
Trojan.0Access rootkit infection reported by Malwarebytes


12 replies to this topic

#1 willie6973

willie6973

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Location:New Orleans
  • Local time:04:20 PM

Posted 31 May 2014 - 05:46 PM

Trojan.0Access rootkit infection reported by Malwarebytes AntiMalware and Anti-Rootkit (Beta) 

Requests advice / directions on how to remove, or other next step.

 

Subject machine - Win 7 SP1 up to date. 

A virus problem initially reported and supposedly cleaned by Avast free antivirus. Avast identified Java:Malware-gen [Trj] in 30+ objects. No other symptoms reported by primary user. The system seems fine to me based upon a few minutes' use opening a few web pages, downloading and running tools. Primary user is spouse with limited computer skills. She did mention the virus warning had been there a few days.

 

I posted this problem and a baseline set of problem-identification logs as "MBAR (Beta) reports Trojan.0Access; Avast, MBAM, other report clean". I was politely advised: "You have picked up a nasty Zero Access Rootkit infection, please follow the directions below".

 

I foolishly did not follow the directions and instead attempted additional independent confirmation of a rootkit infection, and other activities, as follows:

  o  Removed out-of-date Java

  o  Allowed Windows Update to run

  o  Downloaded, created, booted and ran the most recent stand-alone rescue CD from several antivirus vendors. Allowed them to update their own virus database via the internet during package use. Attempted to keep it non-intrusive. Used scan only whenever offered and I could find the settings. Declined remove/fix/etc. if offered. All reported clean except Sophos. Used the following:

      AVG CD version 120.140203; AVG version 13.0.3115 - reports clean

      Kaspersky Rescue Disk 10.0.32.17 - reports clean

      Avira Rescue System product 1.0.0.91 VDF 7.11.151.204 2014/05/28 AVE 8.3.18.32 - reports clean

      Sophos Rescue CD - product 4.96.4; engine 3.5.1..0; virus data 5.00

          ran as scan only with recommended levels (NOT advanced mode).

          reported: 3 errors; 1 virus - MAL/ZAccConf.A

 

Downloaded and ran several rootkit scan/remove tools. Used scan mode where offered (or where I could find the setting). Several would not run, saying wrong OS or cannot run in 64-bit mode. GMER seemed to report problem(s) that changed with each run (logs attached).

 

Finally it began to dawn on me. I was not compliant with the polite request "please follow the directions below". Furthermore, I had not documented the rootkit attempts or results. Effectively I was at the bottom of a hole digging it deeper. So I quit. (I plead stupidity compounded by exhaustion.)

 

In order to re-establish the baseline I have re-run the Security Check/FSS/MiniToolBox, etc. suite and posted the results below. Also ran DSS and posted below.

 

Any assistance would be gratefully appreciated. Any directions dutifully followed.

 

The system appears to be functioning normally. It is offline and out of service and will remain so until fixed.

The system contains partitions for HP TOOLS and recovery if required. I also have the boot CDs mentioned above and can obtain / create any others required. Long ago I was an enterprise sysadmin for Novell, Unix, Xenix, Windows. Also an electronics tech, USN.

 

I have spare USB drives, USB disks, etc. Also a working knowledge of computer hardware, software, security, etc., as I am a retired IT worker and former InfraGard member.

 

 

 +—+—+—+—+—+—+—+—+—+—+—+++

START OF Security Check/FSS/MiniToolBox/… logs

 +—+—+—+—+—+—+—+—+—+—+—+++

 Results of screen317's Security Check version 0.99.83  

 Windows 7 Service Pack 1 x64 (UAC is enabled)  

 Internet Explorer 11  

``````````````Antivirus/Firewall Check:``````````````

 Windows Firewall Enabled!  

avast! Antivirus   

 Antivirus up to date!   

`````````Anti-malware/Other Utilities Check:`````````

 Adobe Flash Player 13.0.0.214  

 Adobe Reader XI  

 Mozilla Firefox (29.0.1) 

 Google Chrome 34.0.1847.137  

 Google Chrome 35.0.1916.114  

````````Process Check: objlist.exe by Laurent````````

 Malwarebytes Anti-Malware mbamservice.exe  

 Malwarebytes Anti-Malware mbam.exe  

 Malwarebytes Anti-Malware mbamscheduler.exe   

 AVAST Software Avast AvastSvc.exe  

 AVAST Software Avast AvastUI.exe  

`````````````````System Health check`````````````````

 Total Fragmentation on Drive C: 0% 

````````````````````End of Log``````````````````````

 

 

Farbar Service Scanner Version: 21-05-2014

Ran by admin (administrator) on 31-05-2014 at 10:04:06

Running from "C:\Users\admin\Downloads"

Microsoft Windows 7 Home Premium  Service Pack 1 (X64)

Boot Mode: Normal

****************************************************************

 

Internet Services:

============

 

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo.com is accessible.

 

 

Windows Firewall:

=============

 

Firewall Disabled Policy: 

==================

 

 

System Restore:

============

 

System Restore Disabled Policy: 

========================

 

 

Action Center:

============

 

 

Windows Update:

============

 

Windows Autoupdate Disabled Policy: 

============================

 

 

Windows Defender:

==============

 

Other Services:

==============

 

 

File Check:

========

C:\Windows\System32\nsisvc.dll => MD5 is legit

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit

C:\Windows\System32\dhcpcore.dll => MD5 is legit

C:\Windows\System32\drivers\afd.sys => MD5 is legit

C:\Windows\System32\drivers\tdx.sys => MD5 is legit

C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit

C:\Windows\System32\dnsrslvr.dll => MD5 is legit

C:\Windows\System32\mpssvc.dll => MD5 is legit

C:\Windows\System32\bfe.dll => MD5 is legit

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit

C:\Windows\System32\SDRSVC.dll => MD5 is legit

C:\Windows\System32\vssvc.exe => MD5 is legit

C:\Windows\System32\wscsvc.dll => MD5 is legit

C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\System32\wuaueng.dll => MD5 is legit

C:\Windows\System32\qmgr.dll => MD5 is legit

C:\Windows\System32\es.dll => MD5 is legit

C:\Windows\System32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\System32\ipnathlp.dll => MD5 is legit

C:\Windows\System32\iphlpsvc.dll => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\rpcss.dll => MD5 is legit

 

 

**** End of log ****

 

MiniToolBox by Farbar  Version: 23-01-2014

Ran by admin (administrator) on 31-05-2014 at 10:06:45

Running from "C:\Users\admin\Downloads"

Microsoft Windows 7 Home Premium  Service Pack 1 (X64)

Boot Mode: Normal

***************************************************************************

 

========================= IE Proxy Settings: ============================== 

 

Proxy is not enabled.

No Proxy Server is set.

 

========================= FF Proxy Settings: ============================== 

 

========================= Hosts content: =================================

 

 

 

========================= IP Configuration: ================================

 

Realtek PCIe FE Family Controller = Local Area Connection (Connected)

Ralink RT5390 802.11b/g/n WiFi Adapter = Wireless Network Connection (Media disconnected)

Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)

 

 

# ----------------------------------

# IPv4 Configuration

# ----------------------------------

pushd interface ipv4

 

reset

set global icmpredirects=enabled

 

 

popd

# End of IPv4 configuration

 

 

 

Windows IP Configuration

 

   Host Name . . . . . . . . . . . . : HP-notebook

   Primary Dns Suffix  . . . . . . . : 

   Node Type . . . . . . . . . . . . : Hybrid

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : gateway.2wire.net

 

Wireless LAN adapter Wireless Network Connection 2:

 

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : 

   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter

   Physical Address. . . . . . . . . : 60-D8-19-39-D6-9D

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

 

Ethernet adapter Local Area Connection:

 

   Connection-specific DNS Suffix  . : gateway.2wire.net

   Description . . . . . . . . . . . : Realtek PCIe FE Family Controller

   Physical Address. . . . . . . . . : 78-E3-B5-63-22-80

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

   Link-local IPv6 Address . . . . . : fe80::1cea:53da:a087:2be4%12(Preferred) 

   IPv4 Address. . . . . . . . . . . : 192.168.1.73(Preferred) 

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Lease Obtained. . . . . . . . . . : Saturday, May 31, 2014 9:56:10 AM

   Lease Expires . . . . . . . . . . : Sunday, June 01, 2014 9:56:09 AM

   Default Gateway . . . . . . . . . : 192.168.1.254

   DHCP Server . . . . . . . . . . . : 192.168.1.254

   DHCPv6 IAID . . . . . . . . . . . : 343466933

   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-7A-ED-5A-60-D8-19-39-D6-9C

   DNS Servers . . . . . . . . . . . : 192.168.1.254

   NetBIOS over Tcpip. . . . . . . . : Enabled

 

Wireless LAN adapter Wireless Network Connection:

 

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : gateway.2wire.net

   Description . . . . . . . . . . . : Ralink RT5390 802.11b/g/n WiFi Adapter

   Physical Address. . . . . . . . . : 60-D8-19-39-D6-9C

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

 

Tunnel adapter isatap.gateway.2wire.net:

 

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . : gateway.2wire.net

   Description . . . . . . . . . . . : Microsoft ISATAP Adapter

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

 

Tunnel adapter Teredo Tunneling Pseudo-Interface:

 

   Connection-specific DNS Suffix  . : 

   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:24ec:3809:93b7:c9f8(Preferred) 

   Link-local IPv6 Address . . . . . : fe80::24ec:3809:93b7:c9f8%13(Preferred) 

   Default Gateway . . . . . . . . . : ::

   NetBIOS over Tcpip. . . . . . . . : Disabled

Server:  homeportal

Address:  192.168.1.254

 

Name:    google.com

Addresses:  2607:f8b0:4002:c07::8a

  74.125.196.102

  74.125.196.113

  74.125.196.100

  74.125.196.138

  74.125.196.139

  74.125.196.101

 

 

Pinging google.com [74.125.196.101] with 32 bytes of data:

Reply from 74.125.196.101: bytes=32 time=37ms TTL=43

Reply from 74.125.196.101: bytes=32 time=36ms TTL=43

 

Ping statistics for 74.125.196.101:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 36ms, Maximum = 37ms, Average = 36ms

Server:  homeportal

Address:  192.168.1.254

 

Name:    yahoo.com

Addresses:  98.139.183.24

  98.138.253.109

  206.190.36.45

 

 

Pinging yahoo.com [98.138.253.109] with 32 bytes of data:

Reply from 98.138.253.109: bytes=32 time=88ms TTL=46

Reply from 98.138.253.109: bytes=32 time=80ms TTL=46

 

Ping statistics for 98.138.253.109:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 80ms, Maximum = 88ms, Average = 84ms

 

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

 

Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================

Interface List

 14...60 d8 19 39 d6 9d ......Microsoft Virtual WiFi Miniport Adapter

 12...78 e3 b5 63 22 80 ......Realtek PCIe FE Family Controller

 11...60 d8 19 39 d6 9c ......Ralink RT5390 802.11b/g/n WiFi Adapter

  1...........................Software Loopback Interface 1

 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter

 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

===========================================================================

 

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.73     20

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

      192.168.1.0    255.255.255.0         On-link      192.168.1.73    276

     192.168.1.73  255.255.255.255         On-link      192.168.1.73    276

    192.168.1.255  255.255.255.255         On-link      192.168.1.73    276

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link      192.168.1.73    276

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link      192.168.1.73    276

===========================================================================

Persistent Routes:

  None

 

IPv6 Route Table

===========================================================================

Active Routes:

 If Metric Network Destination      Gateway

 13     58 ::/0                     On-link

  1    306 ::1/128                  On-link

 13     58 2001::/32                On-link

 13    306 2001:0:9d38:6abd:24ec:3809:93b7:c9f8/128

                                    On-link

 12    276 fe80::/64                On-link

 13    306 fe80::/64                On-link

 12    276 fe80::1cea:53da:a087:2be4/128

                                    On-link

 13    306 fe80::24ec:3809:93b7:c9f8/128

                                    On-link

  1    306 ff00::/8                 On-link

 13    306 ff00::/8                 On-link

 12    276 ff00::/8                 On-link

===========================================================================

Persistent Routes:

  None

========================= Winsock entries =====================================

 

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)

Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)

Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)

Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)

Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)

Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)

Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)

Catalog5 09 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)

Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)

x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)

x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)

x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)

x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)

x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)

x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)

x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)

x64-Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)

x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

 

========================= Event log errors: ===============================

 

Application errors:

==================

Error: (05/31/2014 09:54:27 AM) (Source: WinMgmt) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (05/31/2014 00:39:26 AM) (Source: Application Error) (User: )

Description: Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa

Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa

Exception code: 0xc0000005

Fault offset: 0x000040cd

Faulting process id: 0x16e4

Faulting application start time: 0xRootkitRevealer.exe0

Faulting application path: RootkitRevealer.exe1

Faulting module path: RootkitRevealer.exe2

Report Id: RootkitRevealer.exe3

 

Error: (05/31/2014 00:38:38 AM) (Source: Application Error) (User: )

Description: Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa

Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa

Exception code: 0xc0000005

Fault offset: 0x000040cd

Faulting process id: 0xe78

Faulting application start time: 0xRootkitRevealer.exe0

Faulting application path: RootkitRevealer.exe1

Faulting module path: RootkitRevealer.exe2

Report Id: RootkitRevealer.exe3

 

Error: (05/30/2014 11:27:25 PM) (Source: WinMgmt) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (05/30/2014 11:18:21 PM) (Source: WinMgmt) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (05/30/2014 07:20:21 PM) (Source: WinMgmt) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (05/30/2014 11:56:20 AM) (Source: WinMgmt) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (05/30/2014 09:56:35 AM) (Source: WinMgmt) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (05/29/2014 10:56:19 PM) (Source: Bonjour Service) (User: )

Description: Task Scheduling Error: m->NextScheduledSPRetry 15615

 

Error: (05/29/2014 10:56:19 PM) (Source: Bonjour Service) (User: )

Description: Task Scheduling Error: m->NextScheduledEvent 15615

 

 

System errors:

=============

Error: (05/31/2014 00:51:38 AM) (Source: Application Popup) (User: )

Description: \??\C:\Windows\SysWow64\drivers\ajbovv8x.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

 

Error: (05/30/2014 11:27:29 PM) (Source: DCOM) (User: NT AUTHORITY)

Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

 

Error: (05/30/2014 07:20:09 PM) (Source: DCOM) (User: NT AUTHORITY)

Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

 

Error: (05/30/2014 00:04:29 PM) (Source: Service Control Manager) (User: )

Description: The Server service terminated with the following error: 

%%1062

 

Error: (05/30/2014 00:04:27 PM) (Source: Service Control Manager) (User: )

Description: The AMD FUEL Service service terminated with the following error: 

%%21

 

Error: (05/30/2014 11:55:57 AM) (Source: DCOM) (User: NT AUTHORITY)

Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

 

Error: (05/30/2014 11:50:56 AM) (Source: BugCheck) (User: )

Description: 0x000000fe (0x0000000000000008, 0x0000000000000006, 0x0000000000000006, 0xfffffa80054a8000)C:\Windows\Minidump\053014-19796-01.dmp053014-19796-01

 

Error: (05/30/2014 09:57:16 AM) (Source: DCOM) (User: NT AUTHORITY)

Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

 

Error: (05/30/2014 09:54:58 AM) (Source: BugCheck) (User: )

Description: 0x000000fe (0x0000000000000008, 0x0000000000000006, 0x0000000000000006, 0xfffffa8005e64640)C:\Windows\Minidump\053014-23010-01.dmp053014-23010-01

 

Error: (05/30/2014 09:54:54 AM) (Source: EventLog) (User: )

Description: The previous system shutdown at 10:55:32 PM on ?5/?29/?2014 was unexpected.

 

 

Microsoft Office Sessions:

=========================

 

=========================== Installed Programs ============================

 

Adobe Flash Player 13 Plugin (Version: 13.0.0.214)

Adobe Reader XI (11.0.07) (Version: 11.0.07)

Adobe Shockwave Player 12.0 (Version: 12.0.9.149)

Agatha Christie - Peril at End House (Version: 2.2.0.95)

AMD APP SDK Runtime (Version: 2.4.650.9)

AMD Fuel (Version: 2011.0705.1115.18310)

AMD Media Foundation Decoders (Version: 1.0.60705.1113)

AMD Steady Video Plug-In  (Version: 1.00.0000)

AMD VISION Engine Control Center (Version: 2011.0705.1115.18310)

Apple Application Support (Version: 3.0.1)

Apple Mobile Device Support (Version: 7.1.1.3)

Apple Software Update (Version: 2.1.3.127)

ATI Catalyst Install Manager (Version: 3.0.829.0)

avast! Free Antivirus (Version: 9.0.2018)

Bejeweled 3 (Version: 2.2.0.97)

Blackhawk Striker 2 (Version: 2.2.0.95)

Blasterball 3 (Version: 2.2.0.97)

Blio (Version: 2.2.6699)

Bonjour (Version: 3.0.0.10)

Bonjour Print Services (Version: 2.0.2.0)

Bounce Symphony (Version: 2.2.0.97)

Cake Mania (Version: 2.2.0.95)

Catalyst Control Center - Branding (Version: 1.00.0000)

Catalyst Control Center Graphics Previews Common (Version: 2011.0705.1115.18310)

Catalyst Control Center InstallProxy (Version: 2011.0705.1115.18310)

Catalyst Control Center Localization All (Version: 2011.0705.1115.18310)

CCC Help Chinese Standard (Version: 2011.0705.1114.18310)

CCC Help Chinese Traditional (Version: 2011.0705.1114.18310)

CCC Help Czech (Version: 2011.0705.1114.18310)

CCC Help Danish (Version: 2011.0705.1114.18310)

CCC Help Dutch (Version: 2011.0705.1114.18310)

CCC Help English (Version: 2011.0705.1114.18310)

CCC Help Finnish (Version: 2011.0705.1114.18310)

CCC Help French (Version: 2011.0705.1114.18310)

CCC Help German (Version: 2011.0705.1114.18310)

CCC Help Greek (Version: 2011.0705.1114.18310)

CCC Help Hungarian (Version: 2011.0705.1114.18310)

CCC Help Italian (Version: 2011.0705.1114.18310)

CCC Help Japanese (Version: 2011.0705.1114.18310)

CCC Help Korean (Version: 2011.0705.1114.18310)

CCC Help Norwegian (Version: 2011.0705.1114.18310)

CCC Help Polish (Version: 2011.0705.1114.18310)

CCC Help Portuguese (Version: 2011.0705.1114.18310)

CCC Help Russian (Version: 2011.0705.1114.18310)

CCC Help Spanish (Version: 2011.0705.1114.18310)

CCC Help Swedish (Version: 2011.0705.1114.18310)

CCC Help Thai (Version: 2011.0705.1114.18310)

CCC Help Turkish (Version: 2011.0705.1114.18310)

ccc-utility64 (Version: 2011.0705.1115.18310)

Chronicles of Albian (Version: 2.2.0.95)

Chuzzle Deluxe (Version: 2.2.0.95)

Cradle of Rome 2 (Version: 2.2.0.95)

CyberLink YouCam (Version: 3.5.1.4119)

D3DX10 (Version: 15.4.2368.0902)

ESU for Microsoft Windows 7 SP1 (Version: 2.1.1)

Evernote v. 4.2.3 (Version: 4.2.3.22)

Farm Frenzy (Version: 2.2.0.95)

FATE (Version: 2.2.0.97)

Google Chrome (Version: 35.0.1916.114)

Google Update Helper (Version: 1.3.24.7)

Governor of Poker 2 Premium Edition (Version: 2.2.0.95)

Hewlett-Packard ACLM.NET v1.1.1.0 (Version: 1.00.0000)

HP Auto (Version: 1.0.12935.3667)

HP Client Services (Version: 1.1.12938.3539)

HP Customer Experience Enhancements (Version: 6.0.1.7)

HP Documentation (Version: 1.1.0.0)

HP Games (Version: 1.0.2.5)

HP Launch Box (Version: 1.0.11)

HP MovieStore (Version: 1.0.057)

HP MovieStore (Version: 2.0)

HP On Screen Display (Version: 1.2.2)

HP Power Manager (Version: 1.2.3)

HP Quick Launch (Version: 2.4.3)

HP QuickWeb (Version: 3.1.0.9760)

HP Setup (Version: 8.7.4751.3798)

HP Setup Manager (Version: 1.1.13476.3753)

HP Software Framework (Version: 4.1.6.1)

HP Support Assistant (Version: 6.0.5.4)

iCloud (Version: 3.1.0.40)

IDT Audio (Version: 1.0.6341.0)

iTunes (Version: 11.1.5.5)

Jewel Quest: The Sleepless Star - Collector's Edition (Version: 2.2.0.95)

Junk Mail filter update (Version: 15.4.3502.0922)

Mah Jong Medley (Version: 2.2.0.95)

Malwarebytes Anti-Malware version 2.0.2.1012 (Version: 2.0.2.1012)

Mesh Runtime (Version: 15.4.5722.2)

Microsoft .NET Framework 4.5.1 (Version: 4.5.50938)

Microsoft Application Error Reporting (Version: 12.0.6015.5000)

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Enterprise 2007 (Version: 12.0.6612.1000)

Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)

Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)

Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)

Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)

Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)

Microsoft Silverlight (Version: 5.1.30214.0)

Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)

Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)

Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (Version: 10.0.30319)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)

Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)

Mozilla Firefox 29.0.1 (x86 en-US) (Version: 29.0.1)

Mozilla Maintenance Service (Version: 29.0.1)

MSVCRT (Version: 15.4.2862.0708)

MSVCRT_amd64 (Version: 15.4.2862.0708)

MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)

MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)

Mystery of Mortlake Mansion (Version: 2.2.0.97)

Namco All-Stars: PAC-MAN (Version: 2.2.0.95)

Penguins! (Version: 2.2.0.95)

Plants vs. Zombies - Game of the Year (Version: 2.2.0.95)

PlayReady PC Runtime x86 (Version: 1.3.0)

Poker Superstars III (Version: 2.2.0.95)

Polar Bowler (Version: 2.2.0.97)

Polar Golfer (Version: 2.2.0.95)

QuickTime 7 (Version: 7.75.80.95)

Ralink RT5390 802.11b/g/n WiFi Adapter (Version: 3.02.01.0)

Realtek Ethernet Controller Driver (Version: 7.45.516.2011)

Realtek PCIE Card Reader (Version: 6.1.7601.81)

Recovery Manager (Version: 2.0.0)

RoxioNow Player (Version: 1.9.5.103)

Shape Shifter

Slingo Supreme (Version: 2.2.0.97)

swMSM (Version: 12.0.0.1)

Synaptics TouchPad Driver (Version: 15.3.29.0)

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office Infopath 2007 Help (KB963662)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition

Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2880505) 32-Bit Edition

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Update Installer for WildTangent Games App

Vacation Quest - The Hawaiian Islands (Version: 2.2.0.97)

Virtual Villagers 5 - New Believers (Version: 2.2.0.97)

Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)

Visual Studio 2010 x64 Redistributables (Version: 13.0.0.1)

Visual Studio 2012 x64 Redistributables (Version: 14.0.0.1)

Visual Studio 2012 x86 Redistributables (Version: 14.0.0.1)

WildTangent Games App (HP Games) (Version: 4.0.10.5)

Windows Live Communications Platform (Version: 15.4.3502.0922)

Windows Live Essentials (Version: 15.4.3502.0922)

Windows Live Essentials (Version: 15.4.3508.1109)

Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)

Windows Live Installer (Version: 15.4.3502.0922)

Windows Live Language Selector (Version: 15.4.3508.1109)

Windows Live Mail (Version: 15.4.3502.0922)

Windows Live Mesh (Version: 15.4.3502.0922)

Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)

Windows Live Messenger (Version: 15.4.3502.0922)

Windows Live MIME IFilter (Version: 15.4.3502.0922)

Windows Live Movie Maker (Version: 15.4.3502.0922)

Windows Live Photo Common (Version: 15.4.3502.0922)

Windows Live Photo Gallery (Version: 15.4.3502.0922)

Windows Live PIMT Platform (Version: 15.4.3508.1109)

Windows Live Remote Client (Version: 15.4.5722.2)

Windows Live Remote Client Resources (Version: 15.4.5722.2)

Windows Live Remote Service (Version: 15.4.5722.2)

Windows Live Remote Service Resources (Version: 15.4.5722.2)

Windows Live SOXE (Version: 15.4.3502.0922)

Windows Live SOXE Definitions (Version: 15.4.3502.0922)

Windows Live UX Platform (Version: 15.4.3502.0922)

Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)

Windows Live Writer (Version: 15.4.3502.0922)

Windows Live Writer Resources (Version: 15.4.3502.0922)

Zuma Deluxe (Version: 2.2.0.95)

 

========================= Devices: ================================

 

 

========================= Memory info: ===================================

 

Percentage of memory in use: 39%

Total physical RAM: 3562.91 MB

Available physical RAM: 2144.97 MB

Total Pagefile: 7123.99 MB

Available Pagefile: 5448.57 MB

Total Virtual: 4095.88 MB

Available Virtual: 3971.8 MB

 

========================= Partitions: =====================================

 

1 Drive c: () (Fixed) (Total:447.21 GB) (Free:387.27 GB) NTFS

2 Drive d: (Recovery) (Fixed) (Total:14.39 GB) (Free:1.6 GB) NTFS

3 Drive e: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:1.1 GB) FAT32

4 Drive f: (SBAV 5.0) (CDROM) (Total:0.13 GB) (Free:0 GB) CDFS

 

========================= Users: ========================================

 

User accounts for \\HP-NOTEBOOK

 

admin                    Administrator            Guest                    

jim                      patsy                    

 

========================= Restore Points ==================================

 

07-05-2014 12:15:39 Windows Update

13-05-2014 12:46:19 Windows Update

15-05-2014 12:20:36 Windows Update

21-05-2014 12:56:48 Windows Update

29-05-2014 00:56:16 Scheduled Checkpoint

30-05-2014 14:59:52 Windows Update

30-05-2014 16:36:56 Removed Java 7 Update 51

31-05-2014 04:20:46 avast! antivirus system restore point

 

**** End of log ****

 

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 5/31/2014

Scan Time: 10:10:25 AM

Logfile: 4mbam-log.txt

Administrator: Yes

 

Version: 2.00.2.1012

Malware Database: v2014.05.31.06

Rootkit Database: v2014.05.21.01

License: Trial

Malware Protection: Enabled

Malicious Website Protection: Enabled

Self-protection: Disabled

 

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: admin

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 339242

Time Elapsed: 17 min, 5 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 1

Trojan.Zaccess, HKU\S-1-5-21-209853449-2167449011-705526027-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^‚?Æ‚ù§, No Action By User, [f21d8aca94e7c2743705ef13768a53ad], 

 

Registry Data: 0

(No malicious items detected)

 

Folders: 7

Trojan.0Access, C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\‚ù§‚?∏‚??, No Action By User, [828d3321a2d960d6f442f111956bda26], 

Trojan.0Access, C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\‚ù§‚?∏‚??\‚∞¢‚?†‚ç®, No Action By User, [828d3321a2d960d6f442f111956bda26], 

Trojan.0Access, C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\‚ù§‚?∏‚??\‚∞¢‚?†‚ç®\‚?ÆÔØπ‡π?, No Action By User, [828d3321a2d960d6f442f111956bda26], 

Trojan.0Access, C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\‚ù§‚?∏‚??\‚∞¢‚?†‚ç®\‚?ÆÔØπ‡π?\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}, No Action By User, [828d3321a2d960d6f442f111956bda26], 

Trojan.0Access, C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\‚ù§‚?∏‚??\‚∞¢‚?†‚ç®\‚?ÆÔØπ‡π?\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\L, No Action By User, [828d3321a2d960d6f442f111956bda26], 

Trojan.0Access, C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\‚ù§‚?∏‚??\‚∞¢‚?†‚ç®\‚?ÆÔØπ‡π?\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\U, No Action By User, [828d3321a2d960d6f442f111956bda26], 

Trojan.0Access, C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}, No Action By User, [937cf36191ea181e54e31de5a8589070], 

 

Files: 1

Trojan.0Access, C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\‚ù§‚?∏‚??\‚∞¢‚?†‚ç®\‚?ÆÔØπ‡π?\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\@, No Action By User, [828d3321a2d960d6f442f111956bda26], 

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1009

www.malwarebytes.org

 

Database version: v2014.05.31.07

 

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 11.0.9600.17107

admin :: HP-NOTEBOOK [administrator]

 

5/31/2014 10:36:04 AM

mbar-log-2014-05-31 (10-36-04).txt

 

Scan type: Quick scan

Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken

Scan options disabled: 

Objects scanned: 332921

Time elapsed: 13 minute(s), 42 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 7

C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙ (Trojan.0Access) -> No action taken.

C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨ (Trojan.0Access) -> No action taken.

C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨\ (Trojan.0Access) -> No action taken.

C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨\\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3} (Trojan.0Access) -> No action taken.

C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨\\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\L (Trojan.0Access) -> No action taken.

C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨\\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\U (Trojan.0Access) -> No action taken.

C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3} (Trojan.0Access) -> No action taken.

 

Files Detected: 1

C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨\\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\@ (Trojan.0Access) -> No action taken.

 

Physical Sectors Detected: 0

(No malicious items detected)

 

(end)

 

 

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1009

 

© Malwarebytes Corporation 2011-2012

 

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

 

Account is Administrative

 

Internet Explorer version: 11.0.9600.17107

 

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED

CPU speed: 1.397000 GHz

Memory total: 3735977984, free: 2270355456

 

=======================================

Initializing...

Done!

Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 38DAC283

 

Partition information:

 

    Partition 0 type is Primary (0x7)

    Partition is ACTIVE.

    Partition starts at LBA: 2048  Numsec = 407552

    Partition file system is NTFS

    Partition is bootable

 

    Partition 1 type is Primary (0x7)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 409600  Numsec = 937871360

 

    Partition 2 type is Primary (0x7)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 938280960  Numsec = 30169088

 

    Partition 3 type is Other (0xc)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 968450048  Numsec = 8321072

 

Disk Size: 500107862016 bytes

Sector size: 512 bytes

 

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...

Done!

Scan Interrupted

Scan was aborted.

=======================================

 

 

Removal queue found; removal started

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...

Removal finished

---------------------------------------

Malwarebytes Anti-Rootkit BETA 1.07.0.1009

 

© Malwarebytes Corporation 2011-2012

 

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

 

Account is Administrative

 

Internet Explorer version: 11.0.9600.17107

 

File system is: NTFS

Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED

CPU speed: 1.397000 GHz

Memory total: 3735977984, free: 2000404480

 

Downloaded database version: v2014.05.31.07

Downloaded database version: v2014.05.21.01

=======================================

Initializing...

Done!

Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...

Done!

Drive 0

Scanning MBR on drive 0...

Inspecting partition table:

MBR Signature: 55AA

Disk Signature: 38DAC283

 

Partition information:

 

    Partition 0 type is Primary (0x7)

    Partition is ACTIVE.

    Partition starts at LBA: 2048  Numsec = 407552

    Partition file system is NTFS

    Partition is bootable

 

    Partition 1 type is Primary (0x7)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 409600  Numsec = 937871360

 

    Partition 2 type is Primary (0x7)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 938280960  Numsec = 30169088

 

    Partition 3 type is Other (0xc)

    Partition is NOT ACTIVE.

    Partition starts at LBA: 968450048  Numsec = 8321072

 

Disk Size: 500107862016 bytes

Sector size: 512 bytes

 

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...

Done!

Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙ --> [Trojan.0Access]

Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨ --> [Trojan.0Access]

Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨\ --> [Trojan.0Access]

Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨\\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3} --> [Trojan.0Access]

Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨\\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\@ --> [Trojan.0Access]

Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨\\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\L --> [Trojan.0Access]

Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\≸⋙\☠⍨\\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\U --> [Trojan.0Access]

Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3} --> [Trojan.0Access]

Scan finished

=======================================

 

 

Removal queue found; removal started

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...

Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...

Removal finished

 

 

Rkill 2.6.6 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2014 BleepingComputer.com

More Information about Rkill can be found at this link:

 http://www.bleepingcomputer.com/forums/topic308364.html

 

Program started at: 05/31/2014 10:52:15 AM in x64 mode.

Windows Version: Windows 7 Home Premium Service Pack 1

 

Checking for Windows services to stop:

 

 * No malware services found to stop.

 

Checking for processes to terminate:

 

 * No malware processes found to kill.

 

Checking Registry for malware related settings:

 

 * No issues found in the Registry.

 

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

 

Performing miscellaneous checks:

 

 * No issues found.

 

Checking Windows Service Integrity: 

 

 * No issues found.

 

Searching for Missing Digital Signatures: 

 

 * No issues found.

 

Checking HOSTS File: 

 

 * No issues found.

 

Program finished at: 05/31/2014 10:54:30 AM

Execution time: 0 hours(s), 2 minute(s), and 14 seconds(s)

 

 +—+—+—+—+—+—+—+—+—+—+—+++

END OF Security Check/FSS/MiniToolBox/… logs 

 +—+—+—+—+—+—+—+—+—+—+—+++

 

 +—+—+—+—+—+—+—+—+—+—+—+++

START OF DDS logs

 +—+—+—+—+—+—+—+—+—+—+—+++

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 

Internet Explorer: 11.0.9600.17041

Run by admin at 11:56:49 on 2014-05-31

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3563.2037 [GMT -5:00]

.

AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Program Files\IDT\WDM\STacSV64.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\atieclxx.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\AVAST Software\Avast\AvastSvc.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe

C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe

C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe

C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe

C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\IDT\WDM\sttray64.exe

C:\Program Files\AVAST Software\Avast\AvastUI.exe

C:\Windows\system32\SearchIndexer.exe

C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mWinlogon: Userinit = userinit.exe

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - <orphaned>

BHO: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - <orphaned>

BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204

DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab

DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab

TCP: NameServer = 192.168.1.254

TCP: Interfaces\{58D8B3A1-6910-45B1-97A8-789105515D47} : DHCPNameServer = 192.168.1.254

TCP: Interfaces\{FDB3186C-734E-4F57-90F1-E90781A32BC0} : DHCPNameServer = 192.168.1.254

Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll

Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\AMD\SteadyVideo\VideoMIMEFilter.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - 

x64-BHO: SteadyVideoBHO Class: {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll

x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe

x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe

x64-RunOnce: [NCPluginUpdater] "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update

x64-Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll

x64-Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll

x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - 

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gy45imv.default\

FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\5\NP_wtapp.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1209149.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll

.

============= SERVICES / DRIVERS ===============

.

R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2011-4-16 79488]

R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2011-4-16 40064]

R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2013-11-22 65776]

R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2013-11-22 208416]

R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswsnx.sys [2013-11-22 1039096]

R1 aswSP;aswSP;C:\Windows\System32\drivers\aswsp.sys [2013-11-22 423240]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-7-6 204288]

R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-7-5 365568]

R2 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2014-5-30 29208]

R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2013-11-22 79184]

R2 aswStm;aswStm;C:\Windows\System32\drivers\aswstm.sys [2014-1-21 85328]

R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-5-30 50344]

R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-6-21 85560]

R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-5-21 103992]

R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2011-4-8 26680]

R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-12-14 2375168]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-5-29 1809720]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-5-29 860472]

R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]

R3 amdiox64;AMD IO Driver;C:\Windows\System32\drivers\amdiox64.sys [2011-12-14 46136]

R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2011-3-30 114704]

R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2010-7-28 31088]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-5-29 25816]

R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-5-29 122584]

R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-5-29 63704]

R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2012-12-6 2350176]

R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2011-12-14 338536]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]

R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-12-14 47232]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]

S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]

S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-4-18 111616]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-1 19456]

S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\System32\drivers\VSTAZL6.SYS [2009-7-13 292864]

S3 SrvHsfV92;SrvHsfV92;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]

S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\System32\drivers\VSTCNXT6.SYS [2009-7-13 740864]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-1 57856]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-11-1 30208]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-1-2 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2014-05-31 05:47:42 -------- d-----w- C:\Users\admin\Pavark

2014-05-31 05:38:56 -------- d-----w- C:\Users\admin\AppData\Local\CrashDumps

2014-05-31 05:32:44 -------- d-----w- C:\ProgramData\RogueKiller

2014-05-31 04:22:43 29208 ----a-w- C:\Windows\System32\drivers\aswHwid.sys

2014-05-31 04:22:38 43152 ----a-w- C:\Windows\avastSS.scr

2014-05-30 15:00:47 10702536 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{612727A2-D0EC-4E8F-BF3F-CF0118D09066}\mpengine.dll

2014-05-30 12:08:22 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2014-05-29 17:57:35 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2014-05-29 17:30:49 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys

2014-05-29 17:30:23 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys

2014-05-29 17:30:23 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys

2014-05-29 17:30:23 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys

2014-05-29 17:30:23 -------- d-----w- C:\ProgramData\Malwarebytes

2014-05-29 17:30:23 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware

2014-05-29 17:29:30 -------- d-----w- C:\Users\admin\AppData\Local\Programs

2014-05-16 00:49:06 1266800 ----a-w- C:\Program Files (x86)\Mozilla Firefox\icuin52.dll

2014-05-16 00:49:06 10594416 ----a-w- C:\Program Files (x86)\Mozilla Firefox\icudt52.dll

2014-05-16 00:49:05 965232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\icuuc52.dll

2014-05-15 12:28:35 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2014-05-15 12:28:35 2724864 ----a-w- C:\Windows\System32\mshtml.tlb

2014-05-14 12:58:10 477184 ----a-w- C:\Windows\System32\aepdu.dll

2014-05-14 12:58:10 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-05-08 13:48:42 227704 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2014-05-08 13:48:42 227704 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
2014-05-07 12:16:12 -------- d-s---w- C:\Windows\System32\CompatTel
.
==================== Find3M  ====================
.
2014-05-31 04:23:06 85328 ----a-w- C:\Windows\System32\drivers\aswstm.sys
2014-05-31 04:23:06 1039096 ----a-w- C:\Windows\System32\drivers\aswsnx.sys
2014-05-31 04:22:39 93568 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2014-05-31 04:22:39 79184 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2014-05-31 04:22:39 65776 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2014-05-31 04:22:39 208416 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2014-05-14 17:49:06 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-14 17:49:06 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37 28160 ----a-w- C:\Windows\System32\secur32.dll
2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05 31232 ----a-w- C:\Windows\System32\lsass.exe
2014-04-12 02:12:06 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-04-01 03:46:48 130712 ----a-w- C:\Windows\SysWow64\MSSTDFMT.DLL
2014-04-01 03:46:48 1070232 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2014-03-31 14:35:08 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-03-06 09:31:33 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-06 08:59:04 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-06 08:57:34 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-03-06 08:57:20 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:29:40 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:11:41 5784064 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-06 08:02:34 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:02:33 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-03-06 08:01:01 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36 4254720 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15 2043904 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39 1967104 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40 2260480 ----a-w- C:\Windows\System32\wininet.dll
2014-03-06 05:41:49 1789440 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-03-04 09:47:01 5550016 ----a-w- C:\Windows\System32\ntoskrnl.exe
2014-03-04 09:44:21 362496 ----a-w- C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21 243712 ----a-w- C:\Windows\System32\wow64.dll
2014-03-04 09:44:21 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:20 39936 ----a-w- C:\Windows\System32\wincredprovider.dll
2014-03-04 09:44:10 210944 ----a-w- C:\Windows\System32\wdigest.dll
2014-03-04 09:44:08 86528 ----a-w- C:\Windows\System32\TSpkg.dll
2014-03-04 09:44:06 340992 ----a-w- C:\Windows\System32\schannel.dll
2014-03-04 09:44:03 722944 ----a-w- C:\Windows\System32\objsel.dll
2014-03-04 09:44:03 314880 ----a-w- C:\Windows\System32\msv1_0.dll
2014-03-04 09:44:03 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2014-03-04 09:44:00 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-03-04 09:44:00 424960 ----a-w- C:\Windows\System32\KernelBase.dll
2014-03-04 09:43:56 57344 ----a-w- C:\Windows\System32\cngprovider.dll
2014-03-04 09:43:56 52736 ----a-w- C:\Windows\System32\dpapiprovider.dll
2014-03-04 09:43:56 44544 ----a-w- C:\Windows\System32\dimsroam.dll
2014-03-04 09:43:56 22016 ----a-w- C:\Windows\System32\credssp.dll
2014-03-04 09:43:55 56832 ----a-w- C:\Windows\System32\adprovider.dll
2014-03-04 09:43:55 53760 ----a-w- C:\Windows\System32\capiprovider.dll
2014-03-04 09:43:50 455168 ----a-w- C:\Windows\System32\winlogon.exe
2014-03-04 09:20:11 3969984 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2014-03-04 09:20:11 3914176 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2014-03-04 09:16:54 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2014-03-04 09:16:18 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2014-03-04 08:09:30 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29 2048 ----a-w- C:\Windows\SysWow64\user.exe
.
============= FINISH: 11:58:02.79 ===============

 

Attached File  attach.txt   11.77KB   0 downloads

Attached File  GMER-logs.rtf   1.28KB   1 downloads

 





#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:20 PM

Posted 02 June 2014 - 03:25 PM

Hi willie6973

Please take note of the following:

1. Please do not run any other tools unless instructed.
2. Please don't install or uninstall anything unless asked.
3. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
4. If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Most of those reports don't really tell us much as regards the infection.


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your Desktop.
  • Double-click the downloaded icon to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator

  • When the tool opens click Yes to disclaimer.

  • Make sure that Addition.txt is selected at the bottom
  • Press Scan button.

  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.
Thanks

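As an added example (not code from this thread, from FRST or from its author), here is a small triage script for the FRST.txt layout the helper asks for: it splits the log into its "==== Section ====" blocks and flags the lines a responder reads first. The three flag rules are my own first-pass heuristics rather than FRST's logic, and the embedded sample log is constructed from entries posted in this thread.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST.txt) log.

Added example, not code from the thread, from FRST or from its author. It
flags: entries FRST itself marks "<======= ATTENTION"; browser add-on or
toolbar entries whose target is "No File" (a registration left behind for a
DLL that is gone); and loaded drivers whose vendor field is empty. These are
first-pass heuristics, not FRST's own logic; the sample log is constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# "==================== Registry (Whitelisted) ==================" style header.
SECTION_RE = re.compile(r"^={4,}\s+(.+?)\s+={4,}$")
# Bare "========" rule that FRST prints under its "FireFox:" / "Chrome:" headers.
RULE_RE = re.compile(r"^=+$")
# Driver line: "R2 aswHwid; C:\...\aswHwid.sys [29208 2014-05-30] (Vendor)".
DRIVER_RE = re.compile(
    r"^[RS]\d \S+; (?P<path>.+?) \[\d+ \d{4}-\d{2}-\d{2}\] \((?P<vendor>.*)\)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # "attention", "orphan" or "no-vendor-driver"
    section: str   # FRST section the entry came from
    entry: str     # the log line, verbatim


def parse_sections(text: str) -> dict[str, list[str]]:
    """Group non-empty log lines under the FRST section heading they follow."""
    sections: dict[str, list[str]] = {}
    current = "Header"
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.rstrip()
        if not line or RULE_RE.match(line):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        # Browser blocks are "FireFox:" followed by a line made only of "=".
        if line.endswith(":") and i + 1 < len(lines) and RULE_RE.match(lines[i + 1]):
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text: str) -> list[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: list[Finding] = []
    for section, entries in parse_sections(text).items():
        for entry in entries:
            if "<======= ATTENTION" in entry:
                findings.append(Finding("attention", section, entry))
            elif entry.endswith("No File"):
                findings.append(Finding("orphan", section, entry))
            elif section.startswith("Drivers"):
                m = DRIVER_RE.match(entry)
                if m and not m.group("vendor").strip():
                    findings.append(Finding("no-vendor-driver", section, entry))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {"attention": 1, "orphan": 2}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: a trimmed copy of entries from the FRST log in this thread.
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-06-2014
Ran by admin (administrator) on HP-NOTEBOOK on 03-06-2014 09:39:50

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
GroupPolicyUsers\S-1-5-21-209853449-2167449011-705526027-1002\User: Group Policy restriction detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll No File
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File

FireFox:
========
FF ProfilePath: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gy45imv.default

==================== Drivers (Whitelisted) ====================

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-05-30] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-05-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-05-30] ()
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] ({f.section}) {f.entry}")
    print(summarize(triage(SAMPLE_LOG)))
```

An empty vendor field is only a prompt to check the file's signature and origin; in this thread's log the Avast drivers legitimately show "()".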


#3 willie6973

willie6973
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Orleans
  • Local time:04:20 PM

Posted 03 June 2014 - 09:45 AM

thanks; will do.

 


 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-06-2014
Ran by admin (administrator) on HP-NOTEBOOK on 03-06-2014 09:39:50
Running from C:\Users\admin\Desktop
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\System32\atiesrxx.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Roxio) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-06-08] (IDT, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3888648 2014-05-30] (AVAST Software)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [NCPluginUpdater] - "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update [21720 2014-01-28] (Hewlett-Packard)
HKU\S-1-5-21-209853449-2167449011-705526027-1001\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-209853449-2167449011-705526027-1001\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-209853449-2167449011-705526027-1001\...\MountPoints2: {d04fb994-35af-11e1-aae8-78e3b5632280} - G:\LaunchU3.exe -a
Startup: C:\Users\patsy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicyUsers\S-1-5-21-209853449-2167449011-705526027-1002\User: Group Policy restriction detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM - {3DD13FFF-344D-42DD-8164-42ED62CD7BF1} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 - {3DD13FFF-344D-42DD-8164-42ED62CD7BF1} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKCU - {3DD13FFF-344D-42DD-8164-42ED62CD7BF1} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll No File
BHO: SteadyVideoBHO Class - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO-x32: No Name - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -  No File
BHO-x32: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {15B782AF-55D8-11D1-B477-006097098764} http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gy45imv.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_214.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1209149.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @oberon-media.com/ONCAdapter - C:\Program Files (x86)\Common Files\Oberon Media\NCAdapter\1.0.0.7\npapicomadapter.dll (Oberon-Media )
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 - C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\5\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-11-22]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2013-11-22]

Chrome:
=======
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-29]
CHR Extension: (Google Wallet) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-11]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-05-30]

==================== Services (Whitelisted) =================

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [365568 2011-07-05] (Advanced Micro Devices, Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-05-30] (AVAST Software)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)

==================== Drivers (Whitelisted) ====================

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-05-30] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-05-30] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-05-30] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-05-30] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1039096 2014-05-30] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [423240 2014-05-30] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [85328 2014-05-30] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [208416 2014-05-30] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-06-03] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-05-12] (Malwarebytes Corporation)
S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-06-03 09:39 - 2014-06-03 09:40 - 00014512 _____ () C:\Users\admin\Desktop\FRST.txt
2014-06-03 09:39 - 2014-06-03 09:39 - 00000000 ____D () C:\FRST
2014-06-03 09:35 - 2014-06-03 09:38 - 02068992 _____ (Farbar) C:\Users\admin\Desktop\FRST64.exe
2014-06-03 09:35 - 2014-06-03 09:35 - 00000300 _____ () C:\Users\admin\Desktop\Trojan.0Access rootkit infection reported by Malwarebytes - Virus, Trojan, Spyware, and Malware Removal Logs.URL
2014-05-31 11:55 - 2014-05-31 11:55 - 00688992 ____R (Swearware) C:\Users\admin\Desktop\dds.com
2014-05-31 10:52 - 2014-05-31 10:54 - 00002040 _____ () C:\Users\admin\Desktop\Rkill.txt
2014-05-31 10:51 - 2014-05-31 10:51 - 01940216 _____ (Bleeping Computer, LLC) C:\Users\admin\Downloads\rkill.exe
2014-05-31 10:44 - 2014-05-31 10:45 - 00000000 ____D () C:\Users\admin\Documents\New folder
2014-05-31 10:34 - 2014-05-31 10:34 - 12589848 _____ (Malwarebytes Corp.) C:\Users\admin\Downloads\mbar-1.07.0.1009.exe
2014-05-31 10:08 - 2014-05-31 10:08 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\admin\Desktop\mbam-setup-2.0.2.1012.exe
2014-05-31 10:06 - 2014-05-31 10:07 - 00028648 _____ () C:\Users\admin\Downloads\Result.txt
2014-05-31 10:05 - 2014-05-31 10:05 - 00982016 _____ (Farbar) C:\Users\admin\Downloads\MiniToolBox.exe
2014-05-31 10:04 - 2014-05-31 10:04 - 00002084 _____ () C:\Users\admin\Downloads\FSS.txt
2014-05-31 10:03 - 2014-05-31 10:03 - 00410112 _____ (Farbar) C:\Users\admin\Downloads\FSS.exe
2014-05-31 09:58 - 2014-05-31 11:59 - 00000000 ____D () C:\Users\admin\Documents\VIRUS-may31
2014-05-31 09:57 - 2014-05-31 09:57 - 00854367 _____ () C:\Users\admin\Desktop\SecurityCheck.exe
2014-05-31 00:47 - 2014-05-31 00:48 - 00000000 ____D () C:\Users\admin\Pavark
2014-05-31 00:38 - 2014-05-31 00:39 - 00000000 ____D () C:\Users\admin\AppData\Local\CrashDumps
2014-05-31 00:32 - 2014-05-31 00:32 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-05-31 00:22 - 2014-05-31 12:27 - 00000000 ____D () C:\Users\admin\Documents\rootkit
2014-05-31 00:19 - 2014-05-31 00:19 - 00044923 _____ () C:\Users\admin\Documents\avast-Full system scan.txt
2014-05-30 23:22 - 2014-05-30 23:22 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-05-30 23:22 - 2014-05-30 23:22 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2014-05-30 20:16 - 2014-05-31 10:50 - 00000000 ____D () C:\Users\admin\Desktop\mbar
2014-05-30 19:20 - 2014-05-30 19:23 - 00000000 ____D () C:\Users\admin\Documents\virus 2014 - 2
2014-05-30 10:28 - 2014-05-30 10:28 - 00000000 ____D () C:\Users\patsy\New folder
2014-05-30 10:01 - 2014-05-30 10:01 - 00299390 _____ () C:\Users\patsy\Documents\bookmarks_5_30_14.html
2014-05-30 07:08 - 2014-05-30 10:04 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-05-29 12:57 - 2014-05-31 10:50 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-05-29 12:30 - 2014-06-03 09:32 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-05-29 12:30 - 2014-05-31 10:35 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-05-29 12:30 - 2014-05-31 10:09 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-05-29 12:30 - 2014-05-31 10:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-29 12:30 - 2014-05-31 10:09 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-29 12:30 - 2014-05-29 12:30 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-29 12:30 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-05-29 12:30 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-05-29 11:41 - 2014-06-03 09:35 - 00000000 ____D () C:\Users\admin\Documents\VIRUS 2014-05
2014-05-15 19:48 - 2014-05-15 19:49 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-05-15 07:28 - 2014-05-05 23:40 - 23544320 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-15 07:28 - 2014-05-05 23:17 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-15 07:28 - 2014-05-05 22:25 - 17382912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-15 07:28 - 2014-05-05 22:07 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-15 07:28 - 2014-05-05 22:00 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-05-15 07:28 - 2014-05-05 21:10 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-14 07:58 - 2014-05-09 01:14 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-14 07:58 - 2014-05-09 01:11 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-05-14 07:58 - 2014-03-24 21:43 - 14175744 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-05-14 07:58 - 2014-03-24 21:09 - 12874240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2014-05-14 07:57 - 2014-04-11 21:22 - 00155072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-05-14 07:57 - 2014-04-11 21:22 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2014-05-14 07:57 - 2014-04-11 21:19 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-05-14 07:57 - 2014-04-11 21:19 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2014-05-14 07:57 - 2014-04-11 21:19 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2014-05-14 07:57 - 2014-04-11 21:19 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2014-05-14 07:57 - 2014-04-11 21:19 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2014-05-14 07:57 - 2014-04-11 21:12 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-05-14 07:57 - 2014-04-11 21:10 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-05-14 07:57 - 2014-03-04 04:47 - 05550016 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2014-05-14 07:57 - 2014-03-04 04:44 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-05-14 07:57 - 2014-03-04 04:44 - 00722944 _____ (Microsoft Corporation) C:\Windows\system32\objsel.dll
2014-05-14 07:57 - 2014-03-04 04:44 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2014-05-14 07:57 - 2014-03-04 04:44 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-05-14 07:57 - 2014-03-04 04:44 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-05-14 07:57 - 2014-03-04 04:44 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-05-14 07:57 - 2014-03-04 04:44 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-05-14 07:57 - 2014-03-04 04:44 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\wincredprovider.dll
2014-05-14 07:57 - 2014-03-04 04:43 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-05-14 07:57 - 2014-03-04 04:43 - 00057344 _____ (Microsoft Corporation) C:\Windows\system32\cngprovider.dll
2014-05-14 07:57 - 2014-03-04 04:43 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\adprovider.dll
2014-05-14 07:57 - 2014-03-04 04:43 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\capiprovider.dll
2014-05-14 07:57 - 2014-03-04 04:43 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\dpapiprovider.dll
2014-05-14 07:57 - 2014-03-04 04:43 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\dimsroam.dll
2014-05-14 07:57 - 2014-03-04 04:43 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-05-14 07:57 - 2014-03-04 04:20 - 03969984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2014-05-14 07:57 - 2014-03-04 04:20 - 03914176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2014-05-14 07:57 - 2014-03-04 04:17 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\objsel.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cngprovider.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adprovider.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\capiprovider.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dpapiprovider.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dimsroam.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wincredprovider.dll
2014-05-14 07:57 - 2014-03-04 04:17 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-05-14 07:57 - 2014-03-04 04:16 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2014-05-07 07:16 - 2014-05-15 07:37 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-05-05 13:02 - 2014-05-05 13:12 - 00000000 ____D () C:\Users\patsy\Documents\travel

==================== One Month Modified Files and Folders =======

2014-06-03 09:40 - 2014-06-03 09:39 - 00014512 _____ () C:\Users\admin\Desktop\FRST.txt
2014-06-03 09:40 - 2012-01-02 14:15 - 00000000 ____D () C:\Users\admin\AppData\Local\Temp
2014-06-03 09:39 - 2014-06-03 09:39 - 00000000 ____D () C:\FRST
2014-06-03 09:38 - 2014-06-03 09:35 - 02068992 _____ (Farbar) C:\Users\admin\Desktop\FRST64.exe
2014-06-03 09:38 - 2011-12-14 18:42 - 01129902 _____ () C:\Windows\WindowsUpdate.log
2014-06-03 09:35 - 2014-06-03 09:35 - 00000300 _____ () C:\Users\admin\Desktop\Trojan.0Access rootkit infection reported by Malwarebytes - Virus, Trojan, Spyware, and Malware Removal Logs.URL
2014-06-03 09:35 - 2014-05-29 11:41 - 00000000 ____D () C:\Users\admin\Documents\VIRUS 2014-05
2014-06-03 09:35 - 2012-01-02 14:19 - 00003938 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{D9499CB0-8BE4-4371-B45D-94A6660209E6}
2014-06-03 09:33 - 2013-05-29 12:08 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-06-03 09:32 - 2014-05-29 12:30 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-03 09:32 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-03 09:32 - 2009-07-13 23:51 - 00053797 _____ () C:\Windows\setupact.log
2014-05-31 19:22 - 2013-05-29 12:08 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-05-31 19:14 - 2012-04-02 16:10 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-05-31 17:03 - 2009-07-13 23:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-05-31 17:03 - 2009-07-13 23:45 - 00032064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-05-31 12:27 - 2014-05-31 00:22 - 00000000 ____D () C:\Users\admin\Documents\rootkit
2014-05-31 11:59 - 2014-05-31 09:58 - 00000000 ____D () C:\Users\admin\Documents\VIRUS-may31
2014-05-31 11:55 - 2014-05-31 11:55 - 00688992 ____R (Swearware) C:\Users\admin\Desktop\dds.com
2014-05-31 10:54 - 2014-05-31 10:52 - 00002040 _____ () C:\Users\admin\Desktop\Rkill.txt
2014-05-31 10:51 - 2014-05-31 10:51 - 01940216 _____ (Bleeping Computer, LLC) C:\Users\admin\Downloads\rkill.exe
2014-05-31 10:50 - 2014-05-30 20:16 - 00000000 ____D () C:\Users\admin\Desktop\mbar
2014-05-31 10:50 - 2014-05-29 12:57 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-05-31 10:45 - 2014-05-31 10:44 - 00000000 ____D () C:\Users\admin\Documents\New folder
2014-05-31 10:35 - 2014-05-29 12:30 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-05-31 10:34 - 2014-05-31 10:34 - 12589848 _____ (Malwarebytes Corp.) C:\Users\admin\Downloads\mbar-1.07.0.1009.exe
2014-05-31 10:09 - 2014-05-29 12:30 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-05-31 10:09 - 2014-05-29 12:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-05-31 10:09 - 2014-05-29 12:30 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-31 10:08 - 2014-05-31 10:08 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\admin\Desktop\mbam-setup-2.0.2.1012.exe
2014-05-31 10:07 - 2014-05-31 10:06 - 00028648 _____ () C:\Users\admin\Downloads\Result.txt
2014-05-31 10:05 - 2014-05-31 10:05 - 00982016 _____ (Farbar) C:\Users\admin\Downloads\MiniToolBox.exe
2014-05-31 10:04 - 2014-05-31 10:04 - 00002084 _____ () C:\Users\admin\Downloads\FSS.txt
2014-05-31 10:03 - 2014-05-31 10:03 - 00410112 _____ (Farbar) C:\Users\admin\Downloads\FSS.exe
2014-05-31 09:57 - 2014-05-31 09:57 - 00854367 _____ () C:\Users\admin\Desktop\SecurityCheck.exe
2014-05-31 00:48 - 2014-05-31 00:47 - 00000000 ____D () C:\Users\admin\Pavark
2014-05-31 00:47 - 2012-01-02 14:15 - 00000000 ____D () C:\Users\admin
2014-05-31 00:39 - 2014-05-31 00:38 - 00000000 ____D () C:\Users\admin\AppData\Local\CrashDumps
2014-05-31 00:32 - 2014-05-31 00:32 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-05-31 00:24 - 2009-07-14 00:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-05-31 00:19 - 2014-05-31 00:19 - 00044923 _____ () C:\Users\admin\Documents\avast-Full system scan.txt
2014-05-30 23:25 - 2010-11-20 22:47 - 00931460 _____ () C:\Windows\PFRO.log
2014-05-30 23:23 - 2014-01-21 13:41 - 00085328 _____ (AVAST Software) C:\Windows\system32\Drivers\aswstm.sys
2014-05-30 23:23 - 2013-11-22 17:17 - 01039096 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2014-05-30 23:23 - 2013-11-22 17:17 - 00423240 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys
2014-05-30 23:23 - 2013-11-22 17:17 - 00001966 _____ () C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2014-05-30 23:22 - 2014-05-30 23:22 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2014-05-30 23:22 - 2014-05-30 23:22 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2014-05-30 23:22 - 2013-11-22 17:17 - 00334648 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2014-05-30 23:22 - 2013-11-22 17:17 - 00208416 _____ () C:\Windows\system32\Drivers\aswVmm.sys
2014-05-30 23:22 - 2013-11-22 17:17 - 00093568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2014-05-30 23:22 - 2013-11-22 17:17 - 00079184 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2014-05-30 23:22 - 2013-11-22 17:17 - 00065776 _____ () C:\Windows\system32\Drivers\aswRvrt.sys
2014-05-30 23:22 - 2013-11-22 17:17 - 00003924 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2014-05-30 19:23 - 2014-05-30 19:20 - 00000000 ____D () C:\Users\admin\Documents\virus 2014 - 2
2014-05-30 12:00 - 2012-01-02 15:14 - 00000000 ____D () C:\Users\patsy\AppData\Local\Temp
2014-05-30 11:50 - 2012-08-26 08:04 - 00000000 ____D () C:\Windows\Minidump
2014-05-30 11:50 - 2012-01-02 21:08 - 00357696 ____N () C:\Windows\Minidump\053014-19796-01.dmp
2014-05-30 11:47 - 2013-11-16 12:13 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-05-30 10:28 - 2014-05-30 10:28 - 00000000 ____D () C:\Users\patsy\New folder
2014-05-30 10:28 - 2012-01-02 15:14 - 00000000 ____D () C:\Users\patsy
2014-05-30 10:04 - 2014-05-30 07:08 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-05-30 10:01 - 2014-05-30 10:01 - 00299390 _____ () C:\Users\patsy\Documents\bookmarks_5_30_14.html
2014-05-30 09:54 - 2012-01-02 21:08 - 00355968 ____N () C:\Windows\Minidump\053014-23010-01.dmp
2014-05-29 20:59 - 2012-01-02 15:14 - 00003938 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{04ABCBF4-E69E-4099-9725-B71CB562EBFB}
2014-05-29 12:30 - 2014-05-29 12:30 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-05-29 11:18 - 2012-01-02 14:19 - 00000000 ___RD () C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-05-29 11:18 - 2012-01-02 14:19 - 00000000 ___RD () C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-05-29 11:17 - 2013-11-22 18:24 - 00000000 ____D () C:\Users\jim\AppData\Local\Temp
2014-05-29 11:17 - 2012-01-02 14:22 - 00000632 __RSH () C:\Users\admin\ntuser.pol
2014-05-28 17:27 - 2013-08-18 16:29 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-05-28 09:41 - 2013-11-22 18:24 - 00003930 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{21008E25-4BA7-4F74-8461-6454C9F51396}
2014-05-27 17:09 - 2013-11-22 18:24 - 00000632 __RSH () C:\Users\jim\ntuser.pol
2014-05-27 17:09 - 2013-11-22 18:24 - 00000000 ___RD () C:\Users\jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-05-27 17:09 - 2013-11-22 18:24 - 00000000 ___RD () C:\Users\jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-05-27 17:09 - 2013-11-22 18:24 - 00000000 ____D () C:\Users\jim
2014-05-15 19:49 - 2014-05-15 19:48 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-05-15 19:35 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-05-15 08:06 - 2012-01-02 15:14 - 00001232 __RSH () C:\Users\patsy\ntuser.pol
2014-05-15 08:06 - 2012-01-02 15:14 - 00000000 ___RD () C:\Users\patsy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-05-15 08:06 - 2012-01-02 15:14 - 00000000 ___RD () C:\Users\patsy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2014-05-15 07:37 - 2014-05-07 07:16 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-05-15 07:28 - 2012-10-24 17:32 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-05-15 07:26 - 2013-08-15 07:25 - 00000000 ____D () C:\Windows\system32\MRT
2014-05-15 07:24 - 2012-01-02 21:23 - 93223848 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-05-14 12:49 - 2012-04-02 16:10 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-05-14 12:49 - 2012-04-02 16:10 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-05-14 12:49 - 2011-07-20 23:31 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-05-12 07:26 - 2014-05-29 12:30 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-05-12 07:25 - 2014-05-29 12:30 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-05-09 01:14 - 2014-05-14 07:58 - 00477184 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-05-09 01:11 - 2014-05-14 07:58 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-05-07 07:17 - 2013-05-29 12:08 - 00003892 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-05-07 07:17 - 2013-05-29 12:08 - 00003640 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-05-05 23:40 - 2014-05-15 07:28 - 23544320 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-05 23:17 - 2014-05-15 07:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-05 22:25 - 2014-05-15 07:28 - 17382912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-05-05 22:07 - 2014-05-15 07:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-05-05 22:00 - 2014-05-15 07:28 - 00084992 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-05-05 21:10 - 2014-05-15 07:28 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-05-05 13:12 - 2014-05-05 13:02 - 00000000 ____D () C:\Users\patsy\Documents\travel
ZeroAccess:
C:\Users\patsy\AppData\Local\Google\Desktop\Install

Some content of TEMP:
====================
C:\Users\admin\AppData\Local\Temp\ose00000.exe
C:\Users\admin\AppData\Local\Temp\SP54714.exe
C:\Users\admin\AppData\Local\Temp\SP56215.exe
C:\Users\admin\AppData\Local\Temp\SP56878.exe
C:\Users\admin\AppData\Local\Temp\SP56929.exe
C:\Users\admin\AppData\Local\Temp\WLQADRSV.exe
C:\Users\admin\AppData\Local\Temp\WPRKRF.exe
C:\Users\patsy\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit-1.exe
C:\Users\patsy\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe
C:\Users\patsy\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih.exe
C:\Users\patsy\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih_1.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-05-29 06:40

==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-06-2014
Ran by admin at 2014-06-03 09:40:37
Running from C:\Users\admin\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

Adobe Flash Player 13 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 13.0.0.214 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.9.149 - Adobe Systems, Inc.)
Agatha Christie - Peril at End House (x32 Version: 2.2.0.95 - WildTangent) Hidden
AMD APP SDK Runtime (Version: 2.4.650.9 - Advanced Micro Devices Inc.) Hidden
AMD Fuel (Version: 2011.0705.1115.18310 - AMD) Hidden
AMD Media Foundation Decoders (Version: 1.0.60705.1113 - ATI Technologies Inc.) Hidden
AMD Steady Video Plug-In  (Version: 1.00.0000 - AMD) Hidden
AMD VISION Engine Control Center (x32 Version: 2011.0705.1115.18310 - ATI) Hidden
Apple Application Support (HKLM-x32\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ATI Catalyst Install Manager (HKLM\...\{6153098B-60DB-6A9F-EA0F-B006A96B57D5}) (Version: 3.0.829.0 - ATI Technologies, Inc.)
avast! Free Antivirus (HKLM-x32\...\Avast) (Version: 9.0.2018 - Avast Software)
Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blasterball 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Blio (HKLM-x32\...\{9368DDD5-CE7F-4BD7-A83A-F00FABE338EC}) (Version: 2.2.6699 - K-NFB Reading Technology, Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bonjour Print Services (HKLM\...\{0DA20600-6130-443B-9D4B-F30520315FA6}) (Version: 2.0.2.0 - Apple Inc.)
Bounce Symphony (x32 Version: 2.2.0.97 - WildTangent) Hidden
Cake Mania (x32 Version: 2.2.0.95 - WildTangent) Hidden
Catalyst Control Center - Branding (x32 Version: 1.00.0000 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Graphics Previews Common (x32 Version: 2011.0705.1115.18310 - ATI) Hidden
Catalyst Control Center InstallProxy (x32 Version: 2011.0705.1115.18310 - ATI Technologies, Inc.) Hidden
Catalyst Control Center Localization All (x32 Version: 2011.0705.1115.18310 - ATI) Hidden
CCC Help Chinese Standard (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Chinese Traditional (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Czech (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Danish (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Dutch (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help English (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Finnish (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help French (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help German (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Greek (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Hungarian (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Italian (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Japanese (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Korean (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Norwegian (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Polish (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Portuguese (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Russian (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Spanish (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Swedish (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Thai (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
CCC Help Turkish (x32 Version: 2011.0705.1114.18310 - ATI) Hidden
ccc-utility64 (Version: 2011.0705.1115.18310 - ATI) Hidden
Chronicles of Albian (x32 Version: 2.2.0.95 - WildTangent) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Cradle of Rome 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.5.1.4119 - CyberLink Corp.)
CyberLink YouCam (x32 Version: 3.5.1.4119 - CyberLink Corp.) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
ESU for Microsoft Windows 7 SP1 (HKLM-x32\...\{E96CAA2A-0244-4A2A-8403-0C3C9534778B}) (Version: 2.1.1 - Hewlett-Packard)
Evernote v. 4.2.3 (HKLM-x32\...\{F761359C-9CED-45AE-9A51-9D6605CD55C4}) (Version: 4.2.3.22 - Evernote Corp.)
Farm Frenzy (x32 Version: 2.2.0.95 - WildTangent) Hidden
FATE (x32 Version: 2.2.0.97 - WildTangent) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 35.0.1916.114 - Google Inc.)
Google Update Helper (x32 Version: 1.3.24.7 - Google Inc.) Hidden
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.1.1.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
HP Auto (Version: 1.0.12935.3667 - Hewlett-Packard Company) Hidden
HP Client Services (Version: 1.1.12938.3539 - Hewlett-Packard) Hidden
HP Customer Experience Enhancements (x32 Version: 6.0.1.7 - Hewlett-Packard) Hidden
HP Documentation (HKLM-x32\...\{E56E5D38-5972-420A-9BAF-0F84471E0142}) (Version: 1.1.0.0 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.5 - WildTangent)
HP Launch Box (HKLM\...\{9CAB2212-0732-4827-8EC4-61D8EF0AA65B}) (Version: 1.0.11 - Hewlett-Packard Company)
HP MovieStore (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard Company)
HP MovieStore (x32 Version: 1.0.057 - Hewlett-Packard) Hidden
HP On Screen Display (HKLM-x32\...\{D7670221-BF9B-4DFF-B26B-5BE55A87329F}) (Version: 1.2.2 - Hewlett-Packard Company)
HP Power Manager (HKLM-x32\...\{872B1C80-38EC-4A31-A25C-980820593900}) (Version: 1.2.3 - Hewlett-Packard Company)
HP Quick Launch (HKLM-x32\...\{ABEF00D0-FCAE-4E47-8D4E-D4AE5FD72B15}) (Version: 2.4.3 - Hewlett-Packard Company)
HP QuickWeb (HKLM-x32\...\{999164B6-5B78-4DD3-BACE-7292640AD0DD}) (Version: 3.1.0.9760 - Hewlett-Packard Company)
HP Setup (HKLM-x32\...\{5036764A-435D-40C9-869C-31085A3D741D}) (Version: 8.7.4751.3798 - Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.1.13476.3753 - Hewlett-Packard Company)
HP Software Framework (HKLM-x32\...\{6C302296-6129-4125-9FD6-2188ECD8814E}) (Version: 4.1.6.1 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}) (Version: 6.0.5.4 - Hewlett-Packard Company)
iCloud (HKLM\...\{81E20D41-C277-4526-934D-F2380AF91B78}) (Version: 3.1.0.40 - Apple Inc.)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6341.0 - IDT)
iTunes (HKLM\...\{B8BA155B-1E75-405F-9CB4-8A99615D09DC}) (Version: 11.1.5.5 - Apple Inc.)
Jewel Quest: The Sleepless Star - Collector's Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (x32 Version:  - Microsoft) Hidden
Microsoft Office Access MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISER) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Groove MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (x32 Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (x32 Version:  - Microsoft) Hidden
Microsoft Office Publisher MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft WSE 3.0 Runtime (x32 Version: 3.0.5305.0 - Microsoft Corp.) Hidden
Mozilla Firefox 29.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 29.0.1 (x86 en-US)) (Version: 29.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery of Mortlake Mansion (x32 Version: 2.2.0.97 - WildTangent) Hidden
Namco All-Stars: PAC-MAN (x32 Version: 2.2.0.95 - WildTangent) Hidden
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Ralink RT5390 802.11b/g/n WiFi Adapter (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309B0}) (Version: 3.02.01.0 - Ralink)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.45.516.2011 - Realtek)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.81 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 2.0.0 - Hewlett-Packard) Hidden
RoxioNow Player (HKLM-x32\...\{0EDEB615-1A60-425E-8306-0E10519C7B55}) (Version: 1.9.5.103 - RoxioNow)
Shape Shifter (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110177810}) (Version:  - Oberon Media)
Slingo Supreme (x32 Version: 2.2.0.97 - WildTangent) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics TouchPad Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.29.0 - Synaptics Incorporated)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for Microsoft Office 2007 Help for Common Features (KB963673) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{AB365889-0395-4FAD-B702-CA5985D53D42}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM-x32\...\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM-x32\...\{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISER_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM-x32\...\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (HKLM-x32\...\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{E9A82945-BA29-4EE8-8F2A-2F49545E9CF2}) (Version:  - Microsoft)
Update for Microsoft Office Access 2007 Help (KB963663) (HKLM-x32\...\{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISER_{6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}) (Version:  - Microsoft)
Update for Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISER_{199DF7B6-169C-448C-B511-1054101BE9C9}) (Version:  - Microsoft)
Update for Microsoft Office Infopath 2007 Help (KB963662) (HKLM-x32\...\{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISER_{716B81B8-B13C-41DF-8EAC-7A2F656CAB63}) (Version:  - Microsoft)
Update for Microsoft Office OneNote 2007 Help (KB963670) (HKLM-x32\...\{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISER_{2744EF05-38E1-4D5D-B333-E021EDAEA245}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (HKLM-x32\...\{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{ED38F8A3-4F61-494E-8BCA-E3AC7760C924}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition (HKLM-x32\...\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{53DEC068-4690-4F6B-9946-7D21EF02236B}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 Help (KB963677) (HKLM-x32\...\{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISER_{0451F231-E3E3-4943-AB9F-58EB96171784}) (Version:  - Microsoft)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2880505) 32-Bit Edition (HKLM-x32\...\{91120000-0030-0000-0000-0000000FF1CE}_ENTERPRISER_{2720451F-5D04-43EC-AB1F-26D948FD971B}) (Version:  - Microsoft)
Update for Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISER_{397B1D4F-ED7B-4ACA-A637-43B670843876}) (Version:  - Microsoft)
Update for Microsoft Office Publisher 2007 Help (KB963667) (HKLM-x32\...\{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISER_{2E40DE55-B289-4C8B-8901-5D369B16814F}) (Version:  - Microsoft)
Update for Microsoft Office Script Editor Help (KB963671) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISER_{CD11C6A2-FFC6-4271-8EAB-79C3582F505C}) (Version:  - Microsoft)
Update for Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISER_{80E762AA-C921-4839-9D7D-DB62A72C0726}) (Version:  - Microsoft)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Vacation Quest - The Hawaiian Islands (x32 Version: 2.2.0.97 - WildTangent) Hidden
Virtual Villagers 5 - New Believers (x32 Version: 2.2.0.97 - WildTangent) Hidden
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WildTangent Games App (HP Games) (x32 Version: 4.0.10.5 - WildTangent) Hidden
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Messenger (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden

==================== Restore Points  =========================

13-05-2014 12:46:19 Windows Update
15-05-2014 12:20:36 Windows Update
21-05-2014 12:56:48 Windows Update
29-05-2014 00:56:16 Scheduled Checkpoint
30-05-2014 14:59:52 Windows Update
30-05-2014 16:36:56 Removed Java 7 Update 51
31-05-2014 04:20:46 avast! antivirus system restore point
03-06-2014 14:36:39 Windows Update

==================== Hosts content: ==========================

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {1576F74E-DA07-465E-8FF0-69B65C5C9390} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-05-14] (Adobe Systems Incorporated)
Task: {18A0BECE-15A5-4822-8FCF-ABC182FF6DE7} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-05-29] (Google Inc.)
Task: {32E116E1-82F7-4034-9432-0ECB6E94B205} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2011-06-21] (Hewlett-Packard Company)
Task: {384888DA-E54C-496C-8A35-87AF57E5AF5E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2013-11-22] (Hewlett-Packard)
Task: {449C5860-8B3C-4B7C-A358-1A9D2FE4BBA1} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFMsgr.exe [2011-06-21] (Hewlett-Packard Company)
Task: {450D8C44-3E09-43E7-89F8-A0C3DBA86538} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
Task: {589ECB76-4A3B-4A6C-86FB-2749B9A1069F} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2013-11-22] (Hewlett-Packard)
Task: {81FF7AD6-A2C9-4B77-AF42-A40527CCBAB0} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {8AD3C7AA-1149-4F6D-AB61-F9976C2F1436} - System32\Tasks\HPCeeScheduleForHP-NOTEBOOK$ => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14] (Hewlett-Packard)
Task: {8B00FBC6-4F98-4CD4-8200-9ED33096E969} - System32\Tasks\SetupManager => C:\Program Files (x86)\Hewlett-Packard\Setup Manager\toaster.exe [2011-05-13] (Microsoft)
Task: {B49350A2-8B43-42B0-9B5B-C93AB7F46F9E} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {B4A60195-10AC-4909-9991-2C2A29D1682C} - System32\Tasks\Apple Diagnostics => C:\Program Files (x86)\Common Files\Apple\Internet Services\EReporter.exe [2013-11-20] (Apple Inc.)
Task: {B6C4CF40-C1C6-4317-BC0C-E12897D8B700} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater\HPSFUpdater.exe [2013-02-19] (Hewlett-Packard)
Task: {C0888BEE-7951-4CEF-BFB6-12458A299614} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2014-05-30] (AVAST Software)
Task: {C127014C-52E3-4E32-8420-D525F3964F1C} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2011-06-21] (Hewlett-Packard Company)
Task: {DA00A27E-0F62-4EE3-80D6-AA29ED6994B6} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [2011-06-15] (CyberLink)
Task: {DABB7533-69E7-43D0-ACB9-2EF43596EC0C} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP SoftPaq Installer => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF_Tasks.exe [2011-06-21] (Hewlett-Packard Company)
Task: {EEB37E2A-C802-4961-B862-65A9DD00CFAE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-05-29] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForHP-NOTEBOOK$.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe

==================== Loaded Modules (whitelisted) =============

2011-07-05 14:27 - 2011-07-05 14:27 - 00073728 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2014-05-31 11:04 - 2014-05-31 11:04 - 02259456 _____ () C:\Program Files\AVAST Software\Avast\defs\14053101\algo.dll
2014-06-03 09:34 - 2014-06-03 09:34 - 02260480 _____ () C:\Program Files\AVAST Software\Avast\defs\14060300\algo.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2013-11-22 17:16 - 2013-11-22 17:16 - 19336120 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2014-05-15 19:48 - 2014-05-15 19:49 - 03839088 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\Temp:E50BC565

==================== Safe Mode (whitelisted) ===================


==================== EXE Association (whitelisted) =============


==================== Disabled items from MSCONFIG ==============

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: HP Quick Launch => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
MSCONFIG\startupreg: HPOSD => C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
MSCONFIG\startupreg: HPQuickWebProxy => "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: SetDefault => C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe
MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (06/03/2014 09:33:15 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/31/2014 05:47:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 666608

Error: (05/31/2014 05:47:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 666608

Error: (05/31/2014 05:47:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (05/31/2014 04:57:23 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/31/2014 11:52:41 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/31/2014 11:05:00 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/31/2014 09:54:27 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/31/2014 00:39:26 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Exception code: 0xc0000005
Fault offset: 0x000040cd
Faulting process id: 0x16e4
Faulting application start time: 0xRootkitRevealer.exe0
Faulting application path: RootkitRevealer.exe1
Faulting module path: RootkitRevealer.exe2
Report Id: RootkitRevealer.exe3

Error: (05/31/2014 00:38:38 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa
Exception code: 0xc0000005
Fault offset: 0x000040cd
Faulting process id: 0xe78
Faulting application start time: 0xRootkitRevealer.exe0
Faulting application path: RootkitRevealer.exe1
Faulting module path: RootkitRevealer.exe2
Report Id: RootkitRevealer.exe3


System errors:
=============
Error: (06/03/2014 09:34:03 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (05/31/2014 11:53:25 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (05/31/2014 11:05:41 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (05/31/2014 00:51:38 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\SysWow64\drivers\ajbovv8x.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (05/30/2014 11:27:29 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (05/30/2014 07:20:09 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (05/30/2014 00:04:29 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Server service terminated with the following error:
%%1062

Error: (05/30/2014 00:04:27 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The AMD FUEL Service service terminated with the following error:
%%21

Error: (05/30/2014 11:55:57 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (05/30/2014 11:50:56 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x000000fe (0x0000000000000008, 0x0000000000000006, 0x0000000000000006, 0xfffffa80054a8000)C:\Windows\Minidump\053014-19796-01.dmp053014-19796-01


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Percentage of memory in use: 46%
Total physical RAM: 3562.91 MB
Available physical RAM: 1910.48 MB
Total Pagefile: 7123.99 MB
Available Pagefile: 5071.71 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:447.21 GB) (Free:388.81 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (Recovery) (Fixed) (Total:14.39 GB) (Free:1.6 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:1.1 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 38DAC283)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=447 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=14 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=4 GB) - (Type=0C)

==================== End Of Log ============================



#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:20 PM

Posted 03 June 2014 - 11:10 AM

Hi willie6973

There are still signs of ZA showing in the report.
Let's take care of this.......

Step 1
Please download the attached fixlist.txt file (bottom of this post) and save it to: C:\Users\admin\Desktop.
NOTE.
It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Re-run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.



Step 2
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

CF_download_FF.gif


CF_download_rename.gif

This is an example; you may rename ComboFix to anything you want. Then:

Double click on Combo-Fix.exe & follow the prompts.

Vista/Win7 users should right click on the icon and select Run as Administrator.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    If running Vista/Win7, you will not see the recovery console screens as they are Win XP related
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    cf1.png

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png

    Click on Yes, to continue scanning for malware.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.



    In your next reply, please submit:
    Fixlog.txt
    Combofix.txt


    Thanks.

Attached Files




#5 willie6973

willie6973
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:New Orleans
  • Local time:04:20 PM

Posted 03 June 2014 - 12:25 PM

FRST64 ran, produced a log (posted below) and wants to restart.

 

Do I restart before downloading & running ComboFix?

 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-06-2014
Ran by admin at 2014-06-03 12:17:38 Run:1
Running from C:\Users\admin\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
GroupPolicyUsers\S-1-5-21-209853449-2167449011-705526027-1002\User: Group Policy restriction detected <======= ATTENTION
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll No File
BHO-x32: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO-x32: No Name - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -  No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
C:\Users\patsy\AppData\Local\Google\Desktop\Install
C:\Users\admin\AppData\Local\Temp\ose00000.exe
C:\Users\admin\AppData\Local\Temp\SP54714.exe
C:\Users\admin\AppData\Local\Temp\SP56215.exe
C:\Users\admin\AppData\Local\Temp\SP56878.exe
C:\Users\admin\AppData\Local\Temp\SP56929.exe
C:\Users\admin\AppData\Local\Temp\WLQADRSV.exe
C:\Users\admin\AppData\Local\Temp\WPRKRF.exe
C:\Users\patsy\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit-1.exe
C:\Users\patsy\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe
C:\Users\patsy\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih.exe
C:\Users\patsy\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih_1.exe
AlternateDataStreams: C:\ProgramData\Temp:E50BC565
Hosts:
Reboot:

*****************

C:\Windows\system32\GroupPolicyUsers\S-1-5-21-209853449-2167449011-705526027-1002\User => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKCR\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C680BAE-655C-4E3D-8FC4-E6A520C3D928} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{6C680BAE-655C-4E3D-8FC4-E6A520C3D928} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => Value deleted successfully.
HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Value deleted successfully.
HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
HKCR\PROTOCOLS\Handler\linkscanner => Key deleted successfully.
HKCR\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => Key deleted successfully.
HKCR\Wow6432Node\PROTOCOLS\Handler\linkscanner => Key not found.
HKCR\Wow6432Node\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => Key deleted successfully.
C:\Users\patsy\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Users\admin\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\admin\AppData\Local\Temp\SP54714.exe => Moved successfully.
C:\Users\admin\AppData\Local\Temp\SP56215.exe => Moved successfully.
C:\Users\admin\AppData\Local\Temp\SP56878.exe => Moved successfully.
C:\Users\admin\AppData\Local\Temp\SP56929.exe => Moved successfully.
C:\Users\admin\AppData\Local\Temp\WLQADRSV.exe => Moved successfully.
C:\Users\admin\AppData\Local\Temp\WPRKRF.exe => Moved successfully.
C:\Users\patsy\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit-1.exe => Moved successfully.
C:\Users\patsy\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe => Moved successfully.
C:\Users\patsy\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih.exe => Moved successfully.
C:\Users\patsy\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih_1.exe => Moved successfully.
C:\ProgramData\Temp => ":E50BC565" ADS removed successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.


The system needed a reboot.

==== End of Fixlog ====



#6 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:20 PM

Posted 03 June 2014 - 12:49 PM

Yes, please reboot the system and then continue with Combofix.



#7 willie6973

willie6973
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:New Orleans
  • Local time:04:20 PM

Posted 03 June 2014 - 02:31 PM

Combo-Fix run posted below.

NOTE - Windows Firewall was NOT turned off (my mistake).

MBAM, Avast AV and Win Defender were turned off.

 

Also Combo-Fix ran WITHOUT stopping to install the Windows Recovery Console, even though this is a Win7 system.

The machine does have extra partitions: recovery and hp_tools.

 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

ComboFix 14-06-03.01 - admin 06/03/2014  13:21:40.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3563.2175 [GMT -5:00]
Running from: c:\users\admin\Desktop\Combo-Fix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-05-03 to 2014-06-03  )))))))))))))))))))))))))))))))
.
.
2014-06-03 19:13 . 2014-06-03 19:13    --------    d-----w-    c:\users\patsy\AppData\Local\temp
2014-06-03 19:13 . 2014-06-03 19:13    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-06-03 19:13 . 2014-06-03 19:13    --------    d-----w-    c:\users\jim\AppData\Local\temp
2014-06-03 14:39 . 2014-06-03 17:17    --------    d-----w-    C:\FRST
2014-06-03 14:37 . 2014-04-30 23:20    10702536    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{3AA24CD2-922E-4B19-A57A-3DAC3B010247}\mpengine.dll
2014-05-31 05:47 . 2014-05-31 05:48    --------    d-----w-    c:\users\admin\Pavark
2014-05-31 05:38 . 2014-05-31 05:39    --------    d-----w-    c:\users\admin\AppData\Local\CrashDumps
2014-05-31 05:32 . 2014-05-31 05:32    --------    d-----w-    c:\programdata\RogueKiller
2014-05-31 04:22 . 2014-05-31 04:22    29208    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2014-05-31 04:22 . 2014-05-31 04:22    43152    ----a-w-    c:\windows\avastSS.scr
2014-05-30 15:28 . 2014-05-30 15:28    --------    d-----w-    c:\users\patsy\New folder
2014-05-30 12:08 . 2014-05-30 15:04    --------    d---a-w-    C:\Kaspersky Rescue Disk 10.0
2014-05-29 17:57 . 2014-05-31 15:50    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-05-29 17:30 . 2014-06-03 17:54    122584    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-29 17:30 . 2014-05-31 15:35    91352    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-05-29 17:30 . 2014-05-31 15:09    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-05-29 17:30 . 2014-05-29 17:30    --------    d-----w-    c:\programdata\Malwarebytes
2014-05-29 17:30 . 2014-05-12 12:26    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-05-29 17:30 . 2014-05-12 12:25    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-05-29 17:29 . 2014-05-29 17:29    --------    d-----w-    c:\users\admin\AppData\Local\Programs
2014-05-15 12:28 . 2014-05-06 04:40    23544320    ----a-w-    c:\windows\system32\mshtml.dll
2014-05-15 12:28 . 2014-05-06 03:00    84992    ----a-w-    c:\windows\system32\mshtmled.dll
2014-05-15 12:28 . 2014-05-06 04:17    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-05-15 12:28 . 2014-05-06 03:07    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2014-05-14 12:58 . 2014-03-25 02:43    14175744    ----a-w-    c:\windows\system32\shell32.dll
2014-05-14 12:58 . 2014-05-09 06:14    477184    ----a-w-    c:\windows\system32\aepdu.dll
2014-05-14 12:58 . 2014-05-09 06:11    424448    ----a-w-    c:\windows\system32\aeinv.dll
2014-05-08 13:48 . 2014-05-08 13:48    227704    ----a-w-    c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
2014-05-07 12:16 . 2014-05-15 12:37    --------    d-s---w-    c:\windows\system32\CompatTel
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-31 04:23 . 2014-01-21 18:41    85328    ----a-w-    c:\windows\system32\drivers\aswstm.sys
2014-05-31 04:23 . 2013-11-22 22:17    1039096    ----a-w-    c:\windows\system32\drivers\aswsnx.sys
2014-05-31 04:23 . 2013-11-22 22:17    423240    ----a-w-    c:\windows\system32\drivers\aswsp.sys
2014-05-31 04:22 . 2013-11-22 22:17    208416    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2014-05-31 04:22 . 2013-11-22 22:17    65776    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-05-31 04:22 . 2013-11-22 22:17    79184    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2014-05-31 04:22 . 2013-11-22 22:17    93568    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2014-05-31 04:22 . 2013-11-22 22:17    334648    ----a-w-    c:\windows\system32\aswBoot.exe
2014-05-15 12:24 . 2012-01-03 02:23    93223848    ----a-w-    c:\windows\system32\MRT.exe
2014-05-14 17:49 . 2012-04-02 21:10    692400    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-14 17:49 . 2011-07-21 04:31    70832    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-01 03:46 . 2014-04-01 03:46    130712    ----a-w-    c:\windows\SysWow64\MSSTDFMT.DLL
2014-04-01 03:46 . 2014-04-01 03:46    1070232    ----a-w-    c:\windows\SysWow64\MSCOMCTL.OCX
2014-03-31 14:35 . 2010-11-21 03:27    270496    ------w-    c:\windows\system32\MpSigStub.exe
2014-03-06 09:31 . 2014-04-18 12:32    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-06 08:59 . 2014-04-18 12:32    66048    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-06 08:57 . 2014-04-18 12:32    548352    ----a-w-    c:\windows\system32\vbscript.dll
2014-03-06 08:57 . 2014-04-18 12:31    48640    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-06 08:53 . 2014-04-18 12:31    2767360    ----a-w-    c:\windows\system32\iertutil.dll
2014-03-06 08:40 . 2014-04-18 12:32    51200    ----a-w-    c:\windows\system32\jsproxy.dll
2014-03-06 08:39 . 2014-04-18 12:32    33792    ----a-w-    c:\windows\system32\iernonce.dll
2014-03-06 08:32 . 2014-04-18 12:32    574976    ----a-w-    c:\windows\system32\ieui.dll
2014-03-06 08:29 . 2014-04-18 12:32    139264    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-06 08:29 . 2014-04-18 12:31    111616    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-06 08:28 . 2014-04-18 12:32    752640    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-06 08:15 . 2014-04-18 12:31    940032    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-06 08:11 . 2014-04-18 12:31    5784064    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-06 08:09 . 2014-04-18 12:32    453120    ----a-w-    c:\windows\system32\dxtmsft.dll
2014-03-06 08:03 . 2014-04-18 12:32    586240    ----a-w-    c:\windows\system32\ie4uinit.exe
2014-03-06 08:02 . 2014-04-18 12:32    61952    ----a-w-    c:\windows\SysWow64\iesetup.dll
2014-03-06 08:02 . 2014-04-18 12:32    455168    ----a-w-    c:\windows\SysWow64\vbscript.dll
2014-03-06 08:01 . 2014-04-18 12:31    51200    ----a-w-    c:\windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56 . 2014-04-18 12:32    38400    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2014-03-06 07:48 . 2014-04-18 12:32    195584    ----a-w-    c:\windows\system32\msrating.dll
2014-03-06 07:46 . 2014-04-18 12:31    4254720    ----a-w-    c:\windows\SysWow64\jscript9.dll
2014-03-06 07:42 . 2014-04-18 12:32    296960    ----a-w-    c:\windows\system32\dxtrans.dll
2014-03-06 07:38 . 2014-04-18 12:32    112128    ----a-w-    c:\windows\SysWow64\ieUnatt.exe
2014-03-06 07:36 . 2014-04-18 12:31    592896    ----a-w-    c:\windows\SysWow64\jscript9diag.dll
2014-03-06 07:21 . 2014-04-18 12:32    628736    ----a-w-    c:\windows\system32\msfeeds.dll
2014-03-06 07:13 . 2014-04-18 12:32    32256    ----a-w-    c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11 . 2014-04-18 12:31    2043904    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-06 06:53 . 2014-04-18 12:31    13551104    ----a-w-    c:\windows\system32\ieframe.dll
2014-03-06 06:40 . 2014-04-18 12:31    1967104    ----a-w-    c:\windows\SysWow64\inetcpl.cpl
2014-03-06 06:22 . 2014-04-18 12:31    2260480    ----a-w-    c:\windows\system32\wininet.dll
2014-03-06 05:58 . 2014-04-18 12:31    1400832    ----a-w-    c:\windows\system32\urlmon.dll
2014-03-06 05:50 . 2014-04-18 12:31    846336    ----a-w-    c:\windows\system32\ieapfltr.dll
2014-03-06 05:41 . 2014-04-18 12:31    1789440    ----a-w-    c:\windows\SysWow64\wininet.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-05-31 3888648]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [x]
S2 RoxioNow Service;RoxioNow Service;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe;c:\program files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-05-22 21:04    1091912    ----a-w-    c:\program files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-06-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 17:49]
.
2014-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-05-29 17:08]
.
2014-06-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-05-29 17:08]
.
2014-05-04 c:\windows\Tasks\HPCeeScheduleForHP-NOTEBOOK$.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 05:15]
.
2013-01-30 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-23 21:16]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-05-31 04:22    290888    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-06-08 1128448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCPluginUpdater"="c:\program files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" [2014-01-29 21720]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\4gy45imv.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-06-03  14:16:24
ComboFix-quarantined-files.txt  2014-06-03 19:16
.
Pre-Run: 418,653,298,688 bytes free
Post-Run: 419,553,824,768 bytes free
.
- - End Of File - - 08746E68767F5F1EAEE626F301EA74AA
A36C5E4F47E84449FF07ED3517B43A31
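The ComboFix "Reg Loading Points" section above is a one-shot snapshot of the Run/RunOnce keys, services, drivers and legacy .job tasks. The script below is an added example (my code, not ComboFix's and not posted by anyone in this thread) that re-enumerates the same loading points live on the machine and checks the Authenticode status of every binary they reference, so a post-cleanup state can be re-checked without running ComboFix again. Assumptions: it is run from an elevated PowerShell prompt; it deliberately sticks to PowerShell 2.0-era cmdlets so it runs on a stock Windows 7 install; and, because Get-AuthenticodeSignature on Windows 7 reports NotSigned for catalog-signed Microsoft files, the flagged list is a triage list to compare against a known-good system, not a verdict.

```powershell
# Added example (not from the thread): re-enumerate the loading points ComboFix
# lists (Run/RunOnce in both registry views, services and kernel drivers, the
# legacy Tasks folder) and check the Authenticode signature of each binary.
# Run elevated. The script flags; it never deletes anything.
# Caveat (assumption, see lead-in): on Windows 7, catalog-signed Microsoft
# files come back as NotSigned, so treat the output as a list to review.

function Get-ImagePath {
    # Pull the executable path out of a command line such as
    #   "c:\program files\AVAST Software\Avast\AvastUI.exe" /nogui
    #   c:\windows\system32\svchost.exe -k netsvcs
    #   system32\DRIVERS\amd_sata.sys          (driver ImagePath, relative to %SystemRoot%)
    #   \??\C:\Windows\...\x.sys  /  \SystemRoot\system32\drivers\x.sys
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end  = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        # Unquoted: everything up to the first .exe/.sys/.dll token, spaces included.
        $m = [regex]::Match($cmd, '^(.+?\.(exe|sys|dll))', 'IgnoreCase')
        $path = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split ' ')[0] }
    }
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($path -notmatch '^[A-Za-z]:\\') {
        # Bare names (rundll32.exe) resolve against System32; relative paths against %SystemRoot%.
        $base = if ($path -match '\\') { $env:SystemRoot } else { Join-Path $env:SystemRoot 'System32' }
        $path = Join-Path $base $path
    }
    return $path
}

function Test-LoadingPoint {
    # One row per loading point: where it came from, what it points at, signature state.
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path   = Get-ImagePath $CommandLine
    $status = 'NoImagePath'
    if ($path) {
        if (Test-Path -LiteralPath $path) {
            $status = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        } else {
            $status = 'FileNotFound'
        }
    }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Path = $path; Signature = $status
        Flag   = ($status -ne 'Valid')
    }
}

$results = @()

# 1. Run / RunOnce: native 64-bit view, Wow6432Node (32-bit) view, and the current user's hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath/PSParentPath/... provider noise
        $results += Test-LoadingPoint -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
    }
}

# 2. Services and kernel drivers as the Service Control Manager sees them (ComboFix's R*/S* lines).
foreach ($svc in (Get-WmiObject Win32_Service)) {
    $results += Test-LoadingPoint -Source 'Service' -Name $svc.Name -CommandLine $svc.PathName
}
foreach ($drv in (Get-WmiObject Win32_SystemDriver)) {
    $results += Test-LoadingPoint -Source 'Driver' -Name $drv.Name -CommandLine $drv.PathName
}

# 3. Legacy .job files in %SystemRoot%\Tasks (the "Scheduled Tasks" folder ComboFix prints).
Get-ChildItem -Path (Join-Path $env:SystemRoot 'Tasks') -Filter *.job -ErrorAction SilentlyContinue |
    ForEach-Object {
        $results += New-Object PSObject -Property @{
            Source = 'Tasks'; Name = $_.Name; Path = $_.FullName
            Signature = 'n/a (job file)'; Flag = $false
        }
    }

# Report everything that is not a present, validly signed file.
$results | Where-Object { $_.Flag } |
    Sort-Object Source, Name |
    Format-Table Source, Name, Signature, Path -AutoSize
```

Run it before and after a cleanup and diff the two reports; a loading point that appears in only one of them, or whose binary has moved, is what to look at next. Randomly named entries under a Run key or a driver whose image path sits outside the normal driver directory would show up here as FileNotFound or NotSigned rows with an unfamiliar path.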
 



#8 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:20 PM

Posted 03 June 2014 - 04:30 PM

Hi willie6973
 

> NOTE - Windows Firewall was NOT turned off. (my mistake).

Not a problem.... Combofix ran fine.
 

> combo-fix ran WITHOUT stopping to install Windows Recovery Console.

The Recovery Console is only needed on Win XP systems..... that's why Combofix didn't mention it.

The report looks good.
The FRST fix ran as it should and has removed the leftovers that we could see.

I'd like to double check everything now.

I'd like you to do an ESET OnlineScan
64Bit users, please see note at the bottom.

You may find it beneficial to close your resident AV program before running the scan.

It's been found that on some systems ESET's Online Scan fails during the database download (around 20%).
To prevent this happening:
When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Click esetExport.png, and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the esetBack.png button.
  • Click esetFinish.png
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Note:
As you are running a 64bit system:
The ESET Online Scanner is a 32-bit application, which means it must be run through the 32-bit version of Internet Explorer, and as an Administrator. To do so, right-click on the Internet Explorer (32-bit) icon in the Start Menu and select "Run as administrator" from the context menu.


In your next reply, please submit:
Eset scan report ( if anything is found )
also let me know of any outstanding problems with the system.


Thanks.



#9 willie6973

willie6973
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:New Orleans
  • Local time:04:20 PM

Posted 04 June 2014 - 04:08 PM

ESET log below
reported - 1 potentially unsafe application deleted - quarantined - google toolbar
System seems fine otherwise. Shut down / restart OK.
 
I did have some issues getting it to run. Probably just a slight change in the UI Q&A.
    Used blue button "Run ESET Online Scanner" to start.
    options:
        Enable detection of potentially unsafe applications
        Remove found threats
        scan for potentially unsafe applications
        Enable anti stealth technology
        Current scan targets:  Operating Memory, Local drives (I left the default unchanged)
 
      Had to change IE to allow ActiveX on the ESET online scan loader web page
 
 
Restarted all AV / anti-malware.
Browsed the internet a little.
 
I pulled the file reported by ESET out of quarantine and submitted it to VirusTotal.
Reports - Probably harmless! There are strong indicators suggesting that this file is safe to use.
 
Re-ran the initial Am I Infected tools, all in non-intrusive mode:
Security Check, FSS, MiniToolBox, MBAM, MBAR, RKILL.
Only one thing jumped out at me - MBAM reports a reg key Trojan.Zaccess.
The rest I am not able to fully understand / identify problems.
 
 
Should I just let MBAM fix the reg key?
Other?
 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
 
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=8
# IEXPLORE.EXE=11.00.9600.16428 (winblue_gdr.131013-1700)
# OnlineScanner.ocx=1.0.0.7587
# api_version=3.0.2
# EOSSerial=c664e1c2ccf9d14988f05c824a22e59e
# engine=18546
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-06-04 01:56:44
# local_time=2014-06-04 08:56:44 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='avast! Antivirus'
# compatibility_mode=783 16777213 100 97 0 16648786 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 0 153433654 0 0
# scanned=171440
# found=1
# cleaned=1
# scan_time=36161
sh=0F97FB08E6FC4500F86E64D3285C171C6462BD61 ft=1 fh=acbbffe185c36761 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\admin\Downloads\ccsetup410.exe"
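The `sh=` field on ESET's detection line is the SHA-1 of the file it acted on, which is all a hash-based lookup needs. The script below is an added example (my code, not ESET's and not posted in this thread): it parses ESET Online Scanner log lines of the form shown above, reports the logged SHA-1 together with a lookup link, and, if a copy of the file is on disk, hashes it to confirm it is the same object ESET judged. Assumptions: the VirusTotal URL form `https://www.virustotal.com/gui/file/<hash>` is used for the link; the `ft=` and `fh=` fields are ESET-internal and are treated as opaque; and .NET's SHA1 class is used instead of Get-FileHash so it runs on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example (not from the thread): read detection lines out of an ESET
# Online Scanner log, take the SHA-1 ESET recorded in the sh= field, and
# compare it against a file on disk. The hash alone is enough for a lookup,
# so a quarantined sample never has to be restored or uploaded.
# Uses System.Security.Cryptography.SHA1 directly so it also works on
# PowerShell 2.0 (Get-FileHash only exists from PowerShell 4.0).

function ConvertFrom-EsetLogLine {
    # Detection lines look like:
    #   sh=<sha1> ft=1 fh=<id> vn="<verdict> (action)" ac=C fn="<path>"
    # Lines starting with '#' are header/metadata and are skipped.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, '^sh=(?<sha1>[0-9A-Fa-f]{40})\s.*?\svn="(?<verdict>[^"]*)".*?\sfn="(?<file>[^"]*)"')
        if (-not $m.Success) { continue }
        New-Object PSObject -Property @{
            Sha1    = $m.Groups['sha1'].Value.ToUpper()
            Verdict = $m.Groups['verdict'].Value
            File    = $m.Groups['file'].Value
            # Assumed URL form for a by-hash lookup (see lead-in).
            VTLink  = 'https://www.virustotal.com/gui/file/' + $m.Groups['sha1'].Value.ToLower()
        }
    }
}

function Get-FileSha1 {
    # Hex SHA-1 of a file, uppercase, no separators (same form as ESET's sh= field).
    param([string]$Path)
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha1.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

# Sample input: the detection line copied from the log above, plus one header
# line to show that header lines are ignored.
$sampleLog = @(
    '# found=1',
    'sh=0F97FB08E6FC4500F86E64D3285C171C6462BD61 ft=1 fh=acbbffe185c36761 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\admin\Downloads\ccsetup410.exe"'
)

foreach ($hit in (ConvertFrom-EsetLogLine -Lines $sampleLog)) {
    Write-Host ("ESET verdict : {0}" -f $hit.Verdict)
    Write-Host ("Logged SHA-1 : {0}" -f $hit.Sha1)
    Write-Host ("Look up      : {0}" -f $hit.VTLink)
    # If a copy of the file exists (for example a fresh download of the same
    # installer), confirm it is byte-for-byte the object ESET judged.
    if (Test-Path -LiteralPath $hit.File) {
        $actual = Get-FileSha1 -Path $hit.File
        if ($actual -eq $hit.Sha1) {
            Write-Host "On-disk file matches the logged hash."
        } else {
            Write-Host "MISMATCH: on-disk file is $actual (different file, or modified since the scan)."
        }
    } else {
        Write-Host "File not present (removed/quarantined) - use the logged hash for the lookup."
    }
}
```

To run it against a real log, replace `$sampleLog` with `Get-Content 'C:\Program Files\ESET\ESET Online Scanner\log.txt'`. Because the comparison is done on the hash, the lookup works whether or not the file is still on the machine, which is the safer route than restoring a detection from quarantine in order to upload it.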


#10 willie6973

willie6973
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:New Orleans
  • Local time:04:20 PM

Posted 04 June 2014 - 04:13 PM

OK, the previous post just went live without any review / approval. Must have fumble-fingered a hot key to POST.

It looks good.  almost complete.

 

re ESET issue - in order to get it to run I had to allow ActiveX filtering per MS

 http://windows.microsoft.com/en-US/internet-explorer/use-activex-filtering?ocid=IE10_infobar_activex#ie=ie-11-win-7

 

 

Here are the logs from Security Check, FSS, MiniToolBox, MBAM, MBAR, RKILL.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
 
 Results of screen317's Security Check version 0.99.83  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Adobe Flash Player 13.0.0.214  
 Adobe Reader XI  
 Mozilla Firefox (29.0.1) 
 Google Chrome 34.0.1847.137  
 Google Chrome 35.0.1916.114  
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamscheduler.exe   
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 
 
 
 
Farbar Service Scanner Version: 21-05-2014
Ran by admin (administrator) on 04-06-2014 at 12:09:57
Running from "C:\Users\admin\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
 
 
**** End of log ****
 
 
MiniToolBox by Farbar  Version: 23-01-2014
Ran by admin (administrator) on 04-06-2014 at 12:11:19
Running from "C:\Users\admin\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
========================= FF Proxy Settings: ============================== 
 
========================= Hosts content: =================================
 
 
========================= IP Configuration: ================================
 
Realtek PCIe FE Family Controller = Local Area Connection (Connected)
Ralink RT5390 802.11b/g/n WiFi Adapter = Wireless Network Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : HP-notebook
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : gateway.2wire.net
 
Wireless LAN adapter Wireless Network Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 60-D8-19-39-D6-9D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : gateway.2wire.net
   Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
   Physical Address. . . . . . . . . : 78-E3-B5-63-22-80
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1cea:53da:a087:2be4%12(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.73(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, June 04, 2014 11:40:28 AM
   Lease Expires . . . . . . . . . . : Thursday, June 05, 2014 11:40:28 AM
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 343466933
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-7A-ED-5A-60-D8-19-39-D6-9C
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Wireless LAN adapter Wireless Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : gateway.2wire.net
   Description . . . . . . . . . . . : Ralink RT5390 802.11b/g/n WiFi Adapter
   Physical Address. . . . . . . . . : 60-D8-19-39-D6-9C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter isatap.gateway.2wire.net:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : gateway.2wire.net
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:90d7:2c2a:12c2:93b7:c9f8(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::2c2a:12c2:93b7:c9f8%13(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  homeportal
Address:  192.168.1.254
 
Name:    google.com
Addresses:  2607:f8b0:4002:c07::71
 74.125.196.113
 74.125.196.138
 74.125.196.101
 74.125.196.100
 74.125.196.102
 74.125.196.139
 
 
Pinging google.com [74.125.196.102] with 32 bytes of data:
Reply from 74.125.196.102: bytes=32 time=36ms TTL=43
Reply from 74.125.196.102: bytes=32 time=34ms TTL=43
 
Ping statistics for 74.125.196.102:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 34ms, Maximum = 36ms, Average = 35ms
Server:  homeportal
Address:  192.168.1.254
 
Name:    yahoo.com
Addresses:  98.139.183.24
 98.138.253.109
 206.190.36.45
 
 
Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=93ms TTL=46
Reply from 98.138.253.109: bytes=32 time=81ms TTL=46
 
Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 81ms, Maximum = 93ms, Average = 87ms
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 14...60 d8 19 39 d6 9d ......Microsoft Virtual WiFi Miniport Adapter
 12...78 e3 b5 63 22 80 ......Realtek PCIe FE Family Controller
 11...60 d8 19 39 d6 9c ......Ralink RT5390 802.11b/g/n WiFi Adapter
  1...........................Software Loopback Interface 1
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.73     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.73    276
     192.168.1.73  255.255.255.255         On-link      192.168.1.73    276
    192.168.1.255  255.255.255.255         On-link      192.168.1.73    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.1.73    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.1.73    276
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 13     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 13     58 2001::/32                On-link
 13    306 2001:0:9d38:90d7:2c2a:12c2:93b7:c9f8/128
                                    On-link
 12    276 fe80::/64                On-link
 13    306 fe80::/64                On-link
 12    276 fe80::1cea:53da:a087:2be4/128
                                    On-link
 13    306 fe80::2c2a:12c2:93b7:c9f8/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    306 ff00::/8                 On-link
 12    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 09 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (06/04/2014 11:40:18 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/04/2014 10:03:27 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error: (06/04/2014 09:24:55 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error: (06/04/2014 08:35:43 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 29221296
 
Error: (06/04/2014 08:35:43 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 29221296
 
Error: (06/04/2014 08:35:43 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (06/04/2014 08:35:41 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 29218769
 
Error: (06/04/2014 08:35:41 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 29218769
 
Error: (06/04/2014 08:35:40 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (06/04/2014 00:28:53 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 12027
 
 
System errors:
=============
Error: (06/04/2014 11:41:02 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (06/03/2014 10:49:32 PM) (Source: Service Control Manager) (User: )
Description: The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: 
%%31
 
Error: (06/03/2014 04:09:15 PM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}
 
Error: (06/03/2014 02:14:09 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (06/03/2014 02:01:19 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (06/03/2014 00:55:09 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (06/03/2014 09:34:03 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (05/31/2014 11:53:25 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (05/31/2014 11:05:41 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)
 
Error: (05/31/2014 00:51:38 AM) (Source: Application Popup) (User: )
Description: \??\C:\Windows\SysWow64\drivers\ajbovv8x.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
 
Microsoft Office Sessions:
=========================
 
=========================== Installed Programs ============================
 
Adobe Flash Player 13 Plugin (Version: 13.0.0.214)
Adobe Reader XI (11.0.07) (Version: 11.0.07)
Adobe Shockwave Player 12.0 (Version: 12.0.9.149)
Agatha Christie - Peril at End House (Version: 2.2.0.95)
AMD APP SDK Runtime (Version: 2.4.650.9)
AMD Fuel (Version: 2011.0705.1115.18310)
AMD Media Foundation Decoders (Version: 1.0.60705.1113)
AMD Steady Video Plug-In  (Version: 1.00.0000)
AMD VISION Engine Control Center (Version: 2011.0705.1115.18310)
Apple Application Support (Version: 3.0.1)
Apple Mobile Device Support (Version: 7.1.1.3)
Apple Software Update (Version: 2.1.3.127)
ATI Catalyst Install Manager (Version: 3.0.829.0)
avast! Free Antivirus (Version: 9.0.2018)
Bejeweled 3 (Version: 2.2.0.97)
Blackhawk Striker 2 (Version: 2.2.0.95)
Blasterball 3 (Version: 2.2.0.97)
Blio (Version: 2.2.6699)
Bonjour (Version: 3.0.0.10)
Bonjour Print Services (Version: 2.0.2.0)
Bounce Symphony (Version: 2.2.0.97)
Cake Mania (Version: 2.2.0.95)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center Graphics Previews Common (Version: 2011.0705.1115.18310)
Catalyst Control Center InstallProxy (Version: 2011.0705.1115.18310)
Catalyst Control Center Localization All (Version: 2011.0705.1115.18310)
CCC Help Chinese Standard (Version: 2011.0705.1114.18310)
CCC Help Chinese Traditional (Version: 2011.0705.1114.18310)
CCC Help Czech (Version: 2011.0705.1114.18310)
CCC Help Danish (Version: 2011.0705.1114.18310)
CCC Help Dutch (Version: 2011.0705.1114.18310)
CCC Help English (Version: 2011.0705.1114.18310)
CCC Help Finnish (Version: 2011.0705.1114.18310)
CCC Help French (Version: 2011.0705.1114.18310)
CCC Help German (Version: 2011.0705.1114.18310)
CCC Help Greek (Version: 2011.0705.1114.18310)
CCC Help Hungarian (Version: 2011.0705.1114.18310)
CCC Help Italian (Version: 2011.0705.1114.18310)
CCC Help Japanese (Version: 2011.0705.1114.18310)
CCC Help Korean (Version: 2011.0705.1114.18310)
CCC Help Norwegian (Version: 2011.0705.1114.18310)
CCC Help Polish (Version: 2011.0705.1114.18310)
CCC Help Portuguese (Version: 2011.0705.1114.18310)
CCC Help Russian (Version: 2011.0705.1114.18310)
CCC Help Spanish (Version: 2011.0705.1114.18310)
CCC Help Swedish (Version: 2011.0705.1114.18310)
CCC Help Thai (Version: 2011.0705.1114.18310)
CCC Help Turkish (Version: 2011.0705.1114.18310)
ccc-utility64 (Version: 2011.0705.1115.18310)
Chronicles of Albian (Version: 2.2.0.95)
Chuzzle Deluxe (Version: 2.2.0.95)
Cradle of Rome 2 (Version: 2.2.0.95)
CyberLink YouCam (Version: 3.5.1.4119)
D3DX10 (Version: 15.4.2368.0902)
ESET Online Scanner v3
ESU for Microsoft Windows 7 SP1 (Version: 2.1.1)
Evernote v. 4.2.3 (Version: 4.2.3.22)
Farm Frenzy (Version: 2.2.0.95)
FATE (Version: 2.2.0.97)
Google Chrome (Version: 35.0.1916.114)
Google Update Helper (Version: 1.3.24.7)
Governor of Poker 2 Premium Edition (Version: 2.2.0.95)
Hewlett-Packard ACLM.NET v1.1.1.0 (Version: 1.00.0000)
HP Auto (Version: 1.0.12935.3667)
HP Client Services (Version: 1.1.12938.3539)
HP Customer Experience Enhancements (Version: 6.0.1.7)
HP Documentation (Version: 1.1.0.0)
HP Games (Version: 1.0.2.5)
HP Launch Box (Version: 1.0.11)
HP MovieStore (Version: 1.0.057)
HP MovieStore (Version: 2.0)
HP On Screen Display (Version: 1.2.2)
HP Power Manager (Version: 1.2.3)
HP Quick Launch (Version: 2.4.3)
HP QuickWeb (Version: 3.1.0.9760)
HP Setup (Version: 8.7.4751.3798)
HP Setup Manager (Version: 1.1.13476.3753)
HP Software Framework (Version: 4.1.6.1)
HP Support Assistant (Version: 6.0.5.4)
iCloud (Version: 3.1.0.40)
IDT Audio (Version: 1.0.6341.0)
iTunes (Version: 11.1.5.5)
Jewel Quest: The Sleepless Star - Collector's Edition (Version: 2.2.0.95)
Junk Mail filter update (Version: 15.4.3502.0922)
Mah Jong Medley (Version: 2.2.0.95)
Malwarebytes Anti-Malware version 2.0.2.1012 (Version: 2.0.2.1012)
Mesh Runtime (Version: 15.4.5722.2)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Enterprise 2007 (Version: 12.0.6612.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Groove MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Groove Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000)
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000)
Microsoft Silverlight (Version: 5.1.30214.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft WSE 3.0 Runtime (Version: 3.0.5305.0)
Mozilla Firefox 29.0.1 (x86 en-US) (Version: 29.0.1)
Mozilla Maintenance Service (Version: 29.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Mystery of Mortlake Mansion (Version: 2.2.0.97)
Namco All-Stars: PAC-MAN (Version: 2.2.0.95)
Penguins! (Version: 2.2.0.95)
Plants vs. Zombies - Game of the Year (Version: 2.2.0.95)
PlayReady PC Runtime x86 (Version: 1.3.0)
Poker Superstars III (Version: 2.2.0.95)
Polar Bowler (Version: 2.2.0.97)
Polar Golfer (Version: 2.2.0.95)
QuickTime 7 (Version: 7.75.80.95)
Ralink RT5390 802.11b/g/n WiFi Adapter (Version: 3.02.01.0)
Realtek Ethernet Controller Driver (Version: 7.45.516.2011)
Realtek PCIE Card Reader (Version: 6.1.7601.81)
Recovery Manager (Version: 2.0.0)
RoxioNow Player (Version: 1.9.5.103)
Shape Shifter
Slingo Supreme (Version: 2.2.0.97)
swMSM (Version: 12.0.0.1)
Synaptics TouchPad Driver (Version: 15.3.29.0)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2880505) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update Installer for WildTangent Games App
Vacation Quest - The Hawaiian Islands (Version: 2.2.0.97)
Virtual Villagers 5 - New Believers (Version: 2.2.0.97)
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
Visual Studio 2010 x64 Redistributables (Version: 13.0.0.1)
Visual Studio 2012 x64 Redistributables (Version: 14.0.0.1)
Visual Studio 2012 x86 Redistributables (Version: 14.0.0.1)
WildTangent Games App (HP Games) (Version: 4.0.10.5)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3508.1109)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Zuma Deluxe (Version: 2.2.0.95)
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 41%
Total physical RAM: 3562.91 MB
Available physical RAM: 2070.42 MB
Total Pagefile: 7123.99 MB
Available Pagefile: 5576.17 MB
Total Virtual: 4095.88 MB
Available Virtual: 3967.54 MB
 
========================= Partitions: =====================================
 
1 Drive c: () (Fixed) (Total:447.21 GB) (Free:386.83 GB) NTFS
2 Drive d: (Recovery) (Fixed) (Total:14.39 GB) (Free:1.6 GB) NTFS
3 Drive e: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:1.1 GB) FAT32
 
========================= Users: ========================================
 
User accounts for \\HP-NOTEBOOK
 
admin                    Administrator            Guest                    
jim                      patsy                    
 
========================= Restore Points ==================================
 
13-05-2014 12:46:19 Windows Update
15-05-2014 12:20:36 Windows Update
21-05-2014 12:56:48 Windows Update
29-05-2014 00:56:16 Scheduled Checkpoint
30-05-2014 14:59:52 Windows Update
30-05-2014 16:36:56 Removed Java 7 Update 51
31-05-2014 04:20:46 avast! antivirus system restore point
03-06-2014 14:36:39 Windows Update
 
**** End of log ****
 
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 6/4/2014
Scan Time: 12:14:52 PM
Logfile: mbam.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.06.04.07
Rootkit Database: v2014.06.02.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: admin
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 349222
Time Elapsed: 17 min, 1 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 1
Trojan.Zaccess, HKU\S-1-5-21-209853449-2167449011-705526027-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Update^‚?Æ‚ù§, , [49690f64bfbc8caacf6e956da45c10f0], 
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org
 
Database version: v2014.06.04.07
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17107
admin :: HP-NOTEBOOK [administrator]
 
6/4/2014 12:45:48 PM
mbar-log-2014-06-04 (12-45-48).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 342687
Time elapsed: 12 minute(s), 3 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 11.0.9600.17107
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 1.397000 GHz
Memory total: 3735977984, free: 2270355456
 
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 38DAC283
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 407552
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 409600  Numsec = 937871360
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 938280960  Numsec = 30169088
 
    Partition 3 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 968450048  Numsec = 8321072
 
Disk Size: 500107862016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Scan Interrupted
Scan was aborted.
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 11.0.9600.17107
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 1.397000 GHz
Memory total: 3735977984, free: 2000404480
 
Downloaded database version: v2014.05.31.07
Downloaded database version: v2014.05.21.01
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 38DAC283
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 407552
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 409600  Numsec = 937871360
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 938280960  Numsec = 30169088
 
    Partition 3 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 968450048  Numsec = 8321072
 
Disk Size: 500107862016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\??? --> [Trojan.0Access]
Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\???\??? --> [Trojan.0Access]
Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\???\???\??? --> [Trojan.0Access]
Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\???\???\???\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3} --> [Trojan.0Access]
Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\???\???\???\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\@ --> [Trojan.0Access]
Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\???\???\???\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\L --> [Trojan.0Access]
Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\???\???\???\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}\U --> [Trojan.0Access]
Infected: C:\Users\patsy\AppData\Local\Google\Desktop\Install\{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3} --> [Trojan.0Access]
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1009
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 11.0.9600.17107
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 1.397000 GHz
Memory total: 3735977984, free: 1999572992
 
Downloaded database version: v2014.06.04.07
Downloaded database version: v2014.06.02.01
=======================================
Initializing...
Done!
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 38DAC283
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 407552
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 409600  Numsec = 937871360
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 938280960  Numsec = 30169088
 
    Partition 3 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 968450048  Numsec = 8321072
 
Disk Size: 500107862016 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 
 
Rkill 2.6.6 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 06/04/2014 03:45:35 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 06/04/2014 03:47:26 PM
Execution time: 0 hours(s), 1 minute(s), and 51 seconds(s)


#11 Starbuck
  • Malware Response Team
Posted 04 June 2014 - 05:06 PM

Hi willie6973
 

Had to change IE allow active x on the ESET online scan loader web page

Thanks for pointing that out.
I checked my other Eset speeches and they do say.... When asked, allow the activex control to install
But for some reason that part is missing from the 64bit speech.
I will correct that for future use. :)

reported - 1 potentially unsafe application deleted - quarantined - google toolbar
sh=0F97FB08E6FC4500F86E64D3285C171C6462BD61 ft=1 fh=acbbffe185c36761 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\admin\Downloads\ccsetup410.exe"

Basically Eset is telling you that the download for CCleaner contains a 3rd party program ( Google Toolbar) that may be installed without your permission.
So it just removed the Google Toolbar part of the install.
Nothing to worry about at all.
 

Only one thing jumped out at me - MBAM reports reg Key Trojan.Zaccess.

The actual infection has been removed, so this is just a registry leftover.
It won't cause any harm, but let MBAM remove it.
It's always good practice to let MBAM remove anything that it finds.

Combofix found nothing.
Eset only found that one harmless entry.
RKill says everything looks good.
once that reg entry has been removed with MBAM ..... that scan will be clean.

So all we need to do now is remove the tools that have been used and perform a couple of cleanup steps.
We'll also clear your old restore points as they may well be infected.


Step 1
Restart MBAM.
Click on the History tab >> Quarantine
Tick to select any items and then click the Delete button.
Close MBAM.


Step 2
Please uninstall ComboFix by
Clicking on Start ... then Run ... and typing in combofix /uninstall (don't forget there is a gap between x and /). Then press OK.

This action will uninstall Combofix and also perform a few cleanup measures

By default, Windows 7 does not have the "Run" command on the start menu. It's easy to get this back.

1. Open the start menu.
2. Right click on a non-icon area and select "Properties".
3. Press the "Customize" button.
4. Scroll down and find the "Run command" checkbox.
5. Check it and press OK.
6. Press OK.

You now have your run command on the start menu.



Step 3
Download Delfix and save it to your desktop.
  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
  • Create registry backup
  • Purge system restore

  • Click the Run button.
When the tool has finished, a log will open in Notepad.... but I don't actually need this report.

Eset can be removed using the Remove Programs feature in Control Panel.

To find out how you may have been infected....read this topic:
How did i get infected?


Not all of the following information will be applicable to you, but it's still best to read it all.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Use an AntiVirus Software

Only install one AntiVirus program

Update your AntiVirus Software regularly

Use a Firewall

Only install one software Firewall

Scan regularly with a 'Stand Alone' Anti-Malware scanner:
Installing another scanner that you can run once or twice a week is always beneficial.
Something like:
Malwarebytes Anti-Malware
SUPERAntiSpyware
Remember to update these programs each time before running.
You can install more than one of these if you only run them as stand alone programs.

Use an alternative browser to Internet Explorer:
Some excellent alternatives to MS Internet Explorer are:

Firefox
For added security, add the NoScript extension to this browser:
Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks
also consider adding:
WOT - Safe Browsing Tool

Web of Trust warns you about risky sites that cheat customers, deliver malware or send spam. Millions of members of the WOT community rate sites based on their experience, giving you an extra layer of protection when browsing or searching the Web.
Btw: you don't have to make a contribution.

Opera

Keep a backup of your registry
Keeping a regular backup of your registry will help when something goes wrong.
Use a program like:
Erunt

A full tutorial on how to set up and use Erunt can be found here:
Erunt tutorial

Keep your system clean of temp files etc, using a 'Cleaner':

Cleaners are programs that will help to clean out your:
Windows temp files
Current user temp files
Cookies
Temporary Internet files
Browser history
Recycle bin
Etc.......
In other words.... all the rubbish that you accumulate over the course of your browsing and day to day usage of your PC.
Programs like:
TFC by OldTimer
ATF Cleaner

Visit Microsoft's Windows Update Site Frequently - It is important that you visit Windowsupdate regularly.
Alternatively, turn on the Automatic Updates.

Peer to Peer programs
Don't be tempted to use Peer to Peer programs.
Many of the downloads are bundled with malware.

Update all your 'Security' programs regularly - Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

Safe surfing.

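The two artefacts this thread turned up are worth being able to recognise without waiting for a scanner: the MBAR log above lists a nest of directories whose names it can only render as ??? between two {GUID} directories, with the files @, L and U at the bottom, and MBAM flagged a Run value named "Google Update" followed by characters that do not display. The script below is an added example, not code from the thread, from Malwarebytes or from any of the tools used; it assumes the ??? names were made entirely of characters that never render (control characters stand in for whatever the malware actually used), reuses the GUID from the MBAR log as a label only, and fills the marker files with zero bytes rather than any real payload. It builds a throw-away imitation of that layout in a temp directory, walks it, and applies the same "would this name render?" test to Run-key value names.

```python
"""Heuristics for the ZeroAccess persistence artefacts reported in the logs above.

Constructed example: the directory tree is an imitation of the layout MBAR
listed ({GUID}\???\???\???\{GUID}\@, L, U), not a copy of the infected profile.
"""
import os
import tempfile
from collections import Counter

# Files MBAR listed inside the innermost {GUID} directory.
MARKER_FILES = {"@", "L", "U"}


def is_unprintable_name(name: str) -> bool:
    """True when no character in the name is printable (what MBAR shows as ???)."""
    return bool(name) and not any(ch.isprintable() for ch in name)


def is_guid_dir(name: str) -> bool:
    """Cheap check for a {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} directory name."""
    return len(name) == 38 and name[0] == "{" and name[-1] == "}" and name.count("-") == 4


def suspicious_run_value_name(name: str) -> bool:
    """Autorun value names should be plain text. Embedded control or format
    characters, which keep the entry from displaying properly in the tools a
    user would normally look at, make str.isprintable() fail."""
    return not name.isprintable()


def scan_for_zeroaccess(root: str) -> list:
    """Walk `root` and return (finding, path) pairs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        base = os.path.basename(dirpath)
        if is_unprintable_name(base):
            hits.append(("unprintable-dir", dirpath))
        if is_guid_dir(base) and MARKER_FILES <= set(filenames):
            hits.append(("zeroaccess-layout", dirpath))
    return hits


def build_sample_tree(base: str) -> str:
    """Create a constructed imitation of the infected profile under `base`."""
    guid = "{c09ca9f8-9c91-b1a9-5255-93be2a2fcea3}"  # taken from the MBAR log, used as a label only
    # Names made only of control characters: legal on NTFS and ext4, but
    # Explorer and most scanners cannot display them (stand-ins, assumed).
    hidden = os.path.join(base, "Google", "Desktop", "Install", guid,
                          "\x01\x01", "\x01\x01\x01", "\x02", guid)
    os.makedirs(hidden)
    for marker in MARKER_FILES:
        with open(os.path.join(hidden, marker), "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder content, not a real payload
    # A benign sibling that the scanner must not flag.
    benign = os.path.join(base, "Google", "Desktop", "Install", "Logs")
    os.makedirs(benign)
    with open(os.path.join(benign, "install.log"), "w") as fh:
        fh.write("ok\n")
    return hidden


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it and count findings by kind."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        counts = Counter(kind for kind, _path in scan_for_zeroaccess(tmp))
    return dict(counts)


if __name__ == "__main__":
    print(run_demo())  # three unprintable directories, one {GUID}\@,L,U layout
    # A value name exported from a Run key would be checked the same way:
    print(suspicious_run_value_name("Google Update\x01\x01"))
```

Pointing scan_for_zeroaccess at a real user profile (for example C:\Users\<name>\AppData\Local) is the intended use; the layout check is deliberately narrow, so anything it reports deserves a look, while the unprintable-name check on its own will occasionally catch odd but legitimate directories and is better treated as a lead than a verdict.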


#12 willie6973
  • Topic Starter
Posted 05 June 2014 - 01:27 PM

thanks

 

I have finished your last set of instructions thru and including use alternate browser.    (I have convinced my entire family to avoid IE and we have done so for several years.)  I will finish all of the instructions you provided, especially on how to stay clean.

 

Have rebooted once or twice, surfed the web, opened a few documents and all looks ok.

 

The primary user of this computer asks: Is there any way to determine which web site caused this infection?

 

Otherwise it is time to close this ticket/incident right? (if not already closed?)

 

PS

The quality, professionalism, tact, thoroughness, and overall delivery of the assistance you have provided to me ranks in the top 1% of what I have experienced in my 45+ years using and managing computers.

 

I have been an end user since the mid 60's and been the technical lead and/or project manager on multi million dollar hardware, software and service contracts and have experienced a wide variety of Help Desk service.  As a retired IT professional I can only say very well done and thank you.



#13 Starbuck
  • Malware Response Team
Posted 05 June 2014 - 04:39 PM

Hi willie6973

Is there any way to determine which web site caused this infection?

Unfortunately, no there isn't.
I wish it was that easy.
It could be by clicking a link within an email or simply browsing the net.
Or exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe, Java, Windows Media Player and the Windows operating system itself.
I wish I could be more specific.

The quality, professionalism, tact, thoroughness, and overall delivery of the assistance you have provided to me ranks in the top 1% of what I have experienced in my 45+ years using and managing computers.

Thank you for that comment.
Comments like that make every thing worthwhile.

Otherwise it is time to close this ticket/incident right? (if not already closed?)

If there are no further questions, I will close this topic.

Take care.
