D2F8C40} - System32\Tasks\iolo Process Governor => C:\Program Files (x86)\iolo\System Mechanic\iologovernor64.exe [2014-04-30] (iolo technologies, LLC)
Task: {4C218E00-DE28-41E5-AB3E-480D9D41AC76} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-12-21] (Google Inc.)
Task: {66917E56-F07D-4BB8-A3C2-25C81E436236} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3693674917-764092900-2463050806-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {7A824AE4-E6AE-4DEF-BF35-0189FD35109A} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-3693674917-764092900-2463050806-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {82C5F2D4-0469-4A87-8173-AAC957357B27} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {88122E44-F6E5-4989-887F-976751D55184} - System32\Tasks\CapSchedInst => c:\Program Files (x86)\Hewlett-Packard\Media\Live TV\Kernel\TV\CapSchedInst.exe [2009-07-24] (CL)
Task: {906A08DD-E017-48F0-9F7B-6975FC5714AA} - System32\Tasks\CapSvcInst => c:\Program Files (x86)\Hewlett-Packard\Media\Live TV\Kernel\TV\CapSvcInst.exe [2009-07-24] (CL)
Task: {94759054-DB60-4EF6-BA56-F1D09CC25B05} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-05-01] (Adobe Systems Incorporated)
Task: {97FBA0E4-3DCE-49BE-B249-4C708F6EBCD6} - System32\Tasks\Hewlett-Packard\HP Assistant\HPSA Upgrade => C:\ProgramData\Hewlett-Packard\HPSAUpgrade3\HpSAUpgrade.exe [2011-08-11] (Hewlett-Packard)
Task: {A84D87D7-50B2-40E2-A842-D1523D92A4CC} - System32\Tasks\DVDAgent => c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe [2009-07-23] (CyberLink Corp.)
Task: {C772CEEC-2B72-4E2C-844C-D1F2814A08AE} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-3693674917-764092900-2463050806-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe [2013-08-14] (RealNetworks, Inc.)
Task: {D883F30E-632C-487E-83B0-BCE960BC129F} - System32\Tasks\TVAgent => c:\Program Files (x86)\Hewlett-Packard\Media\Live TV\TVAgent.exe [2009-07-24] (CyberLink Corp.)
Task: {DA268610-524D-4128-ADD8-FF08BCFB1F03} - System32\Tasks\CLMLSvc => c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe [2009-07-23] (CyberLink)
Task: {E64BA1DD-2B74-4207-A43B-DDE654634954} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3693674917-764092900-2463050806-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {F8CE1758-D2C7-4E47-83DE-94DD4EC05923} - System32\Tasks\CapUninst => c:\Program Files (x86)\Hewlett-Packard\Media\Live TV\Kernel\TV\CapUninst.exe [2009-07-24] (CL)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2010-05-15 14:40 - 2009-11-04 13:18 - 00189440 _____ () C:\Windows\system32\spool\PRTPROCS\x64\dleadrpp.dll
2009-07-30 20:42 - 2009-07-30 20:42 - 00173344 _____ () C:\Program Files\WIDCOMM\Bluetooth Software\btkeyind.dll
2009-07-21 13:34 - 2009-07-21 13:34 - 00610872 _____ () C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
2010-05-15 14:47 - 2010-08-09 10:32 - 00770728 _____ () C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe
2010-05-15 14:47 - 2010-08-09 10:32 - 00139944 _____ () C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe
2012-07-01 18:08 - 2012-06-14 12:31 - 00108504 _____ () C:\Program Files (x86)\PC Tools Security\BDT\BSPatch.dll
2012-07-01 18:08 - 2012-06-14 12:31 - 00767960 _____ () C:\Windows\BDTSupport.dll
2010-05-15 14:47 - 2009-11-26 04:49 - 00086180 _____ () C:\Program Files (x86)\Dell V310-V510 Series\dleacfg.dll
2010-05-15 14:47 - 2010-04-01 13:23 - 00389120 _____ () C:\Program Files (x86)\Dell V310-V510 Series\dleascw.dll
2010-05-15 14:47 - 2009-05-27 08:16 - 00192512 _____ () C:\Program Files (x86)\Dell V310-V510 Series\dleadatr.dll
2010-05-15 14:47 - 2009-05-27 08:13 - 00081920 _____ () C:\Program Files (x86)\Dell V310-V510 Series\dleacats.dll
2010-05-15 14:47 - 2010-04-01 13:24 - 01159168 _____ () C:\Program Files (x86)\Dell V310-V510 Series\dleaDRS.dll
2010-05-15 14:47 - 2009-03-10 01:43 - 00155648 _____ () C:\Program Files (x86)\Dell V310-V510 Series\dleacaps.dll
2010-05-15 14:47 - 2009-03-05 13:55 - 00059904 _____ () C:\Program Files (x86)\Dell V310-V510 Series\dleacnv4.dll
2010-05-15 14:47 - 2009-06-22 09:08 - 00708608 _____ () C:\Program Files (x86)\Dell V310-V510 Series\Epwizard.DLL
2010-05-15 14:47 - 2009-06-22 09:06 - 00159744 _____ () C:\Program Files (x86)\Dell V310-V510 Series\customui.dll
2010-05-15 14:47 - 2009-06-22 09:06 - 00114688 _____ () C:\Program Files (x86)\Dell V310-V510 Series\Eputil.DLL
2010-05-15 14:47 - 2009-06-22 09:05 - 00139264 _____ () C:\Program Files (x86)\Dell V310-V510 Series\Imagutil.DLL
2010-05-15 14:47 - 2009-06-22 09:06 - 00061440 _____ () C:\Program Files (x86)\Dell V310-V510 Series\Epfunct.DLL
2010-05-15 14:47 - 2009-06-22 09:08 - 02203648 _____ () C:\Program Files (x86)\Dell V310-V510 Series\EPWizRes.dll
2010-05-15 14:47 - 2009-06-22 09:08 - 00045056 _____ () C:\Program Files (x86)\Dell V310-V510 Series\epstring.dll
2010-05-15 14:47 - 2009-06-22 09:08 - 00196608 _____ () C:\Program Files (x86)\Dell V310-V510 Series\EPOEMDll.dll
2010-05-15 14:47 - 2009-04-07 15:25 - 00409600 _____ () C:\Program Files (x86)\Dell V310-V510 Series\iptk.dll
2010-05-15 14:48 - 2009-03-02 10:25 - 00151552 _____ () C:\Program Files (x86)\Dell V310-V510 Series\dleaptp.dll
2014-05-29 19:43 - 2014-05-29 19:43 - 00043008 _____ () C:\Users\Brian Heidi\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpybqivr.dll
2013-08-23 15:01 - 2013-08-23 15:01 - 25100288 _____ () C:\Users\Brian Heidi\AppData\Roaming\Dropbox\bin\libcef.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\ProgramData\Temp:430C6D84
AlternateDataStreams: C:\ProgramData\Temp:DFC5A2B2

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\12563266.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\12563266.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ioloSystemService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MpfService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

==================== Disabled items from MSCONFIG ==============

==================== Faulty Device Manager Devices =============

Name: PC Tools Spyware Doctor Driver
Description: PC Tools Spyware Doctor Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: PCTSD
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (06/01/2014 07:00:02 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: The backup did not complete because of an error writing to the backup location F:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

Error: (06/01/2014 03:00:49 AM) (Source: MsiInstaller) (EventID: 1024) (User: NT AUTHORITY)
Description: Product: Microsoft Office Word Viewer 2003 - Update 'Security Update for Word Viewer (KB2878304): WORDVIEW' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (05/31/2014 08:38:12 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/31/2014 03:00:38 AM) (Source: MsiInstaller) (EventID: 1024) (User: NT AUTHORITY)
Description: Product: Microsoft Office Word Viewer 2003 - Update 'Security Update for Word Viewer (KB2878304): WORDVIEW' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (05/30/2014 08:48:11 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/30/2014 03:00:34 AM) (Source: MsiInstaller) (EventID: 1024) (User: NT AUTHORITY)
Description: Product: Microsoft Office Word Viewer 2003 - Update 'Security Update for Word Viewer (KB2878304): WORDVIEW' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (05/29/2014 07:42:56 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: The backup did not complete because of an error writing to the backup location F:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

Error: (05/29/2014 07:35:05 PM) (Source: SecurityCenter) (EventID: 3) (User: )
Description: The Windows Security Center Service was unable to establish event queries with WMI to monitor third party AntiVirus, AntiSpyware and Firewall.

Error: (05/29/2014 07:33:10 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/18/2014 03:18:48 PM) (Source: MsiInstaller) (EventID: 1024) (User: NT AUTHORITY)
Description: Product: Microsoft Office Word Viewer 2003 - Update 'Security Update for Word Viewer (KB2878304): WORDVIEW' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

System errors:
=============
Error: (06/01/2014 01:09:04 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.175.963.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.5.0216.00

 Source Path: 4.5.0216.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (06/01/2014 00:59:06 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.175.963.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.5.0216.00

 Source Path: 4.5.0216.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (06/01/2014 03:01:13 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Word Viewer (KB2878304).

Error: (05/31/2014 07:32:24 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

 New Signature Version:

 Previous Signature Version: 1.175.963.0

 Update Source: %NT AUTHORITY59

 Update Stage: 4.5.0216.00

 Source Path: 4.5.0216.01

 Signature Type: %NT AUTHORITY602

 Update Type: %NT AUTHORITY604

 User: NT AUTHORITY\SYSTEM

 Current Engine Version: %NT AUTHORITY605

 Previous Engine Version: %NT AUTHORITY606

 Error code: %NT AUTHORITY607

 Error description: %NT AUTHORITY608

Error: (05/31/2014 03:01:01 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Word Viewer (KB2878304).

Error: (05/30/2014 03:00:59 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Word Viewer (KB2878304).

Error: (05/29/2014 07:57:28 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The PC Tools Browser Defender Driver service depends the following service: PCTCore. This service might not be installed.

Error: (05/29/2014 07:56:58 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The PC Tools Browser Defender Driver service depends the following service: PCTCore. This service might not be installed.

Error: (05/29/2014 07:56:28 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The PC Tools Browser Defender Driver service depends the following service: PCTCore. This service might not be installed.

Error: (05/29/2014 07:55:58 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The PC Tools Browser Defender Driver service depends the following service: PCTCore. This service might not be installed.

Microsoft Office Sessions:
=========================
Error: (06/01/2014 07:00:02 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: F:\The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006)

Error: (06/01/2014 03:00:49 AM) (Source: MsiInstaller) (EventID: 1024) (User: NT AUTHORITY)
Description: Microsoft Office Word Viewer 2003Security Update for Word Viewer (KB2878304): WORDVIEW1603(NULL)(NULL)(NULL)

Error: (05/31/2014 08:38:12 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}\recordingmanager.exe

Error: (05/31/2014 03:00:38 AM) (Source: MsiInstaller) (EventID: 1024) (User: NT AUTHORITY)
Description: Microsoft Office Word Viewer 2003Security Update for Word Viewer (KB2878304): WORDVIEW1603(NULL)(NULL)(NULL)

Error: (05/30/2014 08:48:11 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}\recordingmanager.exe

Error: (05/30/2014 03:00:34 AM) (Source: MsiInstaller) (EventID: 1024) (User: NT AUTHORITY)
Description: Microsoft Office Word Viewer 2003Security Update for Word Viewer (KB2878304): WORDVIEW1603(NULL)(NULL)(NULL)

Error: (05/29/2014 07:42:56 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: F:\The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006)

Error: (05/29/2014 07:35:05 PM) (Source: SecurityCenter) (EventID: 3) (User: )
Description:

Error: (05/29/2014 07:33:10 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}\recordingmanager.exe

Error: (05/18/2014 03:18:48 PM) (Source: MsiInstaller) (EventID: 1024) (User: NT AUTHORITY)
Description: Microsoft Office Word Viewer 2003Security Update for Word Viewer (KB2878304): WORDVIEW1603(NULL)(NULL)(NULL)

==================== Memory info ===========================

Percentage of memory in use: 37%
Total physical RAM: 3999.19 MB
Available physical RAM: 2486.77 MB
Total Pagefile: 7996.55 MB
Available Pagefile: 6035.7 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:285.13 GB) (Free:223.33 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (RECOVERY) (Fixed) (Total:12.76 GB) (Free:2.13 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 2169E425)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=285 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13 GB) - (Type=07 NTFS)

==================== End Of Log ============================

#4 TheShooter93

TheShooter93

    Cody

  • Malware Response Team
  • 4,792 posts
  • Gender:Male
  • Location:Orlando, Florida

Posted 01 June 2014 - 09:46 PM

Hello ozeal,

I believe you have mistakenly posted the DDS log instead of the primary FRST Scan Log (FRST.txt).

Please post FRST.txt for me to analyze.

------------------------

Also, just to confirm, you currently have no symptoms?


Edited by TheShooter93, 01 June 2014 - 09:49 PM.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

#5 ozeal

ozeal
  • Topic Starter

  • Members
  • 12 posts

Posted 02 June 2014 - 05:14 AM

Yes, no outward symptoms I see... Overall, after talking more, he said the laptop was off for over a year when he started to see problems.

Sorry, here it is..

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-06-2014 01
Ran by Brian Heidi (administrator) on BRIANHEIDI-PC on 01-06-2014 21:12:17
Running from C:\Users\Brian Heidi\Desktop
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\System Mechanic\ioloGovernor64.exe
(Threat Expert Ltd.) C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
() C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
() C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Dropbox, Inc.) C:\Users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2010\QBDBMgr.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610872 2009-07-21] ()
HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [dleamon.exe] => C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe [770728 2010-08-09] ()
HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe [139944 2010-08-09] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-23] (IDT, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1439496 2010-10-19] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Runonce: [SMRequiresRestart] -  [X]
HKLM-x32\...\Runonce: [4FA12186-8D89-4137-B5DF-B472F6A69F8B] -  [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\.DEFAULT\...\Policies\system: [WallpaperStyle] 2
HKU\S-1-5-21-3693674917-764092900-2463050806-1000\...\Run: [netObjUsb64] => rundll32.exe "C:\Users\Brian Heidi\AppData\Roaming\netObjUsb64\netObjUsb64.dll",Uspsvc90 AvpServices90 <===== ATTENTION
HKU\S-1-5-21-3693674917-764092900-2463050806-1000\...\Run: [RunIt] => "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" about:newaddon?id={64d64833-9296-421b-a362-83cfbd6291b6}
HKU\S-1-5-21-3693674917-764092900-2463050806-1000\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_206_ActiveX.exe [533680 2014-05-01] (Adobe Systems Incorporated)
HKU\S-1-5-21-3693674917-764092900-2463050806-1000\...\Policies\system: [WallpaperStyle] 2
HKU\S-1-5-21-3693674917-764092900-2463050806-1000\...\MountPoints2: {c3e8c5ab-4c76-11df-b156-0027134cbe92} - F:\LaunchU3.exe -a
HKU\S-1-5-21-3693674917-764092900-2463050806-1000\...\MountPoints2: {c4f0b55f-9153-11de-9171-806e6f6e6963} - E:\setup.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=OIE9MSE&PC=UP09
URLSearchHook: HKCU - PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKCU - DefaultScope {B49CAB8F-6EC1-44C3-9ED5-21F4DA4E6E57} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKCU - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL =
SearchScopes: HKCU - {B49CAB8F-6EC1-44C3-9ED5-21F4DA4E6E57} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: HKLM-x32 {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.33.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=16.0.3.51 - c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=16.0.3.51 - c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2009-08-09]
FF HKLM-x32\...\Firefox\Extensions: [{cb84136f-9c44-433a-9048-c5cd9df1dc16}] - C:\Program Files (x86)\PC Tools Security\BDT\Firefox\
FF Extension: Browser Guard Toolbar - C:\Program Files (x86)\PC Tools Security\BDT\Firefox\ []
FF HKLM-x32\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ []
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-09-08]

Chrome:
=======
CHR HomePage:
CHR Extension: (Google Docs) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-12-21]
CHR Extension: (Google Drive) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-12-21]
CHR Extension: (YouTube) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-12-21]
CHR Extension: (Google Search) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-12-21]
CHR Extension: (RealDownloader) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-12-21]
CHR Extension: (Skype Click to Call) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-12-21]
CHR Extension: (Google Wallet) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-21]
CHR Extension: (Gmail) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-12-21]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]

==================== Services (Whitelisted) =================

S4 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
R2 Browser Defender Update Service; C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [575448 2012-06-14] (Threat Expert Ltd.)
S3 dleaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [45224 2010-05-21] ()
S4 dlea_device; C:\Windows\system32\dleacoms.exe [1052328 2010-05-21] ( )
S4 dlea_device; C:\Windows\SysWOW64\dleacoms.exe [598696 2010-05-21] ( )
S4 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [290832 2011-12-12] (Verizon)
R2 ioloSystemService; C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [4492776 2014-04-30] (iolo technologies, LLC)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S4 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S4 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-01-21] ()
S4 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe [247808 2010-03-23] (IDT, Inc.)
S4 VideoAcceleratorService; C:\Program Files (x86)\SpeedBit Video Accelerator\VideoAcceleratorService.exe [281768 2013-12-20] (SPEEDbit)
S2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [X]

==================== Drivers (Whitelisted) ====================

R1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [30752 2013-12-03] (EldoS Corporation)
S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [40904 2010-03-04] (McAfee, Inc.)
S3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [49480 2010-03-04] (McAfee, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
R1 MPFP; C:\Windows\System32\Drivers\Mpfp.sys [176144 2009-07-16] (McAfee, Inc.)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 PCTBD; C:\Windows\System32\Drivers\PCTBD64.sys [85224 2012-06-14] (PC Tools)
R0 pctDS; C:\Windows\System32\drivers\pctDS64.sys [453896 2012-02-28] (PC Tools)
R0 pctEFA; C:\Windows\System32\drivers\pctEFA64.sys [1096176 2012-02-28] (PC Tools)
S3 ssrangdr; C:\Windows\System32\DRIVERS\ssrangdr.sys [4608 2009-12-13] (SupportSoft Inc.)
U4 eabfiltr;
S1 gabkbmlq; \??\C:\Windows\system32\drivers\gabkbmlq.sys [X]
S1 PCTSD; System32\Drivers\PCTSD64.sys [X]
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S0 TfFsMon; system32\drivers\TfFsMon.sys [X]
S3 TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [X]
S0 TFSysMon; system32\drivers\TfSysMon.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-01 21:12 - 2014-06-01 21:12 - 00016592 _____ () C:\Users\Brian Heidi\Desktop\FRST.txt
2014-06-01 21:11 - 2014-06-01 21:12 - 00000000 ____D () C:\FRST
2014-06-01 21:10 - 2014-06-01 21:10 - 02067456 _____ (Farbar) C:\Users\Brian Heidi\Desktop\FRST64.exe
2014-05-18 13:01 - 2014-05-06 00:40 - 23544320 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-18 13:01 - 2014-05-06 00:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-18 13:01 - 2014-05-05 23:25 - 17382912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-18 13:01 - 2014-05-05 23:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-18 13:01 - 2014-05-05 23:00 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-05-18 13:01 - 2014-05-05 22:10 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-18 12:52 - 2014-05-09 02:14 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-18 12:52 - 2014-05-09 02:11 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-05-18 12:52 - 2014-03-24 22:43 - 14175744 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-05-18 12:52 - 2014-03-24 22:09 - 12874240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2014-05-18 12:51 - 2014-04-11 22:22 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-05-18 12:51 - 2014-04-11 22:22 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2014-05-18 12:51 - 2014-04-11 22:19 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-05-18 12:51 - 2014-04-11 22:19 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2014-05-18 12:51 - 2014-04-11 22:19 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2014-05-18 12:51 - 2014-04-11 22:19 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2014-05-18 12:51 - 2014-04-11 22:19 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2014-05-18 12:51 - 2014-04-11 22:12 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-05-18 12:51 - 2014-04-11 22:10 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-05-18 12:51 - 2014-03-04 05:47 - 05550016 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2014-05-18 12:51 - 2014-03-04 05:44 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00722944 _____ (Microsoft Corporation) C:\Windows\system32\objsel.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\wincredprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-05-18 12:51 - 2014-03-04 05:43 - 00057344 _____ (Microsoft Corporation) C:\Windows\system32\cngprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\adprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\capiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\dpapiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\dimsroam.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-05-18 12:51 - 2014-03-04 05:20 - 03969984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2014-05-18 12:51 - 2014-03-04 05:20 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2014-05-18 12:51 - 2014-03-04 05:17 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\objsel.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cngprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\capiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpapiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dimsroam.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wincredprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-05-18 12:51 - 2014-03-04 05:16 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2014-05-18 12:42 - 2014-05-29 19:43 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-05-11 22:39 - 2014-05-18 13:27 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-05-11 22:32 - 2014-05-11 22:32 - 00000000 ____D () C:\ProgramData\Oracle
2014-05-11 22:31 - 2014-05-11 22:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-05-11 22:31 - 2014-05-11 22:30 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-05-11 22:31 - 2014-05-11 22:30 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-05-11 22:31 - 2014-05-11 22:30 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-05-11 22:31 - 2014-05-11 22:30 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-05-11 22:24 - 2014-05-11 22:24 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Oracle
2014-05-11 21:59 - 2014-05-11 21:59 - 00000000 ____D () C:\Windows\ERUNT
2014-05-11 21:32 - 2014-05-11 21:53 - 00000000 ____D () C:\AdwCleaner
2014-05-11 21:23 - 2014-05-11 21:23 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-05-11 20:04 - 2014-05-11 22:07 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-11 20:03 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-05-11 20:03 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-05-11 20:03 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-05-07 16:44 - 2014-05-07 16:45 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-05-07 16:44 - 2014-05-07 16:44 - 00001845 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-05-07 16:44 - 2014-05-07 16:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-05-07 16:44 - 2014-05-07 16:44 - 00000000 ____D () C:\ProgramData\Apple Computer
2014-05-05 21:57 - 2014-05-11 20:07 - 00000079 _____ () C:\Windows\system32\pkftvod.uao
2014-05-05 21:46 - 2014-05-05 21:46 - 00000064 _____ () C:\Windows\system32\armthqp.jlt
2014-05-05 21:46 - 2014-05-05 21:46 - 00000000 _____ () C:\Windows\system32\szweexz.lms
2014-05-05 21:21 - 2014-05-11 19:54 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Afazqiu
2014-05-05 21:19 - 2014-05-05 21:19 - 00306562 ____S () C:\Windows\system32\qrezpcg.uml
2014-05-04 22:44 - 2014-05-05 23:37 - 00003362 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3693674917-764092900-2463050806-1000
2014-05-04 22:44 - 2014-05-05 23:37 - 00003240 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3693674917-764092900-2463050806-1000
2014-05-04 21:51 - 2014-05-04 21:52 - 00000000 ____D () C:\Users\Brian Heidi\Desktop\Tax Returns

==================== One Month Modified Files and Folders =======

2014-06-01 21:12 - 2014-06-01 21:12 - 00016592 _____ () C:\Users\Brian Heidi\Desktop\FRST.txt
2014-06-01 21:12 - 2014-06-01 21:11 - 00000000 ____D () C:\FRST
2014-06-01 21:12 - 2009-12-20 05:52 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Local\Temp
2014-06-01 21:10 - 2014-06-01 21:10 - 02067456 _____ (Farbar) C:\Users\Brian Heidi\Desktop\FRST64.exe
2014-06-01 21:10 - 2013-06-16 03:11 - 01735736 _____ () C:\Windows\WindowsUpdate.log
2014-06-01 21:08 - 2010-05-15 14:34 - 00421260 _____ () C:\ProgramData\dleascan.log
2014-06-01 21:07 - 2014-04-06 18:51 - 00086686 _____ () C:\ProgramData\dlea.log
2014-06-01 20:43 - 2012-03-29 11:07 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-06-01 20:23 - 2013-12-21 17:11 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-06-01 13:23 - 2013-12-21 17:11 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-05-31 12:45 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2014-05-30 20:47 - 2013-11-10 22:34 - 00007262 _____ () C:\Windows\setupact.log
2014-05-30 08:52 - 2014-04-15 21:24 - 00000000 ____D () C:\Windows\Minidump
2014-05-30 08:52 - 2009-12-20 05:58 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Hewlett-Packard
2014-05-29 20:25 - 2013-12-21 17:11 - 00002102 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-05-29 19:46 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-29 19:46 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-29 19:43 - 2014-05-18 12:42 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-05-29 19:43 - 2013-05-13 19:24 - 00001040 _____ () C:\Users\Brian Heidi\Desktop\Dropbox.lnk
2014-05-29 19:43 - 2013-05-13 19:24 - 00000000 ___RD () C:\Users\Brian Heidi\Dropbox
2014-05-29 19:43 - 2013-05-13 19:22 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-05-29 19:43 - 2013-05-13 19:22 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Dropbox
2014-05-29 19:43 - 2009-12-20 05:58 - 00000000 ___RD () C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-05-29 19:42 - 2009-08-09 04:12 - 00000000 ____D () C:\ProgramData\Temp
2014-05-29 19:37 - 2009-07-14 01:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-05-29 19:32 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-05-18 14:18 - 2011-05-21 15:55 - 00018432 ___SH () C:\Users\Brian Heidi\Thumbs.db
2014-05-18 14:03 - 2013-12-21 18:15 - 00097128 _____ () C:\Windows\PFRO.log
2014-05-18 13:49 - 2009-08-09 04:23 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-05-18 13:47 - 2011-06-15 14:47 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Yahoo!
2014-05-18 13:47 - 2010-04-04 00:01 - 00000000 ____D () C:\ProgramData\Yahoo!
2014-05-18 13:47 - 2010-04-03 23:57 - 00000000 ____D () C:\Program Files (x86)\Yahoo!
2014-05-18 13:45 - 2012-04-08 10:03 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Skype
2014-05-18 13:29 - 2009-12-20 05:58 - 00000000 ___RD () C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-05-18 13:27 - 2014-05-11 22:39 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-05-18 13:18 - 2013-12-21 17:11 - 00003904 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-05-18 13:18 - 2013-12-21 17:11 - 00003652 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-05-18 13:01 - 2012-03-29 14:41 - 03054111 _____ () C:\Windows\system32\Drivers\Cat.DB
2014-05-18 13:00 - 2013-07-17 14:43 - 00000000 ____D () C:\Windows\system32\MRT
2014-05-18 12:59 - 2009-12-20 15:15 - 93223848 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-05-11 22:32 - 2014-05-11 22:32 - 00000000 ____D () C:\ProgramData\Oracle
2014-05-11 22:32 - 2009-08-09 05:27 - 00000000 ____D () C:\Program Files (x86)\Java
2014-05-11 22:31 - 2014-05-11 22:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-05-11 22:30 - 2014-05-11 22:31 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-05-11 22:30 - 2014-05-11 22:31 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-05-11 22:30 - 2014-05-11 22:31 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-05-11 22:30 - 2014-05-11 22:31 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-05-11 22:24 - 2014-05-11 22:24 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Oracle
2014-05-11 22:07 - 2014-05-11 20:04 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-11 21:59 - 2014-05-11 21:59 - 00000000 ____D () C:\Windows\ERUNT
2014-05-11 21:53 - 2014-05-11 21:32 - 00000000 ____D () C:\AdwCleaner
2014-05-11 21:24 - 2011-06-23 17:42 - 00512000 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2014-05-11 21:23 - 2014-05-11 21:23 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-05-11 21:07 - 2013-10-04 18:47 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Local\DellPhoto
2014-05-11 21:07 - 2009-07-14 01:37 - 00000000 ____D () C:\Windows\DigitalLocker
2014-05-11 20:48 - 2009-12-20 05:52 - 00000000 ____D () C:\Users\Brian Heidi
2014-05-11 20:07 - 2014-05-05 21:57 - 00000079 _____ () C:\Windows\system32\pkftvod.uao
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-11 19:54 - 2014-05-05 21:21 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Afazqiu
2014-05-09 02:14 - 2014-05-18 12:52 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-09 02:11 - 2014-05-18 12:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-05-07 16:45 - 2014-05-07 16:44 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-05-07 16:44 - 2014-05-07 16:44 - 00001845 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-05-07 16:44 - 2014-05-07 16:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-05-07 16:44 - 2014-05-07 16:44 - 00000000 ____D () C:\ProgramData\Apple Computer
2014-05-07 16:10 - 2014-04-16 16:48 - 00003384 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-3693674917-764092900-2463050806-1000
2014-05-07 16:10 - 2014-04-16 16:48 - 00003262 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-3693674917-764092900-2463050806-1000
2014-05-07 11:24 - 2009-08-25 04:44 - 00000000 ____D () C:\ProgramData\Recovery
2014-05-06 17:45 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-05-06 00:40 - 2014-05-18 13:01 - 23544320 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-06 00:17 - 2014-05-18 13:01 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-05 23:37 - 2014-05-04 22:44 - 00003362 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3693674917-764092900-2463050806-1000
2014-05-05 23:37 - 2014-05-04 22:44 - 00003240 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3693674917-764092900-2463050806-1000
2014-05-05 23:25 - 2014-05-18 13:01 - 17382912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-05 23:07 - 2014-05-18 13:01 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-05 23:00 - 2014-05-18 13:01 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-05-05 22:10 - 2014-05-18 13:01 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-05 21:46 - 2014-05-05 21:46 - 00000064 _____ () C:\Windows\system32\armthqp.jlt
2014-05-05 21:46 - 2014-05-05 21:46 - 00000000 _____ () C:\Windows\system32\szweexz.lms
2014-05-05 21:19 - 2014-05-05 21:19 - 00306562 ____S () C:\Windows\system32\qrezpcg.uml
2014-05-05 21:19 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\sysprep
2014-05-04 21:52 - 2014-05-04 21:51 - 00000000 ____D () C:\Users\Brian Heidi\Desktop\Tax Returns
2014-05-04 21:40 - 2014-04-15 20:08 - 00000000 _____ () C:\Windows\system32\smrgdf.txt
2014-05-04 17:15 - 2014-01-21 18:21 - 00001425 _____ () C:\Users\Brian Heidi\Desktop\System Mechanic.lnk
2014-05-04 17:15 - 2014-01-21 18:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Mechanic
2014-05-04 17:15 - 2014-01-21 18:19 - 00000000 ____D () C:\ProgramData\iolo
2014-05-04 17:07 - 2014-01-21 18:21 - 00003118 _____ () C:\Windows\System32\Tasks\iolo Process Governor
2014-05-04 17:07 - 2014-01-21 18:21 - 00000000 ____D () C:\ProgramData\ioloGovernor

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3693674917-764092900-2463050806-1000\$62c84f77987b450cf5fd00ddcaad417b

Files to move or delete:
====================
C:\Users\Brian Heidi\gotomypc_533.exe

Some content of TEMP:
====================
C:\Users\Brian Heidi\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpybqivr.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-05-11 21:50

==================== End Of Log ============================


Edited by ozeal, 02 June 2014 - 05:26 AM.
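
The log above is read by eye: a malware-response helper looks for drivers whose image is gone (`[X]`), random-looking names dropped straight into `system32`, the `$Recycle.Bin\S-1-5-...\$<32 hex>` folder FRST lists under `ZeroAccess:`, and anything in the "Bamital & volsnap Check" that is not `MD5 is legit`. The script below is an added example, not part of ozeal's post and not FRST or BleepingComputer code; it mechanises those same checks over FRST log lines. The sample lines are copied from the log above, except the one marked CONSTRUCTED: FRST's exact wording for a failed hash check is an assumption here, as are the "random name" thresholds, which are a heuristic and not a verdict.

```python
"""Heuristic triage of a Farbar Recovery Scan Tool (FRST) log.

Added example for this thread; not part of the original post and not FRST
or BleepingComputer code. It mechanises checks a malware response helper
makes by eye: services/drivers whose image is missing ("[X]") or whose name
looks generated, files dropped straight into system32/SysWOW64 with no
version info and a random-looking name, the $Recycle.Bin folder FRST lists
under "ZeroAccess:", and any "Bamital & volsnap Check" line that is not
"MD5 is legit". SAMPLE_LOG is copied from the log above except the line
marked CONSTRUCTED.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category name severity detail")

SERVICE_RE = re.compile(r"^[RSU]\d\s+(.+?);\s*(.*)$")
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - "
    r"\d{8} ([_A-Z]{5}) \((.*?)\) (.+)$"
)
COMPANY_RE = re.compile(r"\([^()]*\S[^()]*\)\s*$")   # "(McAfee, Inc.)" yes, "( )" no
ZEROACCESS_RE = re.compile(r"\\\$Recycle\.Bin\\S-1-5-[\d-]+\\\$[0-9a-f]{32}$", re.I)
MD5_RE = re.compile(r"^(.+?) => (MD5 is .+)$")
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
VOWELS = set("aeiou")


def looks_random(stem):
    """Crude proxy for a generated name: 6-12 lowercase letters that are
    vowel-poor or contain a run of four or more consonants. Heuristic only:
    real drivers such as mferkdk trip it, so callers pair it with another
    signal (missing image, no version info)."""
    if not re.fullmatch(r"[a-z]{6,12}", stem):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


def triage(lines):
    """Return a list of Finding for the suspicious lines of an FRST log."""
    findings = []
    in_zeroaccess = False
    for raw in lines:
        line = raw.rstrip()
        if line == "ZeroAccess:":            # FRST's own section header
            in_zeroaccess = True
            continue
        if in_zeroaccess:
            if not line:
                in_zeroaccess = False        # blank line closes the section
            elif ZEROACCESS_RE.search(line):
                findings.append(Finding("zeroaccess", line, "high",
                                        "ZeroAccess dropper folder in $Recycle.Bin"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            name, image = m.groups()
            missing = image.endswith("[X]")
            if looks_random(name) and (missing or not COMPANY_RE.search(image)):
                findings.append(Finding("service", name, "high",
                                        "random-looking name, image "
                                        + ("missing" if missing else "has no version info")))
            elif missing:
                findings.append(Finding("service", name, "review",
                                        "image missing: stale entry or a removed dropper"))
            continue

        m = FILE_RE.match(line)
        if m:
            attrs, company, path = m.groups()
            if "D" in attrs:                 # directories carry D in the attribute field
                continue
            parent, _, filename = path.rpartition("\\")
            stem = filename.rpartition(".")[0]
            if parent.lower() in SYSTEM_DIRS and not company.strip() and looks_random(stem):
                findings.append(Finding("system32_file", path, "high",
                                        "random-named file without version info in " + parent))
            continue

        m = MD5_RE.match(line)
        if m and m.group(2) != "MD5 is legit":
            findings.append(Finding("integrity", m.group(1), "high",
                                    "core binary failed the hash check: " + m.group(2)))
    return findings


SAMPLE_LOG = r"""
S4 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [40904 2010-03-04] (McAfee, Inc.)
S1 gabkbmlq; \??\C:\Windows\system32\drivers\gabkbmlq.sys [X]
S0 TfFsMon; system32\drivers\TfFsMon.sys [X]
2014-05-18 12:51 - 2014-04-11 22:19 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2014-05-05 21:57 - 2014-05-11 20:07 - 00000079 _____ () C:\Windows\system32\pkftvod.uao
2014-05-05 21:46 - 2014-05-05 21:46 - 00000000 _____ () C:\Windows\system32\szweexz.lms
2014-05-05 21:19 - 2014-05-05 21:19 - 00306562 ____S () C:\Windows\system32\qrezpcg.uml
2014-05-05 21:19 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\sysprep
2014-05-29 19:46 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3693674917-764092900-2463050806-1000\$62c84f77987b450cf5fd00ddcaad417b

C:\Windows\System32\winlogon.exe => MD5 is legit
"""
# CONSTRUCTED: FRST's wording for a failed hash check is assumed here.
SAMPLE_LOG += "C:\\Windows\\SysWOW64\\userinit.exe => MD5 is not legit\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.category}: {f.name} -- {f.detail}")
```

Run it against a saved FRST.txt with `triage(open("FRST.txt", encoding="utf-8", errors="replace"))`. On the sample it reports `gabkbmlq` as high (generated name and missing image), `TfFsMon` as review (image missing, but a recognisable ThreatFire leftover), the three random-named system32 files, the ZeroAccess folder, and the constructed failed hash line; `mferkdk` is not reported because its image exists and carries McAfee version info. Treat every "high" as something to look at, not as proof: the name heuristic is deliberately loose.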


#6 TheShooter93 (Cody)

  • Malware Response Team
  • 4,792 posts
  • Gender:Male
  • Location:Orlando, Florida
Posted 02 June 2014 - 01:40 PM

Hello ozeal,

Before going any further, I need to let you know of the following.

-----

Backdoor Warning
 
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to proceed with removal, continue following these directions.
 
===================================================

 

ComboFix Download and Scan

  • Please go to the download page for ComboFix by sUBs.
  • Click the Download Now button pictured below and save the file to your desktop:

    [screenshot: ComboFix "Download Now" button]
  • Disable any anti-virus and/or firewall software you have installed.
    Instructions can be found here if needed.
  • Close all open windows including your web browser.
    As mentioned in the first post, you may want to print out all instructions before starting.
  • Double-click on the ComboFix icon on your desktop.
  • Read the Disclaimer and click I Agree if you want to run the software, then you should see a window like the one below:

    [screenshot: ComboFix preparing window]
  • DO NOT use your computer while ComboFix is running. There are a lot of things going on behind the scenes and a single mouse click can cause the program to stall.
  • However, if you see the prompt below, please click Yes to download the Microsoft Windows Recovery Console.

    [screenshot: Recovery Console download prompt]

    If an Internet connection is not available or you choose not to install the Recovery Console, ComboFix will run in Reduced Functionality mode.
  • Allow ComboFix to reboot the computer if necessary; it will run again after you log back in.
  • When complete, a log file will be displayed; please copy and paste the contents of this file into your next post.

    [screenshot: ComboFix log]
  • More information about downloading and using ComboFix can be found here if needed.

===================================================

What I'd like to see in your next post:
  • Confirmation you've read the Backdoor Warning.
  • ComboFix log

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.
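
The decision the warning above asks for (clean, or wipe and reinstall) is easier with evidence of whether the core binaries are still the ones Windows shipped. FRST's "Bamital & volsnap Check" earlier in the thread reports exactly that as `MD5 is legit`; the script below is an added example, not part of this post and not FRST or ComboFix code, showing the offline form of that check a responder can run against a mounted Windows volume: hash each live binary and every copy of the same name kept in `Windows\WinSxS`, and flag live files that match none of the store copies. Assumptions: the volume keeps the usual `Windows\System32`, `Windows\SysWOW64` and `Windows\WinSxS\<component>\<file>` layout, and the demo tree built by `build_demo_tree()` is constructed from placeholder bytes, not real Windows binaries.

```python
"""Check live Windows core binaries against their WinSxS component-store copies.

Added example; not part of the original thread, and not FRST or ComboFix
code. Hashes each live protected binary and every copy of the same name in
Windows\WinSxS and classifies the result. The demo tree from
build_demo_tree() is CONSTRUCTED from placeholder bytes.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# (directory under Windows\, file name): a subset of what FRST's check covers
PROTECTED = [
    ("System32", "winlogon.exe"),
    ("System32", "services.exe"),
    ("System32", "wininit.exe"),
    ("System32", "userinit.exe"),
    ("SysWOW64", "userinit.exe"),
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(windows, rel_dir, name):
    """Classify one live binary against the component store.

    linked         live file is a hard link to a store copy (normal on Win7)
    matches_store  same bytes as some store copy, but the hard link is gone
    no_store_copy  nothing in WinSxS to compare against
    missing        live file absent
    MISMATCH       matches no store copy: replaced, or patched in place
    """
    live = windows / rel_dir / name
    if not live.is_file():
        return ("missing", str(live))
    store_copies = sorted((windows / "WinSxS").glob("*/" + name))
    if not store_copies:
        return ("no_store_copy", str(live))
    for copy in store_copies:
        if os.path.samefile(live, copy):
            return ("linked", copy.parent.name)
    live_hash = sha256_of(live)
    for copy in store_copies:
        if sha256_of(copy) == live_hash:
            return ("matches_store", copy.parent.name)
    return ("MISMATCH", f"sha256 {live_hash[:16]}... matches none of "
                        f"{len(store_copies)} store copies")


def check_volume(windows, protected=PROTECTED):
    """Map 'dir/name' -> (status, detail) for every protected file."""
    return {f"{d}/{n}": check_file(Path(windows), d, n) for d, n in protected}


def build_demo_tree(root):
    """CONSTRUCTED demo volume covering every status check_file can return."""
    windows = Path(root) / "Windows"
    store = windows / "WinSxS"

    def put(path, data):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

    # winlogon.exe: live file hard-linked to its store copy, the normal state
    clean = store / "amd64_microsoft-windows-winlogon_demo_6.1.7601.17514" / "winlogon.exe"
    put(clean, b"MZ winlogon 7601")
    (windows / "System32").mkdir(parents=True, exist_ok=True)
    os.link(clean, windows / "System32" / "winlogon.exe")
    # services.exe: two store versions; live copy equals the RTM one by content only
    put(store / "amd64_microsoft-windows-services_demo_6.1.7600.16385" / "services.exe", b"MZ services 7600")
    put(store / "amd64_microsoft-windows-services_demo_6.1.7601.17514" / "services.exe", b"MZ services 7601")
    put(windows / "System32" / "services.exe", b"MZ services 7600")
    # SysWOW64\userinit.exe: store copy intact, live copy replaced by a dropper
    put(store / "x86_microsoft-windows-userinit_demo_6.1.7601.17514" / "userinit.exe", b"MZ userinit 7601")
    put(windows / "SysWOW64" / "userinit.exe", b"MZ userinit 7601 + appended stub")
    # wininit.exe: live file with no store copy; System32\userinit.exe left absent
    put(windows / "System32" / "wininit.exe", b"MZ wininit")
    return windows


def run_demo():
    """Build the constructed tree in a temp dir and return check_volume's report."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_volume(build_demo_tree(tmp))


if __name__ == "__main__":
    for target, (status, detail) in sorted(run_demo().items()):
        print(f"{status:14} {target:24} {detail}")
```

On a real volume call `check_volume(Path(r"D:\Windows"))` with the infected disk mounted read-only. Two caveats a practitioner should keep in mind: on Windows 7 the `System32` file normally is a hard link to the WinSxS copy, so malware that writes through that link alters both and the comparison still passes; this check catches the common case where the file was deleted and replaced (the `linked` status disappearing for a protected file is itself a signal). WinSxS can also be tampered with by an attacker with admin rights, so the authoritative test is Authenticode or catalog signature verification against Microsoft's signing, or comparison with hashes taken from a known-clean install of the same build. SHA-256 is used here rather than the MD5 FRST reports, since MD5 collisions are cheap to produce.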

 

 


#7 ozeal

  • Topic Starter
  • Members
  • 12 posts

Posted 02 June 2014 - 08:41 PM

Cody - I read the backdoor warning and will discuss it with my friend. We may end up wiping it after he takes his files off; I just want to get it safe enough to do that for half a day or so.

 

ComboFix 14-05-29.01 - Brian Heidi 06/02/2014  21:17:12.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3999.2479 [GMT -4:00]
Running from: c:\users\Brian Heidi\Desktop\ComboFix.exe
AV: Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 128 bytes in 1 streams.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Brian Heidi\AppData\Roaming\.#
c:\users\Brian Heidi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\SMART_HDD.lnk
c:\users\Brian Heidi\AppData\Roaming\netObjUsb64\netObjUsb64.dll
c:\users\Public\videos\HP MediaSmart Demo.exe
.
Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-05-03 to 2014-06-03  )))))))))))))))))))))))))))))))
.
.
2014-06-02 01:11 . 2014-06-02 01:13 -------- d-----w- C:\FRST
2014-05-31 00:58 . 2014-04-30 23:20 10702536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C04DEE0D-BE3D-49C2-9321-1222B77A80D9}\mpengine.dll
2014-05-29 23:46 . 2014-05-04 21:43 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1171691C-7866-4C83-A7A5-B8588585B778}\gapaengine.dll
2014-05-29 23:45 . 2014-04-30 23:20 10702536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-18 17:01 . 2014-05-06 04:40 23544320 ----a-w- c:\windows\system32\mshtml.dll
2014-05-18 17:01 . 2014-05-06 03:00 84992 ----a-w- c:\windows\system32\mshtmled.dll
2014-05-18 17:01 . 2014-05-06 04:17 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-18 17:01 . 2014-05-06 03:07 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-05-18 16:52 . 2014-03-25 02:43 14175744 ----a-w- c:\windows\system32\shell32.dll
2014-05-18 16:52 . 2014-05-09 06:14 477184 ----a-w- c:\windows\system32\aepdu.dll
2014-05-18 16:52 . 2014-05-09 06:11 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-05-18 16:42 . 2014-05-29 23:43 -------- d-----w- c:\users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-05-12 02:39 . 2014-05-18 17:27 -------- d-s---w- c:\windows\system32\CompatTel
2014-05-12 02:32 . 2014-05-12 02:32 -------- d-----w- c:\programdata\Oracle
2014-05-12 02:32 . 2014-05-12 02:32 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-05-12 02:31 . 2014-05-12 02:30 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-05-12 02:24 . 2014-05-12 02:24 -------- d-----w- c:\users\Brian Heidi\AppData\Roaming\Oracle
2014-05-12 01:59 . 2014-05-12 01:59 -------- d-----w- c:\windows\ERUNT
2014-05-12 01:32 . 2014-05-12 01:53 -------- d-----w- C:\AdwCleaner
2014-05-12 01:23 . 2014-05-12 01:23 -------- d-----w- C:\TDSSKiller_Quarantine
2014-05-12 00:04 . 2014-05-12 02:07 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-12 00:03 . 2014-04-03 13:51 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-12 00:03 . 2014-04-03 13:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-12 00:03 . 2014-04-03 13:50 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-05-12 00:03 . 2014-05-12 00:03 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-05-12 00:03 . 2014-05-12 00:03 -------- d-----w- c:\programdata\Malwarebytes
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2014-05-07 20:44 . 2014-05-07 20:45 -------- d-----w- c:\program files (x86)\QuickTime
2014-05-07 20:44 . 2014-05-07 20:44 -------- d-----w- c:\programdata\Apple Computer
2014-05-06 01:21 . 2014-05-11 23:54 -------- d-----w- c:\users\Brian Heidi\AppData\Roaming\Afazqiu
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-18 16:59 . 2009-12-20 19:15 93223848 ----a-w- c:\windows\system32\MRT.exe
2014-05-12 01:24 . 2011-06-23 21:42 512000 ----a-w- c:\windows\system32\rpcss.dll
2014-05-04 21:43 . 2012-11-20 13:32 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-05-01 11:59 . 2012-03-29 15:07 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-01 11:59 . 2011-06-05 18:42 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-30 14:24 . 2014-01-21 22:21 57584 ----a-w- c:\windows\system32\iolobtdfg.exe
2014-04-30 14:24 . 2014-01-21 22:21 26184 ----a-w- c:\windows\system32\smrgdf.exe
2014-04-30 14:08 . 2014-01-21 22:21 2155152 ----a-w- c:\windows\system32\Incinerator64.dll
2014-04-30 14:08 . 2014-01-21 22:21 2097984 ----a-w- c:\windows\SysWow64\Incinerator32.dll
2014-03-11 13:52 . 2012-03-21 00:44 133928 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-11 02:52 . 2014-03-11 02:52 10 ----a-w- c:\windows\Fonts\wfonts.key
2014-03-06 09:31 . 2014-05-01 12:13 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-03-06 08:59 . 2014-05-01 12:13 66048 ----a-w- c:\windows\system32\iesetup.dll
2014-03-06 08:57 . 2014-05-01 12:14 548352 ----a-w- c:\windows\system32\vbscript.dll
2014-03-06 08:57 . 2014-05-01 12:12 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-03-06 08:53 . 2014-05-01 12:12 2767360 ----a-w- c:\windows\system32\iertutil.dll
2014-03-06 08:40 . 2014-05-01 12:13 51200 ----a-w- c:\windows\system32\jsproxy.dll
2014-03-06 08:39 . 2014-05-01 12:13 33792 ----a-w- c:\windows\system32\iernonce.dll
2014-03-06 08:32 . 2014-05-01 12:14 574976 ----a-w- c:\windows\system32\ieui.dll
2014-03-06 08:29 . 2014-05-01 12:13 139264 ----a-w- c:\windows\system32\ieUnatt.exe
2014-03-06 08:29 . 2014-05-01 12:12 111616 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-03-06 08:28 . 2014-05-01 12:13 752640 ----a-w- c:\windows\system32\jscript9diag.dll
2014-03-06 08:15 . 2014-05-01 12:12 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-06 08:11 . 2014-05-01 12:12 5784064 ----a-w- c:\windows\system32\jscript9.dll
2014-03-06 08:09 . 2014-05-01 12:13 453120 ----a-w- c:\windows\system32\dxtmsft.dll
2014-03-06 08:03 . 2014-05-01 12:13 586240 ----a-w- c:\windows\system32\ie4uinit.exe
2014-03-06 08:02 . 2014-05-01 12:13 61952 ----a-w- c:\windows\SysWow64\iesetup.dll
2014-03-06 08:02 . 2014-05-01 12:14 455168 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-03-06 08:01 . 2014-05-01 12:12 51200 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56 . 2014-05-01 12:13 38400 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-03-06 07:48 . 2014-05-01 12:13 195584 ----a-w- c:\windows\system32\msrating.dll
2014-03-06 07:46 . 2014-05-01 12:12 4254720 ----a-w- c:\windows\SysWow64\jscript9.dll
2014-03-06 07:42 . 2014-05-01 12:13 296960 ----a-w- c:\windows\system32\dxtrans.dll
2014-03-06 07:38 . 2014-05-01 12:13 112128 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-03-06 07:36 . 2014-05-01 12:12 592896 ----a-w- c:\windows\SysWow64\jscript9diag.dll
2014-03-06 07:21 . 2014-05-01 12:13 628736 ----a-w- c:\windows\system32\msfeeds.dll
2014-03-06 07:13 . 2014-05-01 12:13 32256 ----a-w- c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11 . 2014-05-01 12:12 2043904 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-06 06:53 . 2014-05-01 12:12 13551104 ----a-w- c:\windows\system32\ieframe.dll
2014-03-06 06:40 . 2014-05-01 12:12 1967104 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2014-03-06 06:22 . 2014-05-01 12:12 2260480 ----a-w- c:\windows\system32\wininet.dll
2014-03-06 05:58 . 2014-05-01 12:12 1400832 ----a-w- c:\windows\system32\urlmon.dll
2014-03-06 05:50 . 2014-05-01 12:12 846336 ----a-w- c:\windows\system32\ieapfltr.dll
2014-03-06 05:41 . 2014-05-01 12:12 1789440 ----a-w- c:\windows\SysWow64\wininet.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
.
c:\users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-5-19 33322312]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-30 1079584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0autocheck smrgdf c:\users\Brian Heidi\AppData\Roaming\iolo\\0on.1\0???\0L\0SOFTWARE\Microsoft\Office\Outlook\Addins\BtOfficeAddin.BtOfficeIntegration.1
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys;c:\windows\SYSNATIVE\drivers\TfFsMon.sys [x]
R0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys;c:\windows\SYSNATIVE\drivers\TfSysMon.sys [x]
R1 gabkbmlq;gabkbmlq;c:\windows\system32\drivers\gabkbmlq.sys;c:\windows\SYSNATIVE\drivers\gabkbmlq.sys [x]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD64.sys;c:\windows\SYSNATIVE\Drivers\PCTSD64.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
R3 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\dleaserv.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 NETw1v64;Intel® Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw1v64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw1v64.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\Drivers\PCTBD64.sys;c:\windows\SYSNATIVE\Drivers\PCTBD64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys;c:\windows\SYSNATIVE\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 ssrangdr;ssrangdr;c:\windows\system32\DRIVERS\ssrangdr.sys;c:\windows\SYSNATIVE\DRIVERS\ssrangdr.sys [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys;c:\windows\SYSNATIVE\drivers\TfNetMon.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe;c:\windows\SYSNATIVE\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [x]
R4 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [x]
R4 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe;c:\windows\SYSNATIVE\dleacoms.exe [x]
R4 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [x]
R4 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [x]
R4 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
R4 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [x]
R4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
R4 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\nlssrv32.exe;c:\windows\SysWOW64\nlssrv32.exe [x]
R4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
R4 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~2\SPEEDB~1\VideoAcceleratorService.exe;c:\progra~2\SPEEDB~1\VideoAcceleratorService.exe [x]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS64.sys;c:\windows\SYSNATIVE\drivers\pctDS64.sys [x]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA64.sys;c:\windows\SYSNATIVE\drivers\pctEFA64.sys [x]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys;c:\windows\SYSNATIVE\drivers\ElRawDsk.sys [x]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files (x86)\PC Tools Security\BDT\BDTUpdateService.exe;c:\program files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [x]
S2 ioloSystemService;iolo System Service;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe [x]
S2 PDFsFilter;PDFsFilter;c:\windows\system32\DRIVERS\PDFsFilter.sys;c:\windows\SYSNATIVE\DRIVERS\PDFsFilter.sys [x]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys;c:\windows\SYSNATIVE\DRIVERS\enecir.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-05-30 00:24 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 11:59]
.
2014-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-12-21 21:11]
.
2014-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-12-21 21:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-07-21 610872]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-12-26 165912]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"dleamon.exe"="c:\program files (x86)\Dell V310-V510 Series\dleamon.exe" [2010-08-09 770728]
"EzPrint"="c:\program files (x86)\Dell V310-V510 Series\ezprint.exe" [2010-08-09 139944]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-03-23 487424]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.33.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-netObjUsb64 - c:\users\Brian Heidi\AppData\Roaming\netObjUsb64\netObjUsb64.dll
Wow6432Node-HKCU-Run-RunIt - c:\program files (x86)\Mozilla Firefox\firefox.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
SafeBoot-12563266.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
.
**************************************************************************
.
Completion time: 2014-06-02  21:33:52 - machine was rebooted
ComboFix-quarantined-files.txt  2014-06-03 01:33
.
Pre-Run: 239,559,970,816 bytes free
Post-Run: 239,468,978,176 bytes free
.
- - End Of File - - F93E022E09EC82822307C1823853B551
D8E1D44D38D41E802CF7F861A14C4048



#8 TheShooter93

TheShooter93

    Cody


  • Malware Response Team
  • 4,792 posts
  • OFFLINE
  • Gender:Male
  • Location:Orlando, Florida
  • Local time:11:47 PM

Posted 03 June 2014 - 02:33 PM

Hello ozeal,

Please do the following.

-----

ComboFix Script

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    2014-05-06 01:21 . 2014-05-11 23:54 -------- d-----w- c:\users\Brian Heidi\AppData\Roaming\Afazqiu
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    (image: CFScriptB-4.gif)
  • Referring to the picture above, drag CFScript onto ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by TheShooter93, 03 June 2014 - 02:33 PM.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.
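The CFScript above targets a single entry taken from the "Files Created" section of the ComboFix log: the Afazqiu folder under the user's AppData\Roaming. As an added example that is not part of this thread and not ComboFix's own code, the Python below parses that one-line-per-file format and lists items created directly under a Roaming profile root, which is how a responder can pull out such candidates before deciding what to script. The `KNOWN_ROAMING_VENDORS` allow-list, the `user` profile name and the `SAMPLE_LOG` lines (in the format of the logs posted here) are constructed for the demo.

```python
"""Triage helper for ComboFix 'Files Created' / 'Find3M' log lines.

Added example for this thread: not ComboFix's code and not something the
helper or the poster ran. It parses the one-line-per-file format seen in
the logs above and lists items created directly under a user's
AppData\\Roaming folder. The vendor allow-list is a constructed assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# One ComboFix file line:  <created> . <modified> <size|dashes> <8 attr flags> <path>
# e.g. 2014-05-06 01:21 . 2014-05-11 23:54 -------- d-----w- c:\users\user\AppData\Roaming\Afazqiu
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-\w]{8}) (?P<path>.+)$"
)

# A path directly under a roaming profile: c:\users\<name>\AppData\Roaming\<item>
ROAMING_ROOT_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\roaming\\([^\\]+)$", re.IGNORECASE
)

# Constructed allow-list of Roaming folder names not worth chasing in this
# demo; an assumption, not an authoritative list.
KNOWN_ROAMING_VENDORS: Set[str] = {"dropbox", "oracle", "microsoft", "adobe"}


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints dashes)
    is_dir: bool         # first attribute flag is 'd'
    path: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for any other line (section banners,
    '.' separators, the shorter 'Reg Loading Points' lines)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    size = m.group("size")
    return Entry(
        created=m.group("created"),
        modified=m.group("modified"),
        size=None if size.startswith("-") else int(size),
        is_dir=m.group("attrs")[0] == "d",
        path=m.group("path"),
    )


def parse_log(text: str) -> List[Entry]:
    """All parseable file entries in a log, in the order ComboFix printed them."""
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e is not None]


def roaming_root_items(entries: Iterable[Entry]) -> List[Tuple[str, Entry]]:
    """(name, entry) for every item created directly under AppData\\Roaming."""
    found = []
    for e in entries:
        m = ROAMING_ROOT_RE.match(e.path)
        if m:
            found.append((m.group(1), e))
    return found


def unfamiliar_roaming_items(entries: Iterable[Entry], known: Set[str]) -> List[Tuple[str, Entry]]:
    """Roaming-root items whose name is not on the allow-list: the ones a
    responder looks at first (and, as in this thread, may script for removal)."""
    return [(name, e) for name, e in roaming_root_items(entries) if name.lower() not in known]


# Constructed sample in the ComboFix line format used in this thread, with the
# profile name replaced by 'user'. The last line is the shorter format used
# under 'Reg Loading Points' and is deliberately left unparsed.
SAMPLE_LOG = r"""
2014-06-02 01:11 . 2014-06-02 01:13 -------- d-----w- C:\FRST
2014-05-31 00:58 . 2014-04-30 23:20 10702536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C04DEE0D-BE3D-49C2-9321-1222B77A80D9}\mpengine.dll
2014-05-18 17:01 . 2014-05-06 04:40 23544320 ----a-w- c:\windows\system32\mshtml.dll
2014-05-18 16:42 . 2014-05-29 23:43 -------- d-----w- c:\users\user\AppData\Roaming\DropboxMaster
2014-05-12 02:32 . 2014-05-12 02:32 -------- d-----w- c:\programdata\Oracle
2014-05-12 02:24 . 2014-05-12 02:24 -------- d-----w- c:\users\user\AppData\Roaming\Oracle
2014-05-12 00:04 . 2014-05-12 02:07 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-06 01:21 . 2014-05-11 23:54 -------- d-----w- c:\users\user\AppData\Roaming\Afazqiu
2013-09-10 23:54 131248 ----a-w- c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"parsed {len(entries)} file entries")
    for name, e in unfamiliar_roaming_items(entries, KNOWN_ROAMING_VENDORS):
        kind = "dir " if e.is_dir else "file"
        print(f"review: {kind} {e.path}  created {e.created}  modified {e.modified}")
```

Run as a script it prints the candidates from the sample; on a real log, feed the whole file to `parse_log`. The allow-list is a convenience, not a verdict: an unfamiliar top-level Roaming name is a reason to look at the folder's contents and creation time, which is what the helper did here before scripting its removal, not proof of infection on its own.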

 

 


#9 ozeal

ozeal
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:47 PM

Posted 04 June 2014 - 04:52 AM

Created CFScript file.. dragged it onto ComboFix and it started..

ComboFix 14-05-29.01 - Brian Heidi 06/04/2014   5:35.2.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3999.2101 [GMT -4:00]
Running from: c:\users\Brian Heidi\Desktop\ComboFix.exe
Command switches used :: c:\users\Brian Heidi\Desktop\CFScript.txt
AV: Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-05-04 to 2014-06-04  )))))))))))))))))))))))))))))))
.
.
2014-06-04 09:43 . 2014-06-04 09:43 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2014-06-04 09:43 . 2014-06-04 09:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-06-02 01:11 . 2014-06-02 01:13 -------- d-----w- C:\FRST
2014-05-31 00:58 . 2014-04-30 23:20 10702536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C04DEE0D-BE3D-49C2-9321-1222B77A80D9}\mpengine.dll
2014-05-29 23:46 . 2014-05-04 21:43 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1171691C-7866-4C83-A7A5-B8588585B778}\gapaengine.dll
2014-05-29 23:45 . 2014-04-30 23:20 10702536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-18 17:01 . 2014-05-06 04:40 23544320 ----a-w- c:\windows\system32\mshtml.dll
2014-05-18 17:01 . 2014-05-06 03:00 84992 ----a-w- c:\windows\system32\mshtmled.dll
2014-05-18 17:01 . 2014-05-06 04:17 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-18 17:01 . 2014-05-06 03:07 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-05-18 16:52 . 2014-03-25 02:43 14175744 ----a-w- c:\windows\system32\shell32.dll
2014-05-18 16:52 . 2014-05-09 06:14 477184 ----a-w- c:\windows\system32\aepdu.dll
2014-05-18 16:52 . 2014-05-09 06:11 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-05-18 16:42 . 2014-05-29 23:43 -------- d-----w- c:\users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-05-12 02:39 . 2014-05-18 17:27 -------- d-s---w- c:\windows\system32\CompatTel
2014-05-12 02:32 . 2014-05-12 02:32 -------- d-----w- c:\programdata\Oracle
2014-05-12 02:32 . 2014-05-12 02:32 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-05-12 02:31 . 2014-05-12 02:30 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-05-12 02:24 . 2014-05-12 02:24 -------- d-----w- c:\users\Brian Heidi\AppData\Roaming\Oracle
2014-05-12 01:59 . 2014-05-12 01:59 -------- d-----w- c:\windows\ERUNT
2014-05-12 01:32 . 2014-05-12 01:53 -------- d-----w- C:\AdwCleaner
2014-05-12 01:23 . 2014-05-12 01:23 -------- d-----w- C:\TDSSKiller_Quarantine
2014-05-12 00:04 . 2014-06-04 09:29 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-12 00:03 . 2014-04-03 13:51 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-12 00:03 . 2014-04-03 13:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-12 00:03 . 2014-04-03 13:50 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-05-12 00:03 . 2014-05-12 00:03 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-05-12 00:03 . 2014-05-12 00:03 -------- d-----w- c:\programdata\Malwarebytes
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2014-05-07 20:44 . 2014-05-07 20:45 -------- d-----w- c:\program files (x86)\QuickTime
2014-05-07 20:44 . 2014-05-07 20:44 -------- d-----w- c:\programdata\Apple Computer
2014-05-06 01:21 . 2014-05-11 23:54 -------- d-----w- c:\users\Brian Heidi\AppData\Roaming\Afazqiu
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-18 16:59 . 2009-12-20 19:15 93223848 ----a-w- c:\windows\system32\MRT.exe
2014-05-12 01:24 . 2011-06-23 21:42 512000 ----a-w- c:\windows\system32\rpcss.dll
2014-05-04 21:43 . 2012-11-20 13:32 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-05-01 11:59 . 2012-03-29 15:07 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-01 11:59 . 2011-06-05 18:42 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-30 14:24 . 2014-01-21 22:21 57584 ----a-w- c:\windows\system32\iolobtdfg.exe
2014-04-30 14:24 . 2014-01-21 22:21 26184 ----a-w- c:\windows\system32\smrgdf.exe
2014-04-30 14:08 . 2014-01-21 22:21 2155152 ----a-w- c:\windows\system32\Incinerator64.dll
2014-04-30 14:08 . 2014-01-21 22:21 2097984 ----a-w- c:\windows\SysWow64\Incinerator32.dll
2014-03-11 13:52 . 2012-03-21 00:44 133928 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-11 02:52 . 2014-03-11 02:52 10 ----a-w- c:\windows\Fonts\wfonts.key
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
.
c:\users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-5-19 33322312]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-30 1079584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0autocheck smrgdf c:\users\Brian Heidi\AppData\Roaming\iolo\\0on.1\0???\0L\0SOFTWARE\Microsoft\Office\Outlook\Addins\BtOfficeAddin.BtOfficeIntegration.1
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys;c:\windows\SYSNATIVE\drivers\TfFsMon.sys [x]
R0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys;c:\windows\SYSNATIVE\drivers\TfSysMon.sys [x]
R1 gabkbmlq;gabkbmlq;c:\windows\system32\drivers\gabkbmlq.sys;c:\windows\SYSNATIVE\drivers\gabkbmlq.sys [x]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD64.sys;c:\windows\SYSNATIVE\Drivers\PCTSD64.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
R3 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\dleaserv.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 NETw1v64;Intel® Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw1v64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw1v64.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\Drivers\PCTBD64.sys;c:\windows\SYSNATIVE\Drivers\PCTBD64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys;c:\windows\SYSNATIVE\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 ssrangdr;ssrangdr;c:\windows\system32\DRIVERS\ssrangdr.sys;c:\windows\SYSNATIVE\DRIVERS\ssrangdr.sys [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys;c:\windows\SYSNATIVE\drivers\TfNetMon.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe;c:\windows\SYSNATIVE\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [x]
R4 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [x]
R4 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe;c:\windows\SYSNATIVE\dleacoms.exe [x]
R4 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [x]
R4 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [x]
R4 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
R4 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [x]
R4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
R4 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\nlssrv32.exe;c:\windows\SysWOW64\nlssrv32.exe [x]
R4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
R4 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~2\SPEEDB~1\VideoAcceleratorService.exe;c:\progra~2\SPEEDB~1\VideoAcceleratorService.exe [x]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS64.sys;c:\windows\SYSNATIVE\drivers\pctDS64.sys [x]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA64.sys;c:\windows\SYSNATIVE\drivers\pctEFA64.sys [x]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys;c:\windows\SYSNATIVE\drivers\ElRawDsk.sys [x]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files (x86)\PC Tools Security\BDT\BDTUpdateService.exe;c:\program files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [x]
S2 ioloSystemService;iolo System Service;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe [x]
S2 PDFsFilter;PDFsFilter;c:\windows\system32\DRIVERS\PDFsFilter.sys;c:\windows\SYSNATIVE\DRIVERS\PDFsFilter.sys [x]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys;c:\windows\SYSNATIVE\DRIVERS\enecir.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-05-30 00:24 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 11:59]
.
2014-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-12-21 21:11]
.
2014-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-12-21 21:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-07-21 610872]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-12-26 165912]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"dleamon.exe"="c:\program files (x86)\Dell V310-V510 Series\dleamon.exe" [2010-08-09 770728]
"EzPrint"="c:\program files (x86)\Dell V310-V510 Series\ezprint.exe" [2010-08-09 139944]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-03-23 487424]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.33.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-06-04  05:47:44
ComboFix-quarantined-files.txt  2014-06-04 09:47
ComboFix2.txt  2014-06-03 01:33
.
Pre-Run: 239,403,008,000 bytes free
Post-Run: 239,332,827,136 bytes free
.
- - End Of File - - B3626433319A4DBEF0AEC1FFA53A8A76
D8E1D44D38D41E802CF7F861A14C4048
 



#10 TheShooter93

TheShooter93

    Cody

  • Malware Response Team
  • 4,792 posts
  • Gender:Male
  • Location:Orlando, Florida

Posted 04 June 2014 - 02:18 PM

Hello ozeal,

There was a mistake in my previous ComboFix script, I apologize.

I have fixed it and supplied the correct instructions below.

-----

ComboFix Script

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:

    Folder::
    c:\users\Brian Heidi\AppData\Roaming\Afazqiu

  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4.gif]
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by TheShooter93, 04 June 2014 - 02:19 PM.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#11 ozeal

ozeal
  • Topic Starter
  • Members
  • 12 posts

Posted 04 June 2014 - 04:58 PM

Log file:

ComboFix 14-05-29.01 - Brian Heidi 06/04/2014  17:41:29.3.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3999.2464 [GMT -4:00]
Running from: c:\users\Brian Heidi\Desktop\ComboFix.exe
Command switches used :: c:\users\Brian Heidi\Desktop\CFScript.txt
AV: Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Brian Heidi\AppData\Roaming\Afazqiu
.
.
(((((((((((((((((((((((((   Files Created from 2014-05-04 to 2014-06-04  )))))))))))))))))))))))))))))))
.
.
2014-06-04 21:46 . 2014-06-04 21:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2014-06-04 21:46 . 2014-06-04 21:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-06-02 01:11 . 2014-06-02 01:13 -------- d-----w- C:\FRST
2014-05-31 00:58 . 2014-04-30 23:20 10702536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C04DEE0D-BE3D-49C2-9321-1222B77A80D9}\mpengine.dll
2014-05-29 23:46 . 2014-05-04 21:43 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1171691C-7866-4C83-A7A5-B8588585B778}\gapaengine.dll
2014-05-29 23:45 . 2014-04-30 23:20 10702536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-18 17:01 . 2014-05-06 04:40 23544320 ----a-w- c:\windows\system32\mshtml.dll
2014-05-18 17:01 . 2014-05-06 03:00 84992 ----a-w- c:\windows\system32\mshtmled.dll
2014-05-18 17:01 . 2014-05-06 04:17 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-18 17:01 . 2014-05-06 03:07 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-05-18 16:52 . 2014-03-25 02:43 14175744 ----a-w- c:\windows\system32\shell32.dll
2014-05-18 16:52 . 2014-05-09 06:14 477184 ----a-w- c:\windows\system32\aepdu.dll
2014-05-18 16:52 . 2014-05-09 06:11 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-05-18 16:42 . 2014-05-29 23:43 -------- d-----w- c:\users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-05-12 02:39 . 2014-05-18 17:27 -------- d-s---w- c:\windows\system32\CompatTel
2014-05-12 02:32 . 2014-05-12 02:32 -------- d-----w- c:\programdata\Oracle
2014-05-12 02:32 . 2014-05-12 02:32 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-05-12 02:31 . 2014-05-12 02:30 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-05-12 02:24 . 2014-05-12 02:24 -------- d-----w- c:\users\Brian Heidi\AppData\Roaming\Oracle
2014-05-12 01:59 . 2014-05-12 01:59 -------- d-----w- c:\windows\ERUNT
2014-05-12 01:32 . 2014-05-12 01:53 -------- d-----w- C:\AdwCleaner
2014-05-12 01:23 . 2014-05-12 01:23 -------- d-----w- C:\TDSSKiller_Quarantine
2014-05-12 00:04 . 2014-06-04 09:29 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-12 00:03 . 2014-04-03 13:51 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-12 00:03 . 2014-04-03 13:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-12 00:03 . 2014-04-03 13:50 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-05-12 00:03 . 2014-05-12 00:03 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-05-12 00:03 . 2014-05-12 00:03 -------- d-----w- c:\programdata\Malwarebytes
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2014-05-07 20:45 . 2014-05-07 20:45 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2014-05-07 20:44 . 2014-05-07 20:45 -------- d-----w- c:\program files (x86)\QuickTime
2014-05-07 20:44 . 2014-05-07 20:44 -------- d-----w- c:\programdata\Apple Computer
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-18 16:59 . 2009-12-20 19:15 93223848 ----a-w- c:\windows\system32\MRT.exe
2014-05-12 01:24 . 2011-06-23 21:42 512000 ----a-w- c:\windows\system32\rpcss.dll
2014-05-04 21:43 . 2012-11-20 13:32 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-05-01 11:59 . 2012-03-29 15:07 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-01 11:59 . 2011-06-05 18:42 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-30 14:24 . 2014-01-21 22:21 57584 ----a-w- c:\windows\system32\iolobtdfg.exe
2014-04-30 14:24 . 2014-01-21 22:21 26184 ----a-w- c:\windows\system32\smrgdf.exe
2014-04-30 14:08 . 2014-01-21 22:21 2155152 ----a-w- c:\windows\system32\Incinerator64.dll
2014-04-30 14:08 . 2014-01-21 22:21 2097984 ----a-w- c:\windows\SysWow64\Incinerator32.dll
2014-03-11 13:52 . 2012-03-21 00:44 133928 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-11 02:52 . 2014-03-11 02:52 10 ----a-w- c:\windows\Fonts\wfonts.key
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 131248 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2010-10-19 1439496]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
.
c:\users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2014-5-19 33322312]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-30 1079584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0autocheck smrgdf c:\users\Brian Heidi\AppData\Roaming\iolo\\0on.1\0???\0L\0SOFTWARE\Microsoft\Office\Outlook\Addins\BtOfficeAddin.BtOfficeIntegration.1
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys;c:\windows\SYSNATIVE\drivers\TfFsMon.sys [x]
R0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys;c:\windows\SYSNATIVE\drivers\TfSysMon.sys [x]
R1 gabkbmlq;gabkbmlq;c:\windows\system32\drivers\gabkbmlq.sys;c:\windows\SYSNATIVE\drivers\gabkbmlq.sys [x]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD64.sys;c:\windows\SYSNATIVE\Drivers\PCTSD64.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
R3 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\dleaserv.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 NETw1v64;Intel® Wireless WiFi Link 1000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\NETw1v64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw1v64.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\Drivers\PCTBD64.sys;c:\windows\SYSNATIVE\Drivers\PCTBD64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys;c:\windows\SYSNATIVE\DRIVERS\Rts516xIR.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 ssrangdr;ssrangdr;c:\windows\system32\DRIVERS\ssrangdr.sys;c:\windows\SYSNATIVE\DRIVERS\ssrangdr.sys [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys;c:\windows\SYSNATIVE\drivers\TfNetMon.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe;c:\windows\SYSNATIVE\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [x]
R4 Com4QLBEx;Com4QLBEx;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [x]
R4 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe;c:\windows\SYSNATIVE\dleacoms.exe [x]
R4 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [x]
R4 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [x]
R4 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
R4 IHA_MessageCenter;IHA_MessageCenter;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe;c:\program files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [x]
R4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
R4 nlsX86cc;Nalpeiron Licensing Service;c:\windows\SysWOW64\nlssrv32.exe;c:\windows\SysWOW64\nlssrv32.exe [x]
R4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
R4 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [x]
R4 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~2\SPEEDB~1\VideoAcceleratorService.exe;c:\progra~2\SPEEDB~1\VideoAcceleratorService.exe [x]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS64.sys;c:\windows\SYSNATIVE\drivers\pctDS64.sys [x]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA64.sys;c:\windows\SYSNATIVE\drivers\pctEFA64.sys [x]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\ElRawDsk.sys;c:\windows\SYSNATIVE\drivers\ElRawDsk.sys [x]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files (x86)\PC Tools Security\BDT\BDTUpdateService.exe;c:\program files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [x]
S2 ioloSystemService;iolo System Service;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe;c:\program files (x86)\iolo\Common\Lib\ioloServiceManager.exe [x]
S2 PDFsFilter;PDFsFilter;c:\windows\system32\DRIVERS\PDFsFilter.sys;c:\windows\SYSNATIVE\DRIVERS\PDFsFilter.sys [x]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys;c:\windows\SYSNATIVE\DRIVERS\enecir.sys [x]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys;c:\windows\SYSNATIVE\drivers\IntcHdmi.sys [x]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys;c:\windows\SYSNATIVE\DRIVERS\NETw5s64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-05-30 00:24 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 11:59]
.
2014-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-12-21 21:11]
.
2014-06-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-12-21 21:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-09-10 23:54 164016 ----a-w- c:\users\Brian Heidi\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-07-21 610872]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-12-26 165912]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"dleamon.exe"="c:\program files (x86)\Dell V310-V510 Series\dleamon.exe" [2010-08-09 770728]
"EzPrint"="c:\program files (x86)\Dell V310-V510 Series\ezprint.exe" [2010-08-09 139944]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-03-23 487424]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.33.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-06-04  17:51:47
ComboFix-quarantined-files.txt  2014-06-04 21:51
ComboFix2.txt  2014-06-04 09:47
ComboFix3.txt  2014-06-03 01:33
.
Pre-Run: 239,453,663,232 bytes free
Post-Run: 239,382,245,376 bytes free
.
- - End Of File - - 24AE0021D3D679AE1064792ADD37F6F2
D8E1D44D38D41E802CF7F861A14C4048

 



#12 TheShooter93

Cody

  • Malware Response Team
  • 4,792 posts
  • Gender:Male
  • Location:Orlando, Florida

Posted 05 June 2014 - 02:48 PM

Hello ozeal,
 
Looking much better!  :thumbsup2:
 
Little bit left to do though, please see below.
 
==========================

ESET Online Scanner

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click Run ESET Online Scanner.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not be presented with a log.
  • Click the Back button.
  • Click the Finish button.
======================================
 
Also, please provide a fresh FRST Scan log in your next post.
 
Note: perform the FRST Scan after the ESET scan.
 
======================================
 
What I'd like to see in your next post: :thumbsup2:
  • ESET log
  • FRST Scan log

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

 

 


#13 ozeal

  • Topic Starter
  • Members
  • 12 posts

Posted 05 June 2014 - 05:53 PM

ESET Log -

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
C:\Users\Brian Heidi\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PFG0KYCZ\flashplayerpro-setup[1].exe Win32/DownloadAdmin.G potentially unwanted application deleted - quarantined
C:\Users\Brian Heidi\AppData\Roaming\Mozilla\Firefox\Profiles\0\extensions\pgpbianbii@pgpbianbii.org.xpi Win32/TrojanDownloader.Tracur.V trojan deleted - quarantined

 

FRST Log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-06-2014
Ran by Brian Heidi (administrator) on BRIANHEIDI-PC on 05-06-2014 18:38:53
Running from C:\Users\Brian Heidi\Desktop
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\System Mechanic\ioloGovernor64.exe
(Threat Expert Ltd.) C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
(CyberLink) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610872 2009-07-21] ()
HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [dleamon.exe] => C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe [770728 2010-08-09] ()
HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe [139944 2010-08-09] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-23] (IDT, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1439496 2010-10-19] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\.DEFAULT\...\Policies\system: [WallpaperStyle] 2
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKCU - PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKCU - DefaultScope {B49CAB8F-6EC1-44C3-9ED5-21F4DA4E6E57} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKCU - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL =
SearchScopes: HKCU - {B49CAB8F-6EC1-44C3-9ED5-21F4DA4E6E57} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: HKLM-x32 {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.169.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=16.0.3.51 - c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=16.0.3.51 - c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2009-08-09]
FF HKLM-x32\...\Firefox\Extensions: [{cb84136f-9c44-433a-9048-c5cd9df1dc16}] - C:\Program Files (x86)\PC Tools Security\BDT\Firefox\
FF Extension: Browser Guard Toolbar - C:\Program Files (x86)\PC Tools Security\BDT\Firefox\ []
FF HKLM-x32\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ []
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-09-08]

Chrome:
=======
CHR HomePage:
CHR Extension: (Google Docs) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-12-21]
CHR Extension: (Google Drive) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-12-21]
CHR Extension: (YouTube) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-12-21]
CHR Extension: (Google Search) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-12-21]
CHR Extension: (RealDownloader) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-12-21]
CHR Extension: (Skype Click to Call) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-12-21]
CHR Extension: (Google Wallet) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-21]
CHR Extension: (Gmail) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-12-21]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]

==================== Services (Whitelisted) =================

S4 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
R2 Browser Defender Update Service; C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [575448 2012-06-14] (Threat Expert Ltd.)
S3 dleaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [45224 2010-05-21] ()
S4 dlea_device; C:\Windows\system32\dleacoms.exe [1052328 2010-05-21] ( )
S4 dlea_device; C:\Windows\SysWOW64\dleacoms.exe [598696 2010-05-21] ( )
S4 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [290832 2011-12-12] (Verizon)
R2 ioloSystemService; C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [4492776 2014-04-30] (iolo technologies, LLC)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S4 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S4 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-01-21] ()
S4 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe [247808 2010-03-23] (IDT, Inc.)
S4 VideoAcceleratorService; C:\Program Files (x86)\SpeedBit Video Accelerator\VideoAcceleratorService.exe [281768 2013-12-20] (SPEEDbit)
S2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [X]

==================== Drivers (Whitelisted) ====================

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [30752 2013-12-03] (EldoS Corporation)
S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [40904 2010-03-04] (McAfee, Inc.)
S3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [49480 2010-03-04] (McAfee, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
R1 MPFP; C:\Windows\System32\Drivers\Mpfp.sys [176144 2009-07-16] (McAfee, Inc.)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 PCTBD; C:\Windows\System32\Drivers\PCTBD64.sys [85224 2012-06-14] (PC Tools)
R0 pctDS; C:\Windows\System32\drivers\pctDS64.sys [453896 2012-02-28] (PC Tools)
R0 pctEFA; C:\Windows\System32\drivers\pctEFA64.sys [1096176 2012-02-28] (PC Tools)
S3 ssrangdr; C:\Windows\System32\DRIVERS\ssrangdr.sys [4608 2009-12-13] (SupportSoft Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U4 eabfiltr;
S1 gabkbmlq; \??\C:\Windows\system32\drivers\gabkbmlq.sys [X]
S1 PCTSD; System32\Drivers\PCTSD64.sys [X]
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S0 TfFsMon; system32\drivers\TfFsMon.sys [X]
S3 TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [X]
S0 TFSysMon; system32\drivers\TfSysMon.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-05 18:38 - 2014-06-05 18:39 - 00014792 _____ () C:\Users\Brian Heidi\Desktop\FRST.txt
2014-06-05 18:38 - 2014-06-05 18:38 - 00000000 ____D () C:\Users\Brian Heidi\Desktop\FRST-OlderVersion
2014-06-05 15:49 - 2014-06-05 15:49 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-06-04 17:51 - 2014-06-04 17:51 - 00024448 _____ () C:\ComboFix.txt
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Public\AppData\Local\temp
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Default\AppData\Local\temp
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Default User\AppData\Local\temp
2014-06-02 21:14 - 2014-06-04 17:51 - 00000000 ____D () C:\Qoobox
2014-06-02 21:14 - 2014-06-02 21:29 - 00000000 ____D () C:\Windows\erdnt
2014-06-02 21:14 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-06-02 21:14 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-06-02 21:14 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-06-02 21:14 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-06-02 21:14 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-06-02 21:14 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-06-02 21:14 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-06-02 21:14 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-06-02 21:10 - 2014-06-02 21:10 - 05203398 ____R (Swearware) C:\Users\Brian Heidi\Desktop\ComboFix.exe
2014-06-01 21:11 - 2014-06-05 18:38 - 00000000 ____D () C:\FRST
2014-06-01 21:10 - 2014-06-05 18:38 - 02068992 _____ (Farbar) C:\Users\Brian Heidi\Desktop\FRST64.exe
2014-05-18 13:01 - 2014-05-06 00:40 - 23544320 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-18 13:01 - 2014-05-06 00:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-18 13:01 - 2014-05-05 23:25 - 17382912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-18 13:01 - 2014-05-05 23:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-18 13:01 - 2014-05-05 23:00 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-05-18 13:01 - 2014-05-05 22:10 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-18 12:52 - 2014-05-09 02:14 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-18 12:52 - 2014-05-09 02:11 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-05-18 12:52 - 2014-03-24 22:43 - 14175744 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-05-18 12:52 - 2014-03-24 22:09 - 12874240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2014-05-18 12:51 - 2014-04-11 22:22 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-05-18 12:51 - 2014-04-11 22:22 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2014-05-18 12:51 - 2014-04-11 22:19 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-05-18 12:51 - 2014-04-11 22:19 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2014-05-18 12:51 - 2014-04-11 22:19 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2014-05-18 12:51 - 2014-04-11 22:19 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2014-05-18 12:51 - 2014-04-11 22:19 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2014-05-18 12:51 - 2014-04-11 22:12 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-05-18 12:51 - 2014-04-11 22:10 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-05-18 12:51 - 2014-03-04 05:47 - 05550016 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2014-05-18 12:51 - 2014-03-04 05:44 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00722944 _____ (Microsoft Corporation) C:\Windows\system32\objsel.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\wincredprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-05-18 12:51 - 2014-03-04 05:43 - 00057344 _____ (Microsoft Corporation) C:\Windows\system32\cngprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\adprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\capiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\dpapiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\dimsroam.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-05-18 12:51 - 2014-03-04 05:20 - 03969984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2014-05-18 12:51 - 2014-03-04 05:20 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2014-05-18 12:51 - 2014-03-04 05:17 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\objsel.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cngprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\capiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpapiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dimsroam.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wincredprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-05-18 12:51 - 2014-03-04 05:16 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2014-05-18 12:42 - 2014-05-29 19:43 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-05-11 22:39 - 2014-05-18 13:27 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-05-11 22:32 - 2014-05-11 22:32 - 00000000 ____D () C:\ProgramData\Oracle
2014-05-11 22:31 - 2014-05-11 22:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-05-11 22:31 - 2014-05-11 22:30 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-05-11 22:31 - 2014-05-11 22:30 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-05-11 22:31 - 2014-05-11 22:30 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-05-11 22:31 - 2014-05-11 22:30 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-05-11 22:24 - 2014-05-11 22:24 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Oracle
2014-05-11 21:59 - 2014-05-11 21:59 - 00000000 ____D () C:\Windows\ERUNT
2014-05-11 21:32 - 2014-05-11 21:53 - 00000000 ____D () C:\AdwCleaner
2014-05-11 21:23 - 2014-05-11 21:23 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-05-11 20:04 - 2014-06-04 05:29 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-11 20:03 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-05-11 20:03 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-05-11 20:03 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-05-07 16:44 - 2014-05-07 16:45 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-05-07 16:44 - 2014-05-07 16:44 - 00001845 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-05-07 16:44 - 2014-05-07 16:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-05-07 16:44 - 2014-05-07 16:44 - 00000000 ____D () C:\ProgramData\Apple Computer

==================== One Month Modified Files and Folders =======

2014-06-05 18:39 - 2014-06-05 18:38 - 00014792 _____ () C:\Users\Brian Heidi\Desktop\FRST.txt
2014-06-05 18:39 - 2009-12-20 05:52 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Local\Temp
2014-06-05 18:38 - 2014-06-05 18:38 - 00000000 ____D () C:\Users\Brian Heidi\Desktop\FRST-OlderVersion
2014-06-05 18:38 - 2014-06-01 21:11 - 00000000 ____D () C:\FRST
2014-06-05 18:38 - 2014-06-01 21:10 - 02068992 _____ (Farbar) C:\Users\Brian Heidi\Desktop\FRST64.exe
2014-06-05 18:23 - 2013-12-21 17:11 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-06-05 17:43 - 2012-03-29 11:07 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-06-05 17:01 - 2013-06-16 03:11 - 01649539 _____ () C:\Windows\WindowsUpdate.log
2014-06-05 16:46 - 2013-11-10 22:34 - 00007430 _____ () C:\Windows\setupact.log
2014-06-05 15:49 - 2014-06-05 15:49 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-06-05 13:23 - 2013-12-21 17:11 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-06-05 12:27 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-05 12:27 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-04 17:51 - 2014-06-04 17:51 - 00024448 _____ () C:\ComboFix.txt
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Public\AppData\Local\temp
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Default\AppData\Local\temp
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Default User\AppData\Local\temp
2014-06-04 17:51 - 2014-06-02 21:14 - 00000000 ____D () C:\Qoobox
2014-06-04 17:46 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-06-04 05:29 - 2014-05-11 20:04 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-02 21:36 - 2009-08-09 04:12 - 00000000 ____D () C:\ProgramData\Temp
2014-06-02 21:33 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-06-02 21:29 - 2014-06-02 21:14 - 00000000 ____D () C:\Windows\erdnt
2014-06-02 21:25 - 2013-12-21 18:15 - 00110194 _____ () C:\Windows\PFRO.log
2014-06-02 21:25 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-02 21:24 - 2013-10-05 18:49 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\netObjUsb64
2014-06-02 21:24 - 2010-05-15 14:34 - 00511614 _____ () C:\ProgramData\dleascan.log
2014-06-02 21:23 - 2014-04-06 18:51 - 00109381 _____ () C:\ProgramData\dlea.log
2014-06-02 21:10 - 2014-06-02 21:10 - 05203398 ____R (Swearware) C:\Users\Brian Heidi\Desktop\ComboFix.exe
2014-05-31 12:45 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2014-05-30 08:52 - 2014-04-15 21:24 - 00000000 ____D () C:\Windows\Minidump
2014-05-30 08:52 - 2009-12-20 05:58 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Hewlett-Packard
2014-05-29 20:25 - 2013-12-21 17:11 - 00002102 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-05-29 19:43 - 2014-05-18 12:42 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-05-29 19:43 - 2013-05-13 19:24 - 00001040 _____ () C:\Users\Brian Heidi\Desktop\Dropbox.lnk
2014-05-29 19:43 - 2013-05-13 19:24 - 00000000 ___RD () C:\Users\Brian Heidi\Dropbox
2014-05-29 19:43 - 2013-05-13 19:22 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-05-29 19:43 - 2013-05-13 19:22 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Dropbox
2014-05-29 19:43 - 2009-12-20 05:58 - 00000000 ___RD () C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-05-29 19:37 - 2009-07-14 01:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-05-18 14:18 - 2011-05-21 15:55 - 00018432 ___SH () C:\Users\Brian Heidi\Thumbs.db
2014-05-18 13:49 - 2009-08-09 04:23 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-05-18 13:47 - 2011-06-15 14:47 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Yahoo!
2014-05-18 13:47 - 2010-04-04 00:01 - 00000000 ____D () C:\ProgramData\Yahoo!
2014-05-18 13:47 - 2010-04-03 23:57 - 00000000 ____D () C:\Program Files (x86)\Yahoo!
2014-05-18 13:45 - 2012-04-08 10:03 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Skype
2014-05-18 13:29 - 2009-12-20 05:58 - 00000000 ___RD () C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-05-18 13:27 - 2014-05-11 22:39 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-05-18 13:18 - 2013-12-21 17:11 - 00003904 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-05-18 13:18 - 2013-12-21 17:11 - 00003652 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-05-18 13:01 - 2012-03-29 14:41 - 03054111 _____ () C:\Windows\system32\Drivers\Cat.DB
2014-05-18 13:00 - 2013-07-17 14:43 - 00000000 ____D () C:\Windows\system32\MRT
2014-05-18 12:59 - 2009-12-20 15:15 - 93223848 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-05-11 22:32 - 2014-05-11 22:32 - 00000000 ____D () C:\ProgramData\Oracle
2014-05-11 22:32 - 2009-08-09 05:27 - 00000000 ____D () C:\Program Files (x86)\Java
2014-05-11 22:31 - 2014-05-11 22:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-05-11 22:30 - 2014-05-11 22:31 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-05-11 22:30 - 2014-05-11 22:31 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-05-11 22:30 - 2014-05-11 22:31 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-05-11 22:30 - 2014-05-11 22:31 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-05-11 22:24 - 2014-05-11 22:24 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Oracle
2014-05-11 21:59 - 2014-05-11 21:59 - 00000000 ____D () C:\Windows\ERUNT
2014-05-11 21:53 - 2014-05-11 21:32 - 00000000 ____D () C:\AdwCleaner
2014-05-11 21:24 - 2011-06-23 17:42 - 00512000 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2014-05-11 21:23 - 2014-05-11 21:23 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-05-11 21:07 - 2013-10-04 18:47 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Local\DellPhoto
2014-05-11 21:07 - 2009-07-14 01:37 - 00000000 ____D () C:\Windows\DigitalLocker
2014-05-11 20:48 - 2009-12-20 05:52 - 00000000 ____D () C:\Users\Brian Heidi
2014-05-11 20:07 - 2014-05-05 21:57 - 00000079 _____ () C:\Windows\system32\pkftvod.uao
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-09 02:14 - 2014-05-18 12:52 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-09 02:11 - 2014-05-18 12:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-05-07 16:45 - 2014-05-07 16:44 - 00000000 ____D () C:\Program Files (x86)\QuickTime
2014-05-07 16:44 - 2014-05-07 16:44 - 00001845 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-05-07 16:44 - 2014-05-07 16:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-05-07 16:44 - 2014-05-07 16:44 - 00000000 ____D () C:\ProgramData\Apple Computer
2014-05-07 16:10 - 2014-04-16 16:48 - 00003384 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-3693674917-764092900-2463050806-1000
2014-05-07 16:10 - 2014-04-16 16:48 - 00003262 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-3693674917-764092900-2463050806-1000
2014-05-07 11:24 - 2009-08-25 04:44 - 00000000 ____D () C:\ProgramData\Recovery
2014-05-06 17:45 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-05-06 00:40 - 2014-05-18 13:01 - 23544320 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-06 00:17 - 2014-05-18 13:01 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

Files to move or delete:
====================
C:\Users\Brian Heidi\gotomypc_533.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== BCD ================================

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
extendedinput           Yes
default                 {current}
resumeobject            {f04f848d-78e1-11de-b692-abbf25df600e}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
customactions           0x1000085000001
                        0x5400000f
custom:5400000f         {7ecaf2ac-9158-11de-8a8a-aa6df7ea8179}

Windows Boot Loader
-------------------
identifier              {572bcd60-ffa7-11d9-aae0-0007e994107d}
device                  ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
path                    \windows\system32\boot\winload.exe
description             Microsoft Windows PE 2.0
osdevice                ramdisk=[boot]\sources\boot.wim,{ramdiskoptions}
systemroot              \windows
detecthal               Yes
winpe                   Yes
ems                     Yes

Windows Boot Loader
-------------------
identifier              {7ecaf2ac-9158-11de-8a8a-aa6df7ea8179}
device                  ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{7ecaf2ad-9158-11de-8a8a-aa6df7ea8179}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
inherit                 {bootloadersettings}
osdevice                ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{7ecaf2ad-9158-11de-8a8a-aa6df7ea8179}
systemroot              \windows
nx                      OptIn
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {7ecaf2ac-9158-11de-8a8a-aa6df7ea8179}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
resumeobject            {f04f848d-78e1-11de-b692-abbf25df600e}
nx                      OptIn

Resume from Hibernate
---------------------
identifier              {f04f848d-78e1-11de-b692-abbf25df600e}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
filedevice              partition=C:
filepath                \hiberfil.sys
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 Yes

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {7ecaf2ad-9158-11de-8a8a-aa6df7ea8179}
description             Ramdisk Options
ramdisksdidevice        partition=D:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi

Setup Ramdisk Options
---------------------
identifier              {ramdiskoptions}
description             Ramdisk Options
ramdisksdidevice        boot
ramdisksdipath          \boot\boot.sdi

LastRegBack: 2014-06-02 22:04

==================== End Of Log ============================

#14 TheShooter93 (Cody)

  • Malware Response Team
  • 4,792 posts
  • Gender:Male
  • Location:Orlando, Florida

Posted 06 June 2014 - 08:23 AM

Hello ozeal,

Looks like ESET found some malicious entries on your computer as well. We're almost there!  :thumbsup:

Your FRST log also showed a couple of things... please do the following.
 
----------
 
Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt

SearchScopes: HKLM - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl 
SearchScopes: HKLM-x32 - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.

===================================================
 
In your next post please include another fresh FRST log, just in case anything else pops up.  :)
 
===================================================
 
What I'd like to see in your next post:  :thumbsup2:

  • Fixlog.txt
  • Fresh FRST log
  • How is your computer running?

Edited by TheShooter93, 06 June 2014 - 08:24 AM.

CCNA R&S | CCNA Security | Network+ | B.S. - Information Technology | Cyber Security Engineer

If I am helping you and have not replied within 48 hours, please send me a private message.

#15 ozeal (Topic Starter)

  • Members
  • 12 posts

Posted 07 June 2014 - 07:11 AM

Computer is running well - it's just that what I don't understand or see running is my concern :devil:

Logs as requested:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-06-2014
Ran by Brian Heidi at 2014-06-07 08:02:59 Run:1
Running from C:\Users\Brian Heidi\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
SearchScopes: HKLM - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
*****************

'HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0809851D-6B6B-49C8-93A3-D43B32E2A276}' => Key deleted successfully.
'HKCR\CLSID\{0809851D-6B6B-49C8-93A3-D43B32E2A276}'=> Key not found.
'HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0809851D-6B6B-49C8-93A3-D43B32E2A276}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{0809851D-6B6B-49C8-93A3-D43B32E2A276}'=> Key not found.

==== End of Fixlog ====

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 06-06-2014
Ran by Brian Heidi (administrator) on BRIANHEIDI-PC on 07-06-2014 08:04:08
Running from C:\Users\Brian Heidi\Desktop
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\System Mechanic\ioloGovernor64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
() C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe
() C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Dropbox, Inc.) C:\Users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Threat Expert Ltd.) C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(CyberLink Corp.) C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
(CyberLink) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610872 2009-07-21] ()
HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [dleamon.exe] => C:\Program Files (x86)\Dell V310-V510 Series\dleamon.exe [770728 2010-08-09] ()
HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Dell V310-V510 Series\ezprint.exe [139944 2010-08-09] ()
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-23] (IDT, Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1439496 2010-10-19] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\.DEFAULT\...\Policies\system: [WallpaperStyle] 2
HKU\S-1-5-21-3693674917-764092900-2463050806-1000\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\system32\Macromed\Flash\FlashUtil64_13_0_0_206_ActiveX.exe [533680 2014-05-01] (Adobe Systems Incorporated)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Brian Heidi\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKCU - PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {B49CAB8F-6EC1-44C3-9ED5-21F4DA4E6E57} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKCU - {0809851D-6B6B-49C8-93A3-D43B32E2A276} URL =
SearchScopes: HKCU - {B49CAB8F-6EC1-44C3-9ED5-21F4DA4E6E57} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
BHO: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: HKLM-x32 {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files (x86)\Yahoo!\Common\Yinsthelper.dll
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\syswow64\urlmon.dll (Microsoft Corporation)
Handler-x32: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76 192.168.33.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=16.0.3.51 - c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=16.0.3.51 - c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2009-08-09]
FF HKLM-x32\...\Firefox\Extensions: [{cb84136f-9c44-433a-9048-c5cd9df1dc16}] - C:\Program Files (x86)\PC Tools Security\BDT\Firefox\
FF Extension: Browser Guard Toolbar - C:\Program Files (x86)\PC Tools Security\BDT\Firefox\ []
FF HKLM-x32\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ []
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-09-08]

Chrome:
=======
CHR HomePage:
CHR Extension: (Google Docs) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-12-21]
CHR Extension: (Google Drive) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-12-21]
CHR Extension: (YouTube) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-12-21]
CHR Extension: (Google Search) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-12-21]
CHR Extension: (RealDownloader) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-12-21]
CHR Extension: (Skype Click to Call) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-12-21]
CHR Extension: (Google Wallet) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-21]
CHR Extension: (Gmail) - C:\Users\Brian Heidi\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-12-21]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]

==================== Services (Whitelisted) =================

S4 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
R2 Browser Defender Update Service; C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe [575448 2012-06-14] (Threat Expert Ltd.)
S3 dleaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\dleaserv.exe [45224 2010-05-21] ()
S4 dlea_device; C:\Windows\system32\dleacoms.exe [1052328 2010-05-21] ( )
S4 dlea_device; C:\Windows\SysWOW64\dleacoms.exe [598696 2010-05-21] ( )
S4 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [290832 2011-12-12] (Verizon)
R2 ioloSystemService; C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [4492776 2014-04-30] (iolo technologies, LLC)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)
S4 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S4 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-01-21] ()
S4 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe [247808 2010-03-23] (IDT, Inc.)
S4 VideoAcceleratorService; C:\Program Files (x86)\SpeedBit Video Accelerator\VideoAcceleratorService.exe [281768 2013-12-20] (SPEEDbit)
S2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [X]

==================== Drivers (Whitelisted) ====================

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 ElRawDisk; C:\Windows\system32\drivers\ElRawDsk.sys [30752 2013-12-03] (EldoS Corporation)
S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [40904 2010-03-04] (McAfee, Inc.)
S3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [49480 2010-03-04] (McAfee, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)
R1 MPFP; C:\Windows\System32\Drivers\Mpfp.sys [176144 2009-07-16] (McAfee, Inc.)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)
S3 PCTBD; C:\Windows\System32\Drivers\PCTBD64.sys [85224 2012-06-14] (PC Tools)
R0 pctDS; C:\Windows\System32\drivers\pctDS64.sys [453896 2012-02-28] (PC Tools)
R0 pctEFA; C:\Windows\System32\drivers\pctEFA64.sys [1096176 2012-02-28] (PC Tools)
S3 ssrangdr; C:\Windows\System32\DRIVERS\ssrangdr.sys [4608 2009-12-13] (SupportSoft Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U4 eabfiltr;
S1 gabkbmlq; \??\C:\Windows\system32\drivers\gabkbmlq.sys [X]
S1 PCTSD; System32\Drivers\PCTSD64.sys [X]
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S0 TfFsMon; system32\drivers\TfFsMon.sys [X]
S3 TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [X]
S0 TFSysMon; system32\drivers\TfSysMon.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-05 18:38 - 2014-06-07 08:04 - 00015730 _____ () C:\Users\Brian Heidi\Desktop\FRST.txt
2014-06-05 18:38 - 2014-06-07 08:02 - 00000000 ____D () C:\Users\Brian Heidi\Desktop\FRST-OlderVersion
2014-06-05 15:49 - 2014-06-05 15:49 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-06-04 17:51 - 2014-06-04 17:51 - 00024448 _____ () C:\ComboFix.txt
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Public\AppData\Local\temp
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Default\AppData\Local\temp
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Default User\AppData\Local\temp
2014-06-02 21:14 - 2014-06-04 17:51 - 00000000 ____D () C:\Qoobox
2014-06-02 21:14 - 2014-06-02 21:29 - 00000000 ____D () C:\Windows\erdnt
2014-06-02 21:14 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-06-02 21:14 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-06-02 21:14 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-06-02 21:14 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-06-02 21:14 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-06-02 21:14 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-06-02 21:14 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-06-02 21:14 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-06-02 21:10 - 2014-06-02 21:10 - 05203398 ____R (Swearware) C:\Users\Brian Heidi\Desktop\ComboFix.exe
2014-06-01 21:11 - 2014-06-07 08:04 - 00000000 ____D () C:\FRST
2014-06-01 21:10 - 2014-06-07 08:02 - 02072576 _____ (Farbar) C:\Users\Brian Heidi\Desktop\FRST64.exe
2014-05-18 13:01 - 2014-05-06 00:40 - 23544320 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-18 13:01 - 2014-05-06 00:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-18 13:01 - 2014-05-05 23:25 - 17382912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-18 13:01 - 2014-05-05 23:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-18 13:01 - 2014-05-05 23:00 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-05-18 13:01 - 2014-05-05 22:10 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-18 12:52 - 2014-05-09 02:14 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-18 12:52 - 2014-05-09 02:11 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-05-18 12:52 - 2014-03-24 22:43 - 14175744 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-05-18 12:52 - 2014-03-24 22:09 - 12874240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2014-05-18 12:51 - 2014-04-11 22:22 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-05-18 12:51 - 2014-04-11 22:22 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2014-05-18 12:51 - 2014-04-11 22:19 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-05-18 12:51 - 2014-04-11 22:19 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2014-05-18 12:51 - 2014-04-11 22:19 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2014-05-18 12:51 - 2014-04-11 22:19 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2014-05-18 12:51 - 2014-04-11 22:19 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2014-05-18 12:51 - 2014-04-11 22:12 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-05-18 12:51 - 2014-04-11 22:10 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-05-18 12:51 - 2014-03-04 05:47 - 05550016 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2014-05-18 12:51 - 2014-03-04 05:44 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00722944 _____ (Microsoft Corporation) C:\Windows\system32\objsel.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-05-18 12:51 - 2014-03-04 05:44 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\wincredprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-05-18 12:51 - 2014-03-04 05:43 - 00057344 _____ (Microsoft Corporation) C:\Windows\system32\cngprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\adprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\capiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\dpapiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\dimsroam.dll
2014-05-18 12:51 - 2014-03-04 05:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-05-18 12:51 - 2014-03-04 05:20 - 03969984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2014-05-18 12:51 - 2014-03-04 05:20 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2014-05-18 12:51 - 2014-03-04 05:17 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\objsel.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cngprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\capiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpapiprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dimsroam.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wincredprovider.dll
2014-05-18 12:51 - 2014-03-04 05:17 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-05-18 12:51 - 2014-03-04 05:16 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2014-05-18 12:42 - 2014-06-07 07:59 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-05-11 22:39 - 2014-05-18 13:27 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-05-11 22:32 - 2014-05-11 22:32 - 00000000 ____D () C:\ProgramData\Oracle
2014-05-11 22:31 - 2014-05-11 22:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-05-11 22:31 - 2014-05-11 22:30 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-05-11 22:31 - 2014-05-11 22:30 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-05-11 22:31 - 2014-05-11 22:30 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-05-11 22:31 - 2014-05-11 22:30 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-05-11 22:24 - 2014-05-11 22:24 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Oracle
2014-05-11 21:59 - 2014-05-11 21:59 - 00000000 ____D () C:\Windows\ERUNT
2014-05-11 21:32 - 2014-05-11 21:53 - 00000000 ____D () C:\AdwCleaner
2014-05-11 21:23 - 2014-05-11 21:23 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-05-11 20:04 - 2014-06-04 05:29 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-11 20:03 - 2014-04-03 09:51 - 00088280 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-05-11 20:03 - 2014-04-03 09:51 - 00063192 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-05-11 20:03 - 2014-04-03 09:50 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

==================== One Month Modified Files and Folders =======

2014-06-07 08:04 - 2014-06-05 18:38 - 00015730 _____ () C:\Users\Brian Heidi\Desktop\FRST.txt
2014-06-07 08:04 - 2014-06-01 21:11 - 00000000 ____D () C:\FRST
2014-06-07 08:04 - 2013-06-16 03:11 - 01693854 _____ () C:\Windows\WindowsUpdate.log
2014-06-07 08:04 - 2009-12-20 05:52 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Local\Temp
2014-06-07 08:03 - 2014-04-06 18:51 - 00109470 _____ () C:\ProgramData\dlea.log
2014-06-07 08:03 - 2010-05-15 14:34 - 00512258 _____ () C:\ProgramData\dleascan.log
2014-06-07 08:02 - 2014-06-05 18:38 - 00000000 ____D () C:\Users\Brian Heidi\Desktop\FRST-OlderVersion
2014-06-07 08:02 - 2014-06-01 21:10 - 02072576 _____ (Farbar) C:\Users\Brian Heidi\Desktop\FRST64.exe
2014-06-07 08:01 - 2009-07-14 01:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-07 07:59 - 2014-05-18 12:42 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\DropboxMaster
2014-06-07 07:59 - 2013-05-13 19:24 - 00000000 ___RD () C:\Users\Brian Heidi\Dropbox
2014-06-07 07:59 - 2013-05-13 19:22 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Dropbox
2014-06-07 07:57 - 2013-12-21 18:15 - 00111172 _____ () C:\Windows\PFRO.log
2014-06-07 07:57 - 2013-12-21 17:11 - 00000904 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-06-07 07:57 - 2013-11-10 22:34 - 00007486 _____ () C:\Windows\setupact.log
2014-06-07 07:57 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-05 18:43 - 2012-03-29 11:07 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-06-05 18:23 - 2013-12-21 17:11 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-06-05 15:49 - 2014-06-05 15:49 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-06-05 12:27 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-05 12:27 - 2009-07-14 00:45 - 00023248 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-04 17:51 - 2014-06-04 17:51 - 00024448 _____ () C:\ComboFix.txt
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Public\AppData\Local\temp
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Default\AppData\Local\temp
2014-06-04 17:51 - 2014-06-04 17:51 - 00000000 ____D () C:\Users\Default User\AppData\Local\temp
2014-06-04 17:51 - 2014-06-02 21:14 - 00000000 ____D () C:\Qoobox
2014-06-04 17:46 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-06-04 05:29 - 2014-05-11 20:04 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-02 21:36 - 2009-08-09 04:12 - 00000000 ____D () C:\ProgramData\Temp
2014-06-02 21:33 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-06-02 21:29 - 2014-06-02 21:14 - 00000000 ____D () C:\Windows\erdnt
2014-06-02 21:24 - 2013-10-05 18:49 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\netObjUsb64
2014-06-02 21:10 - 2014-06-02 21:10 - 05203398 ____R (Swearware) C:\Users\Brian Heidi\Desktop\ComboFix.exe
2014-05-31 12:45 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2014-05-30 08:52 - 2014-04-15 21:24 - 00000000 ____D () C:\Windows\Minidump
2014-05-30 08:52 - 2009-12-20 05:58 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Hewlett-Packard
2014-05-29 20:25 - 2013-12-21 17:11 - 00002102 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-05-29 19:43 - 2013-05-13 19:24 - 00001040 _____ () C:\Users\Brian Heidi\Desktop\Dropbox.lnk
2014-05-29 19:43 - 2013-05-13 19:22 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-05-29 19:43 - 2009-12-20 05:58 - 00000000 ___RD () C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-05-18 14:18 - 2011-05-21 15:55 - 00018432 ___SH () C:\Users\Brian Heidi\Thumbs.db
2014-05-18 13:49 - 2009-08-09 04:23 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-05-18 13:47 - 2011-06-15 14:47 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Yahoo!
2014-05-18 13:47 - 2010-04-04 00:01 - 00000000 ____D () C:\ProgramData\Yahoo!
2014-05-18 13:47 - 2010-04-03 23:57 - 00000000 ____D () C:\Program Files (x86)\Yahoo!
2014-05-18 13:45 - 2012-04-08 10:03 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Skype
2014-05-18 13:29 - 2009-12-20 05:58 - 00000000 ___RD () C:\Users\Brian Heidi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-05-18 13:27 - 2014-05-11 22:39 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-05-18 13:18 - 2013-12-21 17:11 - 00003904 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-05-18 13:18 - 2013-12-21 17:11 - 00003652 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-05-18 13:01 - 2012-03-29 14:41 - 03054111 _____ () C:\Windows\system32\Drivers\Cat.DB
2014-05-18 13:00 - 2013-07-17 14:43 - 00000000 ____D () C:\Windows\system32\MRT
2014-05-18 12:59 - 2009-12-20 15:15 - 93223848 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-05-11 22:32 - 2014-05-11 22:32 - 00000000 ____D () C:\ProgramData\Oracle
2014-05-11 22:32 - 2009-08-09 05:27 - 00000000 ____D () C:\Program Files (x86)\Java
2014-05-11 22:31 - 2014-05-11 22:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-05-11 22:30 - 2014-05-11 22:31 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-05-11 22:30 - 2014-05-11 22:31 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-05-11 22:30 - 2014-05-11 22:31 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-05-11 22:30 - 2014-05-11 22:31 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-05-11 22:24 - 2014-05-11 22:24 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Roaming\Oracle
2014-05-11 21:59 - 2014-05-11 21:59 - 00000000 ____D () C:\Windows\ERUNT
2014-05-11 21:53 - 2014-05-11 21:32 - 00000000 ____D () C:\AdwCleaner
2014-05-11 21:24 - 2011-06-23 17:42 - 00512000 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2014-05-11 21:23 - 2014-05-11 21:23 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-05-11 21:07 - 2013-10-04 18:47 - 00000000 ____D () C:\Users\Brian Heidi\AppData\Local\DellPhoto
2014-05-11 21:07 - 2009-07-14 01:37 - 00000000 ____D () C:\Windows\DigitalLocker
2014-05-11 20:48 - 2009-12-20 05:52 - 00000000 ____D () C:\Users\Brian Heidi
2014-05-11 20:07 - 2014-05-05 21:57 - 00000079 _____ () C:\Windows\system32\pkftvod.uao
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-11 20:03 - 2014-05-11 20:03 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-09 02:14 - 2014-05-18 12:52 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-09 02:11 - 2014-05-18 12:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll

Files to move or delete:
====================
C:\Users\Brian Heidi\gotomypc_533.exe

Some content of TEMP:
====================
C:\Users\Brian Heidi\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpdt_kt5.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-06-02 22:04

==================== End Of Log ============================