
Infected by Trojan.Gen.SMH and Chrome is redirected when opened


  • This topic is locked
10 replies to this topic

#1 Professor H


  • Members
  • 31 posts

Posted 27 June 2014 - 02:21 PM

After posting that Symantec Power Eraser failed to detect malware after Endpoint Protection warned that I was infected by a Trojan.Gen.SMH, I was instructed to post DDS logs.  My DDS logs are posted below.

 

Details of my original post: "I am running Windows 7 on my PC laptop. I recently tried to download WinZip.  I was directed to a website to download WinZip in order to open an archive data file with extension .7z. As I was downloading what I thought was WinZip, Symantec Endpoint Protection notified me I was infected by a "Trojan.Gen.SMH".  I tried Symantec's Power Eraser Tool, but it did not detect any malware.  When I open Chrome, it does not open to my preferred home page."

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.17126  BrowserJavaVersion: 10.55.2
Run by Prof H at 15:07:54 on 2014-06-27
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3242.1484 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Services\IPT\jhi_service.exe
C:\Windows\system32\DRIVERS\o2flash.exe
c:\Windows\system32\srvany.exe
c:\Windows\system32\SDIOAssist.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Box\Box Sync\BoxSync.exe
C:\Program Files\File Association Helper\FAHWindow.exe
C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe
C:\PROGRA~1\Box\BOXSYN~1\BoxSync.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\Program Files\Box\Box Sync\BoxSyncMonitor.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Users\Kyle Haynes\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kyle Haynes\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Kyle Haynes\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\AUDIODG.EXE
C:\Users\Kyle Haynes\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://rocket-find.com/?f=1&a=rckt_wnzp01_14_26_ch&cd=2XzuyEtN2Y1L1Qzu0DtDyCyB0EyDyDtA0D0AtC0EtCyCtB0BtN0D0Tzu0SzytDzytN1L2XzutBtFtBtCtFzztFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtDtD0ByBtCzy0FtG0D0FzyyCtGyBtC0AtCtGyDyCyD0AtGtB0A0C0F0A0A0ByD0DyByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0CzytA0Czy0B0BtG0CzyzyyBtGzz0E0A0DtG0Bzz0DtAtGtB0DyCtAyDzyzztB0F0AyDyB2QtN1B1L1H1Ezu1O2U1M1B&cr=1152555187&ir=
uSearch Bar = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://rocket-find.com/?f=1&a=rckt_wnzp01_14_26_ch&cd=2XzuyEtN2Y1L1Qzu0DtDyCyB0EyDyDtA0D0AtC0EtCyCtB0BtN0D0Tzu0SzytDzytN1L2XzutBtFtBtCtFzztFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtDtD0ByBtCzy0FtG0D0FzyyCtGyBtC0AtCtGyDyCyD0AtGtB0A0C0F0A0A0ByD0DyByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0CzytA0Czy0B0BtG0CzyzyyBtGzz0E0A0DtG0Bzz0DtAtGtB0DyCtAyDzyzztB0F0AyDyB2QtN1B1L1H1Ezu1O2U1M1B&cr=1152555187&ir=
uSearchAssistant = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\symantec\symantec endpoint protection\12.1.1000.157.105\bin\ips\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Google Update] "c:\users\kyle haynes\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dw wlan card\WLTRAY.exe
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
mRun: [DFEPApplication] c:\program files\dell\feature enhancement pack\DFEPApplication.exe
mRun: [TdmNotify] c:\program files\dell\dell data protection\access\advanced\wave\trusted drive manager\TdmNotify.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "c:\program files\roxio\oem\roxio burn\RoxioBurnLauncher.exe"
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BoxSync] "c:\program files\box\box sync\BoxSync.exe" -m
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [FAHConsole] c:\program files\file association helper\FAHConsole.exe
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\users\kyleha~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\smarts~1.lnk - c:\program files\dell\feature enhancement pack\SmartSettings.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\uvaitc~1.lnk - c:\windows\installer\{e0274560-0fb3-4928-9800-6b45aaefb506}\_39B470E5817D54F276433B.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableCAD = dword:1
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.2
TCP: Interfaces\{B0B9F683-8BA9-4645-89C1-03BFF294F3CF} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{B0B9F683-8BA9-4645-89C1-03BFF294F3CF} : DHCPNameServer = 192.168.1.2
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063} : DHCPNameServer = 192.168.1.2
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\25A47237024456C696 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\3547F627560213230313 : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\5574C46423 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\653455 : DHCPNameServer = 128.172.1.5 128.172.90.11
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\D416272796F64747D2751647562737964656 : DHCPNameServer = 4.2.2.2 4.2.2.1 8.8.8.8 8.8.4.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: SEP - c:\program files\symantec\symantec endpoint protection\12.1.1000.157.105\bin\WinLogoutNotifier.dll
Notify: spba - c:\program files\common files\spba\homefus2.dll
AppInit_DLLs=   
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages =  msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 SMR410;Symantec SMR Utility Service 4.1.0;c:\windows\system32\drivers\SMR410.SYS [2014-6-27 98392]
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2012-7-17 17904]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\sep\0c0103e8\009d.105\x86\SymDS.sys [2011-7-16 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\sep\0c0103e8\009d.105\x86\SymEFA.sys [2011-8-27 758904]
R1 BHDrvx86;BHDrvx86;c:\programdata\symantec\symantec endpoint protection\12.1.1000.157.105\data\definitions\bashdefs\20140612.012\BHDrvx86.sys [2014-6-17 1101616]
R1 IDSVix86;IDSVix86;c:\programdata\symantec\symantec endpoint protection\12.1.1000.157.105\data\definitions\ipsdefs\20140626.003\IDSvix86.sys [2014-6-27 395992]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\sep\0c0103e8\009d.105\x86\Ironx86.sys [2011-9-13 137336]
R1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\sep\0c0103e8\009d.105\x86\symnets.sys [2011-9-8 299640]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2012-7-17 81920]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2010-5-10 1803584]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2010-6-29 127488]
R2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files\skype\toolbars\autoupdate\SkypeC2CAutoUpdateSvc.exe [2014-4-11 1390720]
R2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files\skype\toolbars\pnrsvc\SkypeC2CPNRSvc.exe [2014-4-11 1764992]
R2 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\dell\feature enhancement pack\DFEPService.exe [2011-8-24 1568664]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\intel\services\ipt\jhi_service.exe [2011-9-28 212944]
R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2012-7-17 8192]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\12.1.1000.157.105\bin\ccSvcHst.exe [2011-9-20 137224]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2012-7-17 2594584]
R2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\dell\dell data protection\access\advanced\wave\authentication manager\WaveAMService.exe [2011-7-1 1131520]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\accelern.sys [2012-7-17 44144]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2012-7-17 349736]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2012-7-17 147360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2014-6-12 109872]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2012-7-17 269824]
R3 MEI;Intel® Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2012-7-17 41216]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2012-7-17 62440]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjw7.sys [2012-7-17 63976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatch12OEM.exe [2010-11-25 219632]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 BoxSyncUpdateService;Box Sync Update Service;c:\program files\box\box sync\SyncUpdaterService.exe [2013-12-26 20992]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2012-7-17 134144]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-6-11 108032]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2012-7-17 132480]
S3 netvsc;netvsc;c:\windows\system32\drivers\netvsc60.sys [2010-11-20 126464]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\o2mdfw7.sys [2012-7-17 60904]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SyDvCtrl;SyDvCtrl;c:\program files\symantec\symantec endpoint protection\12.1.1000.157.105\bin\SyDvCtrl32.sys [2011-10-30 23984]
S3 SynthVid;SynthVid;c:\windows\system32\drivers\VMBusVideoM.sys [2010-11-20 19456]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-7-30 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
FileExt: .js: jsfile="c:\program files\adobe\adobe dreamweaver cs4\Dreamweaver.exe","%1"
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2014-06-27 18:04:59 -------- d-----w- C:\NPE
2014-06-27 18:02:21 98392 ----a-w- c:\windows\system32\drivers\SMR410.SYS
2014-06-27 18:02:18 -------- d-----w- c:\users\kyle haynes\appdata\local\NPE
2014-06-27 18:02:18 -------- d-----w- c:\programdata\Norton
2014-06-27 17:42:42 -------- d-----w- c:\users\kyle haynes\appdata\roaming\RocketUpdater
2014-06-27 17:42:29 -------- d-----w- c:\program files\WSE Rocket
2014-06-27 17:42:20 -------- d-----w- c:\program files\File Association Helper
2014-06-27 13:24:51 8140904 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{ff2eda78-c3b0-4829-b42f-fb457246ab43}\mpengine.dll
2014-06-18 18:11:20 -------- d-----w- c:\users\kyle haynes\appdata\roaming\DropboxMaster
2014-06-11 13:31:37 2048 ----a-w- c:\windows\system32\msxml6r.dll
2014-06-11 13:31:37 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-06-11 13:31:37 1389056 ----a-w- c:\windows\system32\msxml6.dll
2014-06-11 13:31:37 1237504 ----a-w- c:\windows\system32\msxml3.dll
2014-06-11 13:31:35 626688 ----a-w- c:\windows\system32\usp10.dll
2014-06-11 13:31:35 187840 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2014-06-11 13:31:35 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
==================== Find3M  ====================
.
2014-05-30 09:02:39 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-30 09:02:03 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-05-30 08:44:28 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-05-30 08:43:06 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-05-30 08:42:16 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-05-30 08:28:33 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-05-30 08:28:30 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-05-30 08:27:56 592896 ----a-w- c:\windows\system32\jscript9diag.dll
2014-05-30 08:21:36 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-05-30 08:10:46 32256 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-05-30 07:56:50 4244992 ----a-w- c:\windows\system32\jscript9.dll
2014-05-30 07:50:09 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-05-30 07:49:38 1964544 ----a-w- c:\windows\system32\inetcpl.cpl
2014-05-30 07:21:10 1790976 ----a-w- c:\windows\system32\wininet.dll
2014-05-14 14:29:32 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-05-14 14:29:32 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-05-09 07:06:23 369664 ----a-w- c:\windows\system32\aepdu.dll
2014-05-09 07:04:12 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-04-30 14:40:23 0 ----a-w- c:\windows\system32\serauth2.dll
2014-04-30 14:40:23 0 ----a-w- c:\windows\system32\serauth1.dll
2014-04-30 14:40:23 0 ----a-w- c:\windows\system32\nsprs.dll
2014-04-30 14:39:31 205 ----a-w- c:\windows\system32\lsprst7.dll
2014-04-30 14:39:31 1025 ----a-w- c:\windows\system32\sysprs7.dll
2014-04-15 00:13:52 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-04-12 02:15:13 67520 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2014-04-12 02:15:13 136640 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-04-12 02:12:09 15872 ----a-w- c:\windows\system32\sspisrv.dll
2014-04-12 02:12:09 100352 ----a-w- c:\windows\system32\sspicli.dll
2014-04-12 02:12:06 22016 ----a-w- c:\windows\system32\secur32.dll
2014-04-12 02:11:58 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-04-12 02:11:22 22528 ----a-w- c:\windows\system32\lsass.exe
2014-04-01 02:46:48 130712 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2014-04-01 02:46:48 1070232 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2014-03-31 13:35:10 231584 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 15:08:40.99 ===============
 



#2 Professor H

  • Topic Starter

  • Members
  • 31 posts

Posted 02 July 2014 - 08:21 AM

Yesterday, I decided to run a Malwarebytes scan and it found several pieces of malware.  The problem has not been fixed, however.  I find new malware every time I run Malwarebytes.  One of my logs from Malwarebytes is posted below.
 
I hope someone can help!
 
Thanks.
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 7/1/2014
Scan Time: 9:44:28 AM
Logfile: Malware bytes log.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.07.01.04
Rootkit Database: v2014.07.01.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Prof H
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 286747
Time Elapsed: 18 min, 20 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 6
PUP.Optional.MySearchDial.A, HKU\S-1-5-21-1739788951-2944234116-441127335-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}, , [95c3f5a51c5f59dd20593a0f07fb3cc4], 
PUP.Optional.MySearchDial.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}, , [95c3f5a51c5f59dd20593a0f07fb3cc4], 
PUP.Optional.RocketFind.A, HKLM\SOFTWARE\INSTALLCORE\WSE Rocket, , [45132f6beb90d363e27a238de022c23e], 
PUP.Optional.InstallCore.A, HKU\S-1-5-21-1739788951-2944234116-441127335-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE\1I1T1Q1S, , [1b3d8911e49763d3f7a95e753ec4db25], 
PUP.Optional.InstallCore.A, HKU\S-1-5-21-1739788951-2944234116-441127335-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE, , [5206207a2457c670496cffea34cf6c94], 
PUP.Optional.RocketFind.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WSE Rocket, , [fa5e3c5ea6d5b18554dd7e2f18eabc44], 
 
Registry Values: 1
PUP.Optional.InstallCore.A, HKU\S-1-5-21-1739788951-2944234116-441127335-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, 0S0TzrtN0V1M1O1H, , [5206207a2457c670496cffea34cf6c94]
 
Registry Data: 2
PUP.Optional.RocketFind.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://rocket-find.com/?f=1&a=rckt_wnzp01_14_26_ch&cd=2XzuyEtN2Y1L1Qzu0DtDyCyB0EyDyDtA0D0AtC0EtCyCtB0BtN0D0Tzu0SzytDzytN1L2XzutBtFtBtCtFzztFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtDtD0ByBtCzy0FtG0D0FzyyCtGyBtC0AtCtGyDyCyD0AtGtB0A0C0F0A0A0ByD0DyByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0CzytA0Czy0B0BtG0CzyzyyBtGzz0E0A0DtG0Bzz0DtAtGtB0DyCtAyDzyzztB0F0AyDyB2QtN1B1L1H1Ezu1O2U1M1B&cr=1152555187&ir=, Good: (www.google.com), Bad: (http://rocket-find.com/?f=1&a=rckt_wnzp01_14_26_ch&cd=2XzuyEtN2Y1L1Qzu0DtDyCyB0EyDyDtA0D0AtC0EtCyCtB0BtN0D0Tzu0SzytDzytN1L2XzutBtFtBtCtFzztFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtDtD0ByBtCzy0FtG0D0FzyyCtGyBtC0AtCtGyDyCyD0AtGtB0A0C0F0A0A0ByD0DyByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0CzytA0Czy0B0BtG0CzyzyyBtGzz0E0A0DtG0Bzz0DtAtGtB0DyCtAyDzyzztB0F0AyDyB2QtN1B1L1H1Ezu1O2U1M1B&cr=1152555187&ir=),,[bc9c6139dd9ea2947705f58ed52f37c9]
PUP.Optional.RocketFind.A, HKU\S-1-5-21-1739788951-2944234116-441127335-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://rocket-find.com/?f=1&a=rckt_wnzp01_14_26_ch&cd=2XzuyEtN2Y1L1Qzu0DtDyCyB0EyDyDtA0D0AtC0EtCyCtB0BtN0D0Tzu0SzytDzytN1L2XzutBtFtBtCtFzztFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtDtD0ByBtCzy0FtG0D0FzyyCtGyBtC0AtCtGyDyCyD0AtGtB0A0C0F0A0A0ByD0DyByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0CzytA0Czy0B0BtG0CzyzyyBtGzz0E0A0DtG0Bzz0DtAtGtB0DyCtAyDzyzztB0F0AyDyB2QtN1B1L1H1Ezu1O2U1M1B&cr=1152555187&ir=, Good: (www.google.com), Bad: (http://rocket-find.com/?f=1&a=rckt_wnzp01_14_26_ch&cd=2XzuyEtN2Y1L1Qzu0DtDyCyB0EyDyDtA0D0AtC0EtCyCtB0BtN0D0Tzu0SzytDzytN1L2XzutBtFtBtCtFzztFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtDtD0ByBtCzy0FtG0D0FzyyCtGyBtC0AtCtGyDyCyD0AtGtB0A0C0F0A0A0ByD0DyByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0CzytA0Czy0B0BtG0CzyzyyBtGzz0E0A0DtG0Bzz0DtAtGtB0DyCtAyDzyzztB0F0AyDyB2QtN1B1L1H1Ezu1O2U1M1B&cr=1152555187&ir=),,[0e4a6b2fef8cfc3a7805592af60e05fb]
 
Folders: 3
PUP.Optional.RocketFind.A, C:\Users\KH\AppData\Roaming\RocketUpdater\UpdateProc, , [94c49109e299ee486cc4505dc0423ac6], 
PUP.Optional.RocketFind.A, C:\Program Files\WSE Rocket, , [fa5e3c5ea6d5b18554dd7e2f18eabc44], 
PUP.Optional.RocketFind.A, C:\Program Files\WSE Rocket\bh, , [fa5e3c5ea6d5b18554dd7e2f18eabc44], 
 
Files: 8
PUP.Optional.RocketFind.A, C:\Users\KH\AppData\Roaming\RocketUpdater\UpdateProc\config.dat, , [94c49109e299ee486cc4505dc0423ac6], 
PUP.Optional.RocketFind.A, C:\Users\KH\AppData\Roaming\RocketUpdater\UpdateProc\info.dat, , [94c49109e299ee486cc4505dc0423ac6], 
PUP.Optional.RocketFind.A, C:\Program Files\WSE Rocket\FavIcon.ico, , [fa5e3c5ea6d5b18554dd7e2f18eabc44], 
PUP.Optional.RocketFind.A, C:\Program Files\WSE Rocket\Sqlite3.dll, , [fa5e3c5ea6d5b18554dd7e2f18eabc44], 
PUP.Optional.RocketFind.A, C:\Program Files\WSE Rocket\uninst.dat, , [fa5e3c5ea6d5b18554dd7e2f18eabc44], 
PUP.Optional.RocketFind.A, C:\Program Files\WSE Rocket\uninstall.exe, , [fa5e3c5ea6d5b18554dd7e2f18eabc44], 
PUP.Optional.RocketFind.A, C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "search_url": "http://rocket-find.com/results.php?f=4&q={searchTerms}&a=rckt_wnzp01_14_26_ch&cd=2XzuyEtN2Y1L1Qzu0DtDyCyB0EyDyDtA0D0AtC0EtCyCtB0BtN0D0Tzu0SzytDzytN1L2XzutBtFtBtCtFzztFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtDtD0ByBtCzy0FtG0D0FzyyCtGyBtC0AtCtGyDyCyD0AtGtB0A0C0F0A0A0ByD0DyByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0CzytA0Czy0B0BtG0CzyzyyBtGzz0E0A0DtG0Bzz0DtAtGtB0DyCtAyDzyzztB0F0AyDyB2QtN1B1L1H1Ezu1O2U1M1B&cr=1152555187&ir=",), ,[d68225750e6d2d092ed58735cd37f60a]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Edited by Professor H, 02 July 2014 - 08:34 AM.
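The two logs above show the same hijack from two sides: in the DDS "Pseudo HJT Report" of post #1 the Internet Explorer `uStart Page` (HKCU) and `mStart Page` (HKLM) values point at rocket-find.com, and in post #2 Malwarebytes flags the same host in the Start Page registry data and in the `search_url` entry of Chrome's `Preferences` file (classified as PUP.Optional.RocketFind.A). The script below is an added example for this page, not a tool the poster or BleepingComputer staff used. It parses DDS-style HJT lines (restoring the `hxxp` defanging that DDS applies), parses a Chrome `Preferences` JSON document, and reports every home page, startup URL and default-search URL whose host is not on an allowlist. The allowlist, the sample lines (shortened from the values in the thread; the long `cd=` token is dropped) and the exact `Preferences` key layout are assumptions.

```python
"""Flag browser start-page / search hijacks in DDS "Pseudo HJT" lines and in
Chrome's Preferences JSON.  Added example; not code from the thread.
Sample inputs are constructed (shortened from the thread's values)."""
import json
import re
from urllib.parse import urlsplit

# Hosts the owner considers legitimate for home/search pages (assumption).
ALLOWED_HOSTS = {"www.google.com", "google.com", "www.bing.com", "bing.com"}

# DDS keys that carry a URL worth checking (prefix u = HKCU, m = HKLM).
HJT_KEYS = {"uStart Page", "mStart Page", "uSearch Bar", "uSearch Page",
            "uSearchAssistant", "mSearch Bar", "mSearch Page"}


def refang(url):
    """DDS writes URLs as hxxp:// or hxxps://; restore the scheme so urlsplit
    recognises the authority part."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)


def host_of(url):
    """Lower-cased host of a (possibly defanged) URL, '' if none."""
    return (urlsplit(refang(url)).hostname or "").lower()


def suspicious(url):
    """True when the URL's host is not on the allowlist."""
    return host_of(url) not in ALLOWED_HOSTS


def scan_dds_hjt(text):
    """Return [(key, host)] for DDS HJT lines whose URL host is not allowlisted.
    Lines such as 'TCP: NameServer = ...' or 'mRun: [...]' are ignored because
    their key is not in HJT_KEYS."""
    hits = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")   # first '=' only; URLs contain more
        key = key.strip()
        if key in HJT_KEYS and suspicious(value):
            hits.append((key, host_of(value)))
    return hits


def scan_chrome_prefs(prefs_json):
    """Check the Chrome Preferences keys a hijacker rewrites: homepage,
    session.startup_urls and default_search_provider.search_url
    (key layout is an assumption simplified from the entry MBAM flagged)."""
    prefs = json.loads(prefs_json)
    hits = []
    homepage = prefs.get("homepage")
    if homepage and suspicious(homepage):
        hits.append(("homepage", host_of(homepage)))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if suspicious(url):
            hits.append(("session.startup_urls", host_of(url)))
    search_url = prefs.get("default_search_provider", {}).get("search_url")
    if search_url and suspicious(search_url):
        hits.append(("default_search_provider.search_url", host_of(search_url)))
    return hits


# Constructed sample: DDS lines shortened from post #1 (cd= token dropped).
SAMPLE_DDS = """\
uStart Page = hxxp://rocket-find.com/?f=1&a=rckt_wnzp01_14_26_ch&cr=1152555187&ir=
uSearch Bar = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://rocket-find.com/?f=1&a=rckt_wnzp01_14_26_ch&cr=1152555187&ir=
uSearchAssistant = hxxp://www.google.com
TCP: NameServer = 192.168.1.2
"""

# Constructed sample: Preferences fragment built around the search_url MBAM
# reported in post #2 ({searchTerms} is Chrome's query placeholder).
SAMPLE_PREFS = json.dumps({
    "homepage": "http://rocket-find.com/?f=1&a=rckt_wnzp01_14_26_ch",
    "session": {"startup_urls": ["http://www.google.com/"]},
    "default_search_provider": {
        "search_url": "http://rocket-find.com/results.php?f=4&q={searchTerms}"
                      "&a=rckt_wnzp01_14_26_ch"},
})

if __name__ == "__main__":
    for key, host in scan_dds_hjt(SAMPLE_DDS):
        print(f"DDS   {key:<40} -> {host}")
    for key, host in scan_chrome_prefs(SAMPLE_PREFS):
        print(f"Chrome {key:<40} -> {host}")
```

Against the samples it reports `uStart Page`, `mStart Page`, `homepage` and `default_search_provider.search_url`, all resolving to rocket-find.com, while the Google entries and the `TCP:` line pass. The same function runs unchanged over a complete DDS log or a real `Preferences` file read from `%LOCALAPPDATA%\Google\Chrome\User Data\Default\`, and an empty result after cleanup is the check that the start-page and search values were actually reset rather than only the WSE Rocket files removed.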


#3 HelpBot


    Bleepin' Binary Bot


  • Bots
  • 12,744 posts

Posted 02 July 2014 - 02:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/539219 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Professor H

Professor H
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 02 July 2014 - 04:44 PM

Here is my new DDS log as requested by the HelpBot.  I do not have my original Windows CD available.  Below the DDS log I have posted a recent Malwarebytes log.  It shows fewer detections of potential malware, but still picks up a couple.  When I open Chrome, it still redirects to an undesired search engine.
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 11.0.9600.17126  BrowserJavaVersion: 10.55.2
Run by Prof H at 17:33:50 on 2014-07-02
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3242.1488 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\SPBA\upeksvr.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Services\IPT\jhi_service.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\system32\DRIVERS\o2flash.exe
c:\Windows\system32\srvany.exe
c:\Windows\system32\SDIOAssist.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Box\Box Sync\BoxSync.exe
C:\Program Files\File Association Helper\FAHWindow.exe
C:\PROGRA~1\Box\BOXSYN~1\BoxSync.exe
C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe
c:\Program Files\Box\Box Sync\BoxSyncMonitor.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Users\Prof H\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Prof H\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Prof H\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Prof H\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
uSearch Bar = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
mStart Page = www.google.com
uSearchAssistant = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\symantec\symantec endpoint protection\12.1.1000.157.105\bin\ips\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Google Update] "c:\users\Prof H\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dw wlan card\WLTRAY.exe
mRun: [FreeFallProtection] c:\program files\stmicroelectronics\accelerometerp11\FF_Protection.exe
mRun: [DFEPApplication] c:\program files\dell\feature enhancement pack\DFEPApplication.exe
mRun: [TdmNotify] c:\program files\dell\dell data protection\access\advanced\wave\trusted drive manager\TdmNotify.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "c:\program files\roxio\oem\roxio burn\RoxioBurnLauncher.exe"
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Logitech Download Assistant] c:\windows\system32\rundll32.exe c:\windows\system32\LogiLDA.dll,LogiFetch
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BoxSync] "c:\program files\box\box sync\BoxSync.exe" -m
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [FAHConsole] c:\program files\file association helper\FAHConsole.exe
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\users\kyleha~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\smarts~1.lnk - c:\program files\dell\feature enhancement pack\SmartSettings.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\uvaitc~1.lnk - c:\windows\installer\{e0274560-0fb3-4928-9800-6b45aaefb506}\_39B470E5817D54F276433B.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{b0bf7057-6869-4e4b-920c-ea2a58da07f0}\Icon3E5562ED7.ico
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: DisableCAD = dword:1
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
TCP: NameServer = 192.168.1.2
TCP: Interfaces\{B0B9F683-8BA9-4645-89C1-03BFF294F3CF} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{B0B9F683-8BA9-4645-89C1-03BFF294F3CF} : DHCPNameServer = 192.168.1.2
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063} : DHCPNameServer = 192.168.1.2
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\25A47237024456C696 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\3547F627560213230313 : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\43A5730553 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\5574C46423 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\653455 : DHCPNameServer = 128.172.1.5 128.172.90.11
TCP: Interfaces\{C6922A3D-FA9D-40C8-83E8-463A644B0063}\D416272796F64747D2751647562737964656 : DHCPNameServer = 4.2.2.2 4.2.2.1 8.8.8.8 8.8.4.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
Notify: SEP - c:\program files\symantec\symantec endpoint protection\12.1.1000.157.105\bin\WinLogoutNotifier.dll
Notify: spba - c:\program files\common files\spba\homefus2.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages =  msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\drivers\stdcfltn.sys [2012-7-17 17904]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\sep\0c0103e8\009d.105\x86\SymDS.sys [2011-7-16 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\sep\0c0103e8\009d.105\x86\SymEFA.sys [2011-8-27 758904]
R1 BHDrvx86;BHDrvx86;c:\programdata\symantec\symantec endpoint protection\12.1.1000.157.105\data\definitions\bashdefs\20140612.012\BHDrvx86.sys [2014-6-17 1101616]
R1 IDSVix86;IDSVix86;c:\programdata\symantec\symantec endpoint protection\12.1.1000.157.105\data\definitions\ipsdefs\20140630.001\IDSvix86.sys [2014-6-30 395992]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\sep\0c0103e8\009d.105\x86\Ironx86.sys [2011-9-13 137336]
R1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\sep\0c0103e8\009d.105\x86\symnets.sys [2011-9-8 299640]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2012-7-17 81920]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2010-5-10 1803584]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2010-6-29 127488]
R2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files\skype\toolbars\autoupdate\SkypeC2CAutoUpdateSvc.exe [2014-4-11 1390720]
R2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files\skype\toolbars\pnrsvc\SkypeC2CPNRSvc.exe [2014-4-11 1764992]
R2 DFEPService;Dell Feature Enhancement Pack Service;c:\program files\dell\feature enhancement pack\DFEPService.exe [2011-8-24 1568664]
R2 jhi_service;Intel® Identity Protection Technology Host Interface Service;c:\program files\intel\services\ipt\jhi_service.exe [2011-9-28 212944]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-7-1 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-7-1 860472]
R2 O2SDIOAssist;O2SDIOAssist;c:\windows\system32\srvany.exe [2012-7-17 8192]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\12.1.1000.157.105\bin\ccSvcHst.exe [2011-9-20 137224]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2012-7-17 2594584]
R2 Wave Authentication Manager Service;Wave Authentication Manager Service;c:\program files\dell\dell data protection\access\advanced\wave\authentication manager\WaveAMService.exe [2011-7-1 1131520]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\accelern.sys [2012-7-17 44144]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2012-7-17 349736]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2012-7-17 147360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2014-6-12 109872]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2012-7-17 269824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-7-1 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-7-1 110296]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-7-1 51928]
R3 MEI;Intel® Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2012-7-17 41216]
R3 O2MDRRDR;O2MDRRDR;c:\windows\system32\drivers\O2MDRw7.sys [2012-7-17 62440]
R3 O2SDJRDR;O2SDJRDR;c:\windows\system32\drivers\o2sdjw7.sys [2012-7-17 63976]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxWatch12OEM.exe [2010-11-25 219632]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 BoxSyncUpdateService;Box Sync Update Service;c:\program files\box\box sync\SyncUpdaterService.exe [2013-12-26 20992]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2012-7-17 134144]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-6-11 108032]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2012-7-17 132480]
S3 netvsc;netvsc;c:\windows\system32\drivers\netvsc60.sys [2010-11-20 126464]
S3 O2MDFRDR;O2MDFRDR;c:\windows\system32\drivers\o2mdfw7.sys [2012-7-17 60904]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SyDvCtrl;SyDvCtrl;c:\program files\symantec\symantec endpoint protection\12.1.1000.157.105\bin\SyDvCtrl32.sys [2011-10-30 23984]
S3 SynthVid;SynthVid;c:\windows\system32\drivers\VMBusVideoM.sys [2010-11-20 19456]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-7-30 1343400]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== File Associations ===============
.
FileExt: .js: jsfile="c:\program files\adobe\adobe dreamweaver cs4\Dreamweaver.exe","%1"
ShellExec: dreamweaver.exe: Open="c:\program files\adobe\adobe dreamweaver cs4\dreamweaver.exe", "%1"
.
=============== Created Last 30 ================
.
2014-07-01 13:43:31 110296 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-01 13:43:17 74456 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-01 13:43:17 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-07-01 13:43:17 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-07-01 13:43:17 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-07-01 13:41:37 8140904 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{aab0d3a8-754d-4673-9394-7fb8c74213ee}\mpengine.dll
2014-06-27 18:04:59 -------- d-----w- C:\NPE
2014-06-27 18:02:18 -------- d-----w- c:\users\Prof H\appdata\local\NPE
2014-06-27 18:02:18 -------- d-----w- c:\programdata\Norton
2014-06-27 17:42:42 -------- d-----w- c:\users\Prof H\appdata\roaming\RocketUpdater
2014-06-27 17:42:20 -------- d-----w- c:\program files\File Association Helper
2014-06-18 18:11:20 -------- d-----w- c:\users\Prof H\appdata\roaming\DropboxMaster
2014-06-11 13:31:37 2048 ----a-w- c:\windows\system32\msxml6r.dll
2014-06-11 13:31:37 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-06-11 13:31:37 1389056 ----a-w- c:\windows\system32\msxml6.dll
2014-06-11 13:31:37 1237504 ----a-w- c:\windows\system32\msxml3.dll
2014-06-11 13:31:35 626688 ----a-w- c:\windows\system32\usp10.dll
2014-06-11 13:31:35 187840 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2014-06-11 13:31:35 1294272 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
==================== Find3M  ====================
.
2014-05-30 09:02:39 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-30 09:02:03 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-05-30 08:44:28 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-05-30 08:43:06 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-05-30 08:42:16 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-05-30 08:28:33 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-05-30 08:28:30 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-05-30 08:27:56 592896 ----a-w- c:\windows\system32\jscript9diag.dll
2014-05-30 08:21:36 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-05-30 08:10:46 32256 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-05-30 07:56:50 4244992 ----a-w- c:\windows\system32\jscript9.dll
2014-05-30 07:50:09 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-05-30 07:49:38 1964544 ----a-w- c:\windows\system32\inetcpl.cpl
2014-05-30 07:21:10 1790976 ----a-w- c:\windows\system32\wininet.dll
2014-05-14 14:29:32 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-05-14 14:29:32 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-05-09 07:06:23 369664 ----a-w- c:\windows\system32\aepdu.dll
2014-05-09 07:04:12 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-04-30 14:40:23 0 ----a-w- c:\windows\system32\serauth2.dll
2014-04-30 14:40:23 0 ----a-w- c:\windows\system32\serauth1.dll
2014-04-30 14:40:23 0 ----a-w- c:\windows\system32\nsprs.dll
2014-04-30 14:39:31 205 ----a-w- c:\windows\system32\lsprst7.dll
2014-04-30 14:39:31 1025 ----a-w- c:\windows\system32\sysprs7.dll
2014-04-15 00:13:52 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-04-12 02:15:13 67520 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2014-04-12 02:15:13 136640 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-04-12 02:12:09 15872 ----a-w- c:\windows\system32\sspisrv.dll
2014-04-12 02:12:09 100352 ----a-w- c:\windows\system32\sspicli.dll
2014-04-12 02:12:06 22016 ----a-w- c:\windows\system32\secur32.dll
2014-04-12 02:11:58 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-04-12 02:11:22 22528 ----a-w- c:\windows\system32\lsass.exe
.
============= FINISH: 17:34:50.34 ===============
 
 
 
LOG FROM RECENT MALWARE BYTES LOG:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 7/1/2014
Scan Time: 5:25:23 PM
Logfile: Malware byes log 2.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.07.01.07
Rootkit Database: v2014.07.01.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Prof H
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 287349
Time Elapsed: 22 min, 34 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 2
PUP.Optional.RocketFind.A, C:\Users\Prof H\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "search_url": "http://rocket-find.com/results.php?f=4&q={searchTerms}&a=rckt_wnzp01_14_26_ch&cd=2XzuyEtN2Y1L1Qzu0DtDyCyB0EyDyDtA0D0AtC0EtCyCtB0BtN0D0Tzu0SzytDzytN1L2XzutBtFtBtCtFzztFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtDtD0ByBtCzy0FtG0D0FzyyCtGyBtC0AtCtGyDyCyD0AtGtB0A0C0F0A0A0ByD0DyByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0CzytA0Czy0B0BtG0CzyzyyBtGzz0E0A0DtG0Bzz0DtAtGtB0DyCtAyDzyzztB0F0AyDyB2QtN1B1L1H1Ezu1O2U1M1B&cr=1152555187&ir=",), ,[1645dcbe2f4cf4426b5eab1138cc4db3]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,245 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:42 AM

Posted 03 July 2014 - 09:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Let me know what problem persists.

#6 Professor H

Professor H
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:09:42 AM

Posted 03 July 2014 - 12:20 PM

Thanks for helping, nasdaq! I am noticing that Chrome still opens to an unwanted homepage. The URL on the homepage does not display, so I don't know exactly where it is sending me.

 

# AdwCleaner v3.214 - Report created 03/07/2014 at 12:45:46
# Updated 29/06/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : Prof H - K2012
# Running from : C:\Users\Prof H\Desktop\adwcleaner_3.214.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\KH\AppData\Local\Zoom_Downloader
Folder Deleted : C:\Users\KH\AppData\Roaming\RocketUpdater
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1EC9510D-A439-4950-9399-B6399EDF9EA7}
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\datamngrUI_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\datamngrUI_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\WSE Rocket
Key Deleted : HKLM\Software\InstallCore
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17126
 
 
-\\ Google Chrome v
 
[ File : C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted [Search Provider] : hxxp://dts.search-results.com/sr?src=crb&appid=367&systemid=406&sr=0&q={searchTerms}
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://rocket-find.com/results.php?f=4&q={searchTerms}&a=rckt_wnzp01_14_26_ch&cd=2XzuyEtN2Y1L1Qzu0DtDyCyB0EyDyDtA0D0AtC0EtCyCtB0BtN0D0Tzu0SzytDzytN1L2XzutBtFtBtCtFzztFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtDtD0ByBtCzy0FtG0D0FzyyCtGyBtC0AtCtGyDyCyD0AtGtB0A0C0F0A0A0ByD0DyByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0CzytA0Czy0B0BtG0CzyzyyBtGzz0E0A0DtG0Bzz0DtAtGtB0DyCtAyDzyzztB0F0AyDyB2QtN1B1L1H1Ezu1O2U1M1B&cr=1152555187&ir=
 
*************************
 
AdwCleaner[R0].txt - [3741 octets] - [03/07/2014 12:43:49]
AdwCleaner[S0].txt - [3730 octets] - [03/07/2014 12:45:46]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3790 octets] ##########
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-07-2014
Ran by Prof H (administrator) on K2012 on 03-07-2014 12:55:02
Running from C:\Users\KH\Desktop
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(AuthenTec, Inc.) C:\Program Files\Fingerprint Sensor\AtService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\BCMWLTRY.EXE
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AEstSrv.exe
(Broadcom Corporation) C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Cisco Systems, Inc.) C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
(Intel Corporation) C:\Program Files\Intel\Services\IPT\jhi_service.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(O2Micro International) C:\Windows\System32\drivers\o2flash.exe
() C:\Windows\System32\srvany.exe
(O2Micro.) C:\Windows\System32\SDIOAssist.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe
() C:\Program Files\MATLAB\R2013b\bin\win32\MATLABStartupAccelerator.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
() C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe
(Dell Inc.) C:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe
(Creative Technology Ltd) C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
() C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
(Dell Computer Corporation) C:\dell\DBRM\Reminder\DbrmTrayicon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
(Adobe Systems Inc.) C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Box, Inc.) C:\Program Files\Box\Box Sync\BoxSync.exe
(Nico Mak Computing) C:\Program Files\File Association Helper\FAHWindow.exe
(Microsoft) C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Box, Inc.) C:\Program Files\Box\Box Sync\BoxSync.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
() C:\Program Files\Box\Box Sync\BoxSyncMonitor.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Users\KH\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\KH\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\KH\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\KH\AppData\Local\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [505720 2011-07-20] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [536668 2011-01-25] (IDT, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5955072 2011-01-15] (Dell Inc.)
HKLM\...\Run: [FreeFallProtection] => C:\Program Files\STMicroelectronics\AccelerometerP11\FF_Protection.exe [686704 2011-07-25] ()
HKLM\...\Run: [DFEPApplication] => c:\Program Files\Dell\Feature Enhancement Pack\DFEPApplication.exe [6306712 2011-08-24] (Dell Inc.)
HKLM\...\Run: [TdmNotify] => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmNotify.exe [214384 2011-05-27] (Wave Systems Corp.)
HKLM\...\Run: [Dell Webcam Central] => C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [462974 2011-12-16] (Creative Technology Ltd)
HKLM\...\Run: [RemoteControl9] => C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] => C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [RoxWatchTray] => C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM\...\Run: [Desktop Disc Tool] => C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM\...\Run: [DBRMTray] => C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [44128 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] => C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [642664 2013-05-08] (Adobe Systems Inc.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\System32\LogiLDA.dll [1246544 2010-11-03] (Logitech, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [BoxSync] => c:\Program Files\Box\Box Sync\BoxSync.exe [12532392 2014-06-25] (Box, Inc.)
HKLM\...\Run: [AdobeCS4ServiceManager] => C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe [611712 2008-08-14] (Adobe Systems Incorporated)
HKLM\...\Run: [FAHConsole] => C:\Program Files\File Association Helper\FAHConsole.exe [616632 2014-01-28] (Nico Mak Computing)
HKLM\...\RunOnce: [DBRMTray] - C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
Winlogon\Notify\SEP: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\WinLogoutNotifier.dll [X]
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKU\S-1-5-21-1739788951-2944234116-441127335-1001\...\Run: [Google Update] => C:\Users\KH\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-07-30] (Google Inc.)
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\UVA ITC Network Setup Tool Cert Checker.lnk
ShortcutTarget: UVA ITC Network Setup Tool Cert Checker.lnk -> C:\Windows\Installer\{E0274560-0FB3-4928-9800-6B45AAEFB506}\_39B470E5817D54F276433B.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
ShortcutTarget: VPN Client.lnk -> C:\Windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico ()
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
Startup: C:\Users\KH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk
ShortcutTarget: Smart Settings.lnk -> C:\Program Files\Dell\Feature Enhancement Pack\SmartSettings.exe (Microsoft)
ShellIconOverlayIdentifiers: 0000BoxSyncFileLocked -> {1b9c95e1-ce36-3737-81c8-1ec9807f03c1} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: 0000BoxSyncNotSynced -> {e22ccf16-2db6-3de8-9a2c-acb66b571b69} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: 0000BoxSyncProblem -> {84878798-e5c4-3e6b-b7c4-b51c4ac4e7dc} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: 0000BoxSyncSynced -> {01fcd170-7f0a-3b6a-b992-66a7a20289b5} => C:\Windows\system32\mscoree.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: EnabledUnlockedFDEIconOverlay -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
ShellIconOverlayIdentifiers: UninitializedFdeIconOverlay -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
SearchScopes: HKLM - DefaultScope value is missing.
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\bin\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.2
Tcpip\..\Interfaces\{B0B9F683-8BA9-4645-89C1-03BFF294F3CF}: [NameServer]8.8.8.8,8.8.4.4
 
FireFox:
========
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=1.2.22 - C:\Program Files\Intel\Services\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files\Intel\Services\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Acrobat - C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\KH\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\KH\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\IPSFF
FF Extension: Symantec Intrusion Prevention - C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\IPSFF [2013-10-03]
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com/
CHR NewTab: "chrome-extension://ibnjmihbbanannlbobkbmnmckjnmdnom/newtab.html"
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\KH\AppData\Local\Google\Chrome\Application\35.0.1916.153\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\KH\AppData\Local\Google\Chrome\Application\35.0.1916.153\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Users\KH\AppData\Local\Google\Chrome\Application\35.0.1916.153\gcswf32.dll No File
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files\Intel\Services\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files\Intel\Services\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Users\KH\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll No File
CHR Extension: (Google Drive) - C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-03-29]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-21]
CHR Extension: (YouTube) - C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-07-30]
CHR Extension: (Google Search) - C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-07-30]
CHR Extension: (Rocket New Tab) - C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibnjmihbbanannlbobkbmnmckjnmdnom [2014-06-27]
CHR Extension: (Skype Click to Call) - C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2012-09-25]
CHR Extension: (Google Wallet) - C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-30]
CHR Extension: (Gmail) - C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-07-30]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-04-11]
CHR StartMenuInternet: Google Chrome - C:\Users\KH\AppData\Local\Google\Chrome\Application\chrome.exe
 
========================== Services (Whitelisted) =================
 
R2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1803584 2010-05-10] (AuthenTec, Inc.)
S3 BoxSyncUpdateService; C:\Program Files\Box\Box Sync\SyncUpdaterService.exe [20992 2013-12-26] (Box Inc.) [File not signed]
R2 BrcmMgmtAgent; C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [127488 2010-06-29] (Broadcom Corporation) [File not signed]
R2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390720 2014-04-11] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1764992 2014-04-11] (Microsoft Corporation)
R2 CVPND; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [1528616 2010-03-23] (Cisco Systems, Inc.)
R2 DFEPService; c:\Program Files\Dell\Feature Enhancement Pack\DFEPService.exe [1568664 2011-08-24] (Dell Inc.)
R2 jhi_service; C:\Program Files\Intel\Services\IPT\jhi_service.exe [212944 2011-09-28] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-01-18] (Hewlett-Packard) [File not signed]
R2 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2010-02-10] (O2Micro International)
R2 O2SDIOAssist; c:\Windows\system32\srvany.exe [8192 2003-04-18] () [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-01-18] (Hewlett-Packard) [File not signed]
S3 RoxMediaDB12OEM; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [1116656 2010-11-25] (Sonic Solutions)
S2 RoxWatch12; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [219632 2010-11-25] (Sonic Solutions)
S3 SecureStorageService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe [1508232 2011-05-24] (Wave Systems Corp.)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\ccSvcHst.exe [137224 2011-09-20] (Symantec Corporation)
R3 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\Smc.exe [1667328 2011-10-30] (Symantec Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\snac.exe [280496 2011-10-30] (Symantec Corporation)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [274514 2011-01-25] (IDT, Inc.)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1633280 2011-02-17] () [File not signed]
R2 TdmService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe [2605424 2011-05-27] (Wave Systems Corp.)
R2 Wave Authentication Manager Service; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Authentication Manager\WaveAMService.exe [1131520 2011-07-01] (Wave Systems Corp.) [File not signed]
R2 wltrysvc; C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe [5210112 2011-01-15] (Dell Inc.) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
R3 Acceler; C:\Windows\System32\DRIVERS\accelern.sys [44144 2011-07-22] (ST Microelectronics)
R3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18496 2011-01-15] (Broadcom Corporation)
R1 BHDrvx86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\BASHDefs\20140612.012\BHDrvx86.sys [1101616 2014-05-09] (Symantec Corporation)
S3 Blfp; C:\Windows\System32\DRIVERS\basp.sys [88064 2010-09-03] (Broadcom Corporation)
S3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA.sys [5275 2007-01-18] (Cisco Systems, Inc.)
R2 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [308859 2010-03-23] (Cisco Systems, Inc.) [File not signed]
R3 DNE; C:\Windows\System32\DRIVERS\dne2000.sys [131984 2008-11-16] (Deterministic Networks, Inc.)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [377648 2014-06-12] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [109872 2014-06-12] (Symantec Corporation)
S3 HBtnKey; C:\Windows\system32\drivers\HBtnKey.sys [11008 2011-07-19] (Dell Inc.)
R1 IDSVix86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\IPSDefs\20140630.001\IDSvix86.sys [395992 2014-05-12] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-07-03] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41216 2011-09-22] (Intel Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\VirusDefs\20140630.008\NAVENG.SYS [93272 2014-06-10] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Data\Definitions\VirusDefs\20140630.008\NAVEX15.SYS [1612376 2014-06-10] (Symantec Corporation)
S3 netvsc; C:\Windows\System32\DRIVERS\netvsc60.sys [126464 2010-11-20] (Microsoft Corporation)
S3 O2MDFRDR; C:\Windows\system32\drivers\O2MDFw7.sys [60904 2011-01-04] (O2Micro )
R3 O2MDRRDR; C:\Windows\System32\DRIVERS\O2MDRw7.sys [62440 2011-01-04] (O2Micro )
R3 O2SDJRDR; C:\Windows\System32\DRIVERS\o2sdjw7.sys [63976 2011-03-23] (O2Micro )
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2010-07-21] (Dell Inc)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C0103E8\009D.105\x86\SRTSP.SYS [522872 2011-09-27] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C0103E8\009D.105\x86\SRTSPX.SYS [31864 2011-09-27] (Symantec Corporation)
R0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17904 2011-07-16] (ST Microelectronics)
S3 SyDvCtrl; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\SyDvCtrl32.sys [23984 2011-10-30] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C0103E8\009D.105\x86\SYMDS.SYS [340088 2011-07-16] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C0103E8\009D.105\x86\SYMEFA.SYS [758904 2011-08-27] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [127096 2012-07-30] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C0103E8\009D.105\x86\Ironx86.SYS [137336 2011-09-13] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C0103E8\009D.105\x86\SYMNETS.SYS [299640 2011-09-08] (Symantec Corporation)
S3 SynthVid; C:\Windows\System32\DRIVERS\VMBusVideoM.sys [19456 2010-11-20] (Microsoft Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [90032 2012-07-30] (Symantec Corporation)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [51632 2011-08-16] (Symantec Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-07-03 12:55 - 2014-07-03 12:55 - 00026664 _____ () C:\Users\KH\Desktop\FRST.txt
2014-07-03 12:54 - 2014-07-03 12:55 - 00000000 ____D () C:\FRST
2014-07-03 12:54 - 2014-07-03 12:54 - 01073664 _____ (Farbar) C:\Users\KH\Desktop\FRST.exe
2014-07-03 12:53 - 2014-07-03 12:54 - 01073664 _____ (Farbar) C:\Users\KH\Downloads\FRST.exe
2014-07-03 12:44 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll
2014-07-03 12:43 - 2014-07-03 12:52 - 00000000 ____D () C:\AdwCleaner
2014-07-03 12:42 - 2014-07-03 12:41 - 01346519 _____ () C:\Users\KH\Desktop\adwcleaner_3.214.exe
2014-07-03 12:40 - 2014-07-03 12:41 - 01346519 _____ () C:\Users\KH\Downloads\adwcleaner_3.214.exe
2014-07-02 17:35 - 2014-07-02 17:37 - 00022903 _____ () C:\Users\KH\Desktop\DDS July 2.txt
2014-07-02 17:35 - 2014-07-02 17:35 - 00010613 _____ () C:\Users\KH\Desktop\Attach July 2.txt
2014-07-02 17:33 - 2014-07-02 17:33 - 00688992 ____R (Swearware) C:\Users\KH\Downloads\dds (1).com
2014-07-01 09:43 - 2014-07-03 12:49 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-01 09:43 - 2014-07-01 09:43 - 00001062 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-07-01 09:43 - 2014-07-01 09:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-07-01 09:43 - 2014-07-01 09:43 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-07-01 09:43 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-07-01 09:43 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-07-01 09:43 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-07-01 09:42 - 2014-07-01 09:42 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\KH\Downloads\mbam-setup-2.0.2.1012.exe
2014-06-30 17:38 - 2014-06-30 17:38 - 01457838 _____ () C:\Users\KH\Downloads\EMGNCS testing information.zip
2014-06-27 15:33 - 2014-06-27 15:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2014-06-27 15:33 - 2014-06-27 15:33 - 00000000 ____D () C:\Program Files\7-Zip
2014-06-27 15:32 - 2014-06-27 15:33 - 01138397 _____ () C:\Users\KH\Downloads\7z922.exe
2014-06-27 15:08 - 2014-07-02 17:35 - 00010613 _____ () C:\Users\KH\Desktop\attach.txt
2014-06-27 15:08 - 2014-07-02 17:34 - 00022948 _____ () C:\Users\KH\Desktop\dds.txt
2014-06-27 15:07 - 2014-06-27 15:07 - 00688992 ____R (Swearware) C:\Users\KH\Downloads\dds.com
2014-06-27 14:04 - 2014-06-27 14:05 - 00000000 ____D () C:\NPE
2014-06-27 14:02 - 2014-06-27 14:09 - 00000000 ____D () C:\Users\KH\AppData\Local\NPE
2014-06-27 14:02 - 2014-06-27 14:02 - 00000000 ____D () C:\ProgramData\Norton
2014-06-27 14:01 - 2014-06-27 14:02 - 03077584 ____N (Symantec Corporation) C:\Users\KH\Downloads\NPE.exe
2014-06-27 13:42 - 2014-07-03 12:42 - 00000310 _____ () C:\Windows\Tasks\Rocket Updater.job
2014-06-27 13:42 - 2014-06-27 13:42 - 00000000 ____D () C:\Program Files\File Association Helper
2014-06-27 13:40 - 2014-06-27 13:40 - 00858832 _____ ( ) C:\Users\KH\Downloads\winzip18-lan_en.exe
2014-06-18 14:11 - 2014-06-18 14:11 - 00000000 ____D () C:\Users\KH\AppData\Roaming\DropboxMaster
2014-06-11 16:12 - 2014-06-12 09:42 - 00000000 ____D () C:\Program Files\Mozilla Thunderbird
2014-06-11 09:35 - 2014-05-30 05:18 - 17271296 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-06-11 09:35 - 2014-05-30 05:02 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-06-11 09:35 - 2014-05-30 05:02 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-06-11 09:35 - 2014-05-30 04:44 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-06-11 09:35 - 2014-05-30 04:43 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-06-11 09:35 - 2014-05-30 04:42 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-06-11 09:35 - 2014-05-30 04:38 - 02179072 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-06-11 09:35 - 2014-05-30 04:34 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-06-11 09:35 - 2014-05-30 04:33 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-06-11 09:35 - 2014-05-30 04:30 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-06-11 09:35 - 2014-05-30 04:28 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-06-11 09:35 - 2014-05-30 04:28 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-06-11 09:35 - 2014-05-30 04:27 - 00592896 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-06-11 09:35 - 2014-05-30 04:21 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-06-11 09:35 - 2014-05-30 04:16 - 00368128 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-06-11 09:35 - 2014-05-30 04:10 - 00032256 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-06-11 09:35 - 2014-05-30 04:06 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-06-11 09:35 - 2014-05-30 04:04 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-06-11 09:35 - 2014-05-30 04:02 - 00242688 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-06-11 09:35 - 2014-05-30 03:57 - 00595968 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-06-11 09:35 - 2014-05-30 03:56 - 04244992 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-06-11 09:35 - 2014-05-30 03:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-06-11 09:35 - 2014-05-30 03:50 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-06-11 09:35 - 2014-05-30 03:49 - 01964544 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-06-11 09:35 - 2014-05-30 03:40 - 11725312 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-06-11 09:35 - 2014-05-30 03:21 - 01790976 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-06-11 09:35 - 2014-05-30 03:15 - 01143296 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-06-11 09:35 - 2014-05-30 03:13 - 00704512 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-06-11 09:31 - 2014-04-24 22:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2014-06-11 09:31 - 2014-04-04 22:25 - 01294272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-06-11 09:31 - 2014-04-04 22:24 - 00187840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2014-06-11 09:31 - 2014-03-26 10:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2014-06-11 09:31 - 2014-03-26 10:27 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-06-11 09:31 - 2014-03-26 10:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2014-06-11 09:31 - 2014-03-26 10:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-06-05 14:59 - 2014-06-05 14:59 - 00000672 _____ () C:\Users\KH\Downloads\analyze.txt
2014-06-04 17:40 - 2014-07-02 17:31 - 00000000 ____D () C:\Users\KH\Documents\Materials
2014-06-03 17:32 - 2014-06-20 13:16 - 00000000 ____D () C:\Users\KH\Desktop\CM
 
==================== One Month Modified Files and Folders =======
 
2014-07-03 12:55 - 2014-07-03 12:55 - 00026664 _____ () C:\Users\KH\Desktop\FRST.txt
2014-07-03 12:55 - 2014-07-03 12:54 - 00000000 ____D () C:\FRST
2014-07-03 12:54 - 2014-07-03 12:54 - 01073664 _____ (Farbar) C:\Users\KH\Desktop\FRST.exe
2014-07-03 12:54 - 2014-07-03 12:53 - 01073664 _____ (Farbar) C:\Users\KH\Downloads\FRST.exe
2014-07-03 12:53 - 2012-07-17 16:28 - 01058316 _____ () C:\Windows\WindowsUpdate.log
2014-07-03 12:52 - 2014-07-03 12:43 - 00000000 ____D () C:\AdwCleaner
2014-07-03 12:51 - 2013-06-11 17:21 - 00000000 ____D () C:\Users\KH\AppData\Local\Box Sync
2014-07-03 12:49 - 2014-07-01 09:43 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-03 12:49 - 2014-01-23 17:05 - 00000558 _____ () C:\Windows\Tasks\MATLAB R2013b Startup Accelerator.job
2014-07-03 12:49 - 2012-08-30 15:21 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-07-03 12:48 - 2010-11-20 17:48 - 00135812 _____ () C:\Windows\PFRO.log
2014-07-03 12:48 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-07-03 12:48 - 2009-07-14 00:39 - 00081310 _____ () C:\Windows\setupact.log
2014-07-03 12:42 - 2014-06-27 13:42 - 00000310 _____ () C:\Windows\Tasks\Rocket Updater.job
2014-07-03 12:41 - 2014-07-03 12:42 - 01346519 _____ () C:\Users\KH\Desktop\adwcleaner_3.214.exe
2014-07-03 12:41 - 2014-07-03 12:40 - 01346519 _____ () C:\Users\KH\Downloads\adwcleaner_3.214.exe
2014-07-03 12:33 - 2012-07-30 14:15 - 00000932 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1739788951-2944234116-441127335-1001UA.job
2014-07-03 12:27 - 2012-07-17 14:34 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-07-03 11:57 - 2012-08-30 15:21 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-07-03 09:49 - 2009-07-14 00:34 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-07-03 09:49 - 2009-07-14 00:34 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-07-02 17:37 - 2014-07-02 17:35 - 00022903 _____ () C:\Users\KH\Desktop\DDS July 2.txt
2014-07-02 17:35 - 2014-07-02 17:35 - 00010613 _____ () C:\Users\KH\Desktop\Attach July 2.txt
2014-07-02 17:35 - 2014-06-27 15:08 - 00010613 _____ () C:\Users\KH\Desktop\attach.txt
2014-07-02 17:34 - 2014-06-27 15:08 - 00022948 _____ () C:\Users\KH\Desktop\dds.txt
2014-07-02 17:33 - 2014-07-02 17:33 - 00688992 ____R (Swearware) C:\Users\KH\Downloads\dds (1).com
2014-07-02 17:31 - 2014-06-04 17:40 - 00000000 ____D () C:\Users\KH\Documents\Materials
2014-07-02 10:30 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-07-02 09:33 - 2012-07-30 14:15 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1739788951-2944234116-441127335-1001Core.job
2014-07-02 09:14 - 2012-07-17 15:07 - 00000000 ____D () C:\ProgramData\Sonic
2014-07-01 17:24 - 2014-01-09 14:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Box Sync
2014-07-01 13:13 - 2014-01-08 12:03 - 00000000 ____D () C:\Users\KH\Documents\FTC data
2014-07-01 11:06 - 2012-07-31 14:59 - 00000000 ____D () C:\Users\KH\Documents\Bl
2014-07-01 10:05 - 2012-07-17 15:02 - 00000000 ____D () C:\Windows\PCHEALTH
2014-07-01 09:43 - 2014-07-01 09:43 - 00001062 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-07-01 09:43 - 2014-07-01 09:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-07-01 09:43 - 2014-07-01 09:43 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-07-01 09:43 - 2012-09-07 15:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-07-01 09:42 - 2014-07-01 09:42 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\KH\Downloads\mbam-setup-2.0.2.1012.exe
2014-06-30 18:03 - 2012-11-03 14:52 - 00000000 ____D () C:\JRT
2014-06-30 17:38 - 2014-06-30 17:38 - 01457838 _____ () C:\Users\KH\Downloads\EMGNCS testing information.zip
2014-06-30 10:00 - 2012-07-17 14:49 - 00000390 __RSH () C:\ProgramData\ntuser.pol
2014-06-27 17:00 - 2012-07-31 16:28 - 00000000 ____D () C:\Users\KH\AppData\Roaming\Tinn-R
2014-06-27 15:33 - 2014-06-27 15:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2014-06-27 15:33 - 2014-06-27 15:33 - 00000000 ____D () C:\Program Files\7-Zip
2014-06-27 15:33 - 2014-06-27 15:32 - 01138397 _____ () C:\Users\KH\Downloads\7z922.exe
2014-06-27 15:07 - 2014-06-27 15:07 - 00688992 ____R (Swearware) C:\Users\KH\Downloads\dds.com
2014-06-27 14:09 - 2014-06-27 14:02 - 00000000 ____D () C:\Users\KH\AppData\Local\NPE
2014-06-27 14:05 - 2014-06-27 14:04 - 00000000 ____D () C:\NPE
2014-06-27 14:02 - 2014-06-27 14:02 - 00000000 ____D () C:\ProgramData\Norton
2014-06-27 14:02 - 2014-06-27 14:01 - 03077584 ____N (Symantec Corporation) C:\Users\KH\Downloads\NPE.exe
2014-06-27 13:42 - 2014-06-27 13:42 - 00000000 ____D () C:\Program Files\File Association Helper
2014-06-27 13:40 - 2014-06-27 13:40 - 00858832 _____ ( ) C:\Users\KH\Downloads\winzip18-lan_en.exe
2014-06-26 15:12 - 2014-01-17 14:45 - 00000000 ____D () C:\Users\KH\Documents\adobe papers
2014-06-26 12:53 - 2013-04-04 13:52 - 00000000 ____D () C:\Users\KH\Documents\ECN
2014-06-24 10:18 - 2012-07-31 14:56 - 00000000 ____D () C:\Users\KH\Desktop\AA
2014-06-22 16:57 - 2012-07-31 15:08 - 00000000 ____D () C:\Users\KH\Documents\Manuscript reviews
2014-06-22 12:51 - 2009-07-14 00:53 - 00032628 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-06-20 13:16 - 2014-06-03 17:32 - 00000000 ____D () C:\Users\KH\Desktop\M
2014-06-18 14:39 - 2013-01-28 09:43 - 00000000 ___RD () C:\Users\KH\Dropbox
2014-06-18 14:11 - 2014-06-18 14:11 - 00000000 ____D () C:\Users\KH\AppData\Roaming\DropboxMaster
2014-06-18 14:11 - 2013-01-28 09:41 - 00000000 ____D () C:\Users\KH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-06-18 14:11 - 2013-01-28 09:41 - 00000000 ____D () C:\Users\KH\AppData\Roaming\Dropbox
2014-06-18 14:09 - 2012-07-31 14:57 - 00000000 ____D () C:\Users\KH\Desktop\JW
2014-06-16 09:36 - 2012-08-17 11:14 - 00000000 ____D () C:\Users\KH\Documents\MATLAB
2014-06-13 09:06 - 2012-10-15 09:15 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-06-12 10:50 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\rescache
2014-06-12 09:42 - 2014-06-11 16:12 - 00000000 ____D () C:\Program Files\Mozilla Thunderbird
2014-06-11 13:05 - 2012-07-30 15:49 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-06-11 13:04 - 2013-08-15 18:10 - 00000000 ____D () C:\Windows\system32\MRT
2014-06-11 13:01 - 2012-07-30 14:54 - 92708840 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-06-10 12:21 - 2014-05-29 12:51 - 00000000 ____D () C:\Users\KH\Documents\Seminar
2014-06-09 17:02 - 2013-05-11 14:41 - 00000000 ____D () C:\Users\KH\Desktop\CK
2014-06-05 14:59 - 2014-06-05 14:59 - 00000672 _____ () C:\Users\KH\Downloads\analyze.txt
 
Some content of TEMP:
====================
C:\Users\KH\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2mzqap.dll
C:\Users\KH\AppData\Local\Temp\ICReinstall_winzip18-lan_en.exe
C:\Users\KH\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\KH\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\KH\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\KH\AppData\Local\Temp\log4net.dll
C:\Users\KH\AppData\Local\Temp\Quarantine.exe
C:\Users\KH\AppData\Local\Temp\ShellLink.dll
C:\Users\KH\AppData\Local\Temp\SyncRestarter.exe
C:\Users\KH\AppData\Local\Temp\sync_upgrader.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-06-30 13:55
 
==================== End Of Log ============================

Edited by Professor H, 03 July 2014 - 12:28 PM.


#7 nasdaq
  • Malware Response Team
  • 40,245 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 July 2014 - 08:58 AM


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

HKLM\...\Run: [] => [X]
Winlogon\Notify\SEP: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\WinLogoutNotifier.dll [X]
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://rocket-find.com/results.php?f=4&q={searchTerms}&a=rckt_wnzp01_14_26_ch&cd=2XzuyEtN2Y1L1Qzu0DtDyCyB0EyDyDtA0D0AtC0EtCyCtB0BtN0D0Tzu0SzytDzytN1L2XzutBtFtBtCtFzztFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StDtDtD0ByBtCzy0FtG0D0FzyyCtGyBtC0AtCtGyDyCyD0AtGtB0A0C0F0A0A0ByD0DyByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyE0CzytA0Czy0B0BtG0CzyzyyBtGzz0E0A0DtG0Bzz0DtAtGtB0DyCtAyDzyzztB0F0AyDyB2QtN1B1L1H1Ezu1O2U1M1B&cr=1152555187&ir=
FF Plugin: @microsoft.com/GENUINE - disabled No File
CHR NewTab: "chrome-extension://ibnjmihbbanannlbobkbmnmckjnmdnom/newtab.html"
CHR Plugin: (Shockwave Flash) - C:\Users\KH\AppData\Local\Google\Chrome\Application\35.0.1916.153\gcswf32.dll No File
CHR Plugin: (Google Update) - C:\Users\KH\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll No File
CHR Extension: (Rocket New Tab) - C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibnjmihbbanannlbobkbmnmckjnmdnom [2014-06-27]
C:\Users\KH\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2mzqap.dll
C:\Users\KH\AppData\Local\Temp\ICReinstall_winzip18-lan_en.exe
C:\Users\KH\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\KH\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\KH\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\KH\AppData\Local\Temp\log4net.dll
C:\Users\KH\AppData\Local\Temp\Quarantine.exe
C:\Users\KH\AppData\Local\Temp\ShellLink.dll
C:\Users\KH\AppData\Local\Temp\SyncRestarter.exe
C:\Users\KH\AppData\Local\Temp\sync_upgrader.exe

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/
===

Let me know if the problem persists.
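
Added example, not part of this thread and not code from Farbar's FRST: a small Python parser for FRST file-listing lines that pivots on the creation time of the suspected installer. The fixlist above removes the Rocket New Tab extension and the rocket-find.com search scope by name; the same log also lists "Rocket Updater.job" and "File Association Helper" created within two minutes of winzip18-lan_en.exe, and a time pivot surfaces such siblings without knowing their names in advance. The sample lines are copied from the log posted above. The column-order handling is inferred from that log: under "One Month Modified" the creation time is the second column (Rocket Updater.job shows its 2014-07-03 modify time first and its 2014-06-27 creation time second), under "One Month Created" it is the first.

```python
"""Timeline pivot over FRST file-listing entries (added example)."""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# One FRST file-listing line looks like:
#   <time1> - <time2> - <size> <attrs> (<company>) <path>
# Under "One Month Created Files and Folders" time1 is the creation time and
# time2 the last modification; under "One Month Modified ..." the columns are
# swapped (inferred from the log above: Rocket Updater.job shows its
# 2014-07-03 modify time first and its 2014-06-27 creation time second).
LINE_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) "
    r"\((?P<company>[^)]*)\) (?P<path>.+)$"
)
SECTION_RE = re.compile(r"^=+ One Month (Created|Modified) Files and Folders")
TIME_FMT = "%Y-%m-%d %H:%M"


class Entry(NamedTuple):
    created: datetime
    modified: datetime
    size: int
    attrs: str      # FRST attribute flags, e.g. ____D for a directory
    company: str    # "" when FRST prints "()" or "( )" (no version info)
    path: str


def parse_frst(text: str) -> List[Entry]:
    """Parse the Created/Modified file listings, honouring each section's column order."""
    entries: List[Entry] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = LINE_RE.match(line)
        if m is None or section is None:
            continue
        t1 = datetime.strptime(m["t1"], TIME_FMT)
        t2 = datetime.strptime(m["t2"], TIME_FMT)
        created, modified = (t1, t2) if section == "Created" else (t2, t1)
        entries.append(Entry(created, modified, int(m["size"]),
                             m["attrs"], m["company"].strip(), m["path"]))
    return entries


def pivot(entries: List[Entry], anchor_path: str, window_minutes: int = 5) -> List[Entry]:
    """Return every entry created within +/- window_minutes of the anchor file's creation time."""
    anchors = [e for e in entries if e.path.lower() == anchor_path.lower()]
    if not anchors:
        raise ValueError(f"anchor not found in log: {anchor_path}")
    centre = anchors[0].created
    window = timedelta(minutes=window_minutes)
    hits = [e for e in entries if centre - window <= e.created <= centre + window]
    return sorted(hits, key=lambda e: e.created)   # stable sort: ties keep log order


# Sample input: lines copied from the "One Month Modified" section of the FRST
# log posted above, trimmed to the entries relevant to the pivot.
SAMPLE_LOG = r"""
==================== One Month Modified Files and Folders =======

2014-07-03 12:55 - 2014-07-03 12:55 - 00026664 _____ () C:\Users\KH\Desktop\FRST.txt
2014-07-03 12:49 - 2014-07-01 09:43 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-07-03 12:42 - 2014-06-27 13:42 - 00000310 _____ () C:\Windows\Tasks\Rocket Updater.job
2014-07-01 09:42 - 2014-07-01 09:42 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\KH\Downloads\mbam-setup-2.0.2.1012.exe
2014-06-27 15:33 - 2014-06-27 15:33 - 00000000 ____D () C:\Program Files\7-Zip
2014-06-27 15:33 - 2014-06-27 15:32 - 01138397 _____ () C:\Users\KH\Downloads\7z922.exe
2014-06-27 14:02 - 2014-06-27 14:01 - 03077584 ____N (Symantec Corporation) C:\Users\KH\Downloads\NPE.exe
2014-06-27 13:42 - 2014-06-27 13:42 - 00000000 ____D () C:\Program Files\File Association Helper
2014-06-27 13:40 - 2014-06-27 13:40 - 00858832 _____ ( ) C:\Users\KH\Downloads\winzip18-lan_en.exe
"""

INSTALLER = r"C:\Users\KH\Downloads\winzip18-lan_en.exe"

if __name__ == "__main__":
    for e in pivot(parse_frst(SAMPLE_LOG), INSTALLER):
        print(f"{e.created:%Y-%m-%d %H:%M}  {e.company or '(no publisher)':<24} {e.path}")
```

With the default five-minute window the pivot returns exactly the installer, the Rocket Updater scheduled task and the File Association Helper directory. Widening to thirty minutes pulls in NPE.exe, which is the victim's own response tool downloaded twenty minutes later, so treat the window as a triage aid and read the hits, not as a verdict. A blank publisher field is a weak signal on its own: the legitimate 7z922.exe in the same log has none either.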

#8 Professor H
  • Topic Starter
  • Members
  • 31 posts

Posted 04 July 2014 - 03:05 PM

Thanks! The problem with Chrome redirects seems to be fixed!  Here are the logs:
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:01-07-2014
Ran by Prof H at 2014-07-04 15:41:51 Run:1
Running from C:\Users\KH\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
 
HKLM\...\Run: [] => [X]
Winlogon\Notify\SEP: C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1000.157.105\Bin\WinLogoutNotifier.dll [X]
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
SearchScopes: HKLM - DefaultScope value is missing.
FF Plugin: @microsoft.com/GENUINE - disabled No File
CHR NewTab: "chrome-extension://ibnjmihbbanannlbobkbmnmckjnmdnom/newtab.html"
CHR Plugin: (Shockwave Flash) - C:\Users\KH\AppData\Local\Google\Chrome\Application\35.0.1916.153\gcswf32.dll No File
CHR Plugin: (Google Update) - C:\Users\KH\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll No File
CHR Extension: (Rocket New Tab) - C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibnjmihbbanannlbobkbmnmckjnmdnom [2014-06-27]
C:\Users\KH\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2mzqap.dll
C:\Users\KH\AppData\Local\Temp\ICReinstall_winzip18-lan_en.exe
C:\Users\KH\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\KH\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\KH\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\KH\AppData\Local\Temp\log4net.dll
C:\Users\KH\AppData\Local\Temp\Quarantine.exe
C:\Users\KH\AppData\Local\Temp\ShellLink.dll
C:\Users\KH\AppData\Local\Temp\SyncRestarter.exe
C:\Users\KH\AppData\Local\Temp\sync_upgrader.exe
 
End
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SEP' => Key deleted successfully.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}'=> Key not found.
'HKLM\Software\MozillaPlugins\FF Plugin: @microsoft.com/GENUINE - disabled No File'=> Key not found.
FF Plugin: @microsoft.com/GENUINE - disabled No File not found.
CHR NewTab: "chrome-extension://ibnjmihbbanannlbobkbmnmckjnmdnom/newtab.html" ==> The Chrome "Settings" can be used to fix the entry.
C:\Users\KH\AppData\Local\Google\Chrome\Application\35.0.1916.153\gcswf32.dll not found.
C:\Users\KH\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll not found.
c:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll not found.
C:\Users\KH\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibnjmihbbanannlbobkbmnmckjnmdnom => Moved successfully.
C:\Users\KH\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2mzqap.dll => Moved successfully.
C:\Users\KH\AppData\Local\Temp\ICReinstall_winzip18-lan_en.exe => Moved successfully.
C:\Users\KH\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\KH\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\KH\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
C:\Users\KH\AppData\Local\Temp\log4net.dll => Moved successfully.
C:\Users\KH\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\KH\AppData\Local\Temp\ShellLink.dll => Moved successfully.
C:\Users\KH\AppData\Local\Temp\SyncRestarter.exe => Moved successfully.
C:\Users\KH\AppData\Local\Temp\sync_upgrader.exe => Moved successfully.
 
==== End of Fixlog ====
 
 
 

 Results of screen317's Security Check version 0.99.85  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Symantec Endpoint Protection   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 55  
 Java version out of Date!
 Mozilla Thunderbird (24.6.0) 
 Google Chrome 35.0.1916.114  
 Google Chrome 35.0.1916.153  
````````Process Check: objlist.exe by Laurent````````
 Norton ccSvcHst.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log``````````````````````
 

Edited by Professor H, 04 July 2014 - 03:08 PM.


#9 nasdaq
  • Malware Response Team
  • 40,245 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 July 2014 - 06:48 AM

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u60.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 55

===

If all is well:

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Having an effective antivirus is a must for everyone.
In addition to many excellent commercial products there are plenty of good free antivirus programs available. I can recommend:

If you are satisfied with your current protection programs you can ignore the instructions on Antivirus or Firewall listed below.

In addition to an antivirus I recommend using a firewall. A software firewall is a software program that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet. I can recommend one of the following free products:

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Malwarebytes Anti-Malware (MBAM)
The free version of MBAM can be used to scan the system for traces of malware. Scanning your system regularly will make it harder for malware to reside on your system.
A tutorial on using MBAM can be found here.
Please Note: Only the paid for version has real time capabilities.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Please keep your programs up to date. This applies to Java, Adobe Flashplayer, Adobe Reader and your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC. Visiting a prepared web page suffices to infect your system.

In general Firefox, Opera and Google Chrome are considered to be more secure than Internet Explorer. In addition there are many useful add-ons that can protect you from possible risks:
  • WOT will warn you when you try to visit sites with poor reputation. The reputation is based on user ratings and is usually very accurate.
  • Script blockers can help block many attempts to infect your system via malicious websites by only allowing scripts at sites you trust.
  • NoScript is a popular Firefox addon.
  • ScriptNo is a popular Google Chrome addon.
For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.
===

#10 Professor H
  • Topic Starter
  • Members
  • 31 posts

Posted 07 July 2014 - 11:33 AM

Wonderful!  Thanks!



#11 nasdaq
  • Malware Response Team
  • 40,245 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 July 2014 - 12:21 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



