
Popups and Malicious Downloads in Chrome, IE, nothing found by Malwarebytes


This topic is locked
8 replies to this topic

#1 Superneato

  • Members
  • 35 posts

Posted 02 July 2014 - 05:57 PM

This is the FRST log from another computer infected on the same LAN as this computer. Agent requested that I start this topic and post the FRST log.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-07-2014
Ran by TDC2010 (administrator) on TDC2007 on 02-07-2014 18:44:04
Running from C:\Users\TDC2010\Downloads
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Carbonite, Inc. (www.carbonite.com)) C:\Program Files\Carbonite\Carbonite Backup\CarboniteService.exe
(CinemaNow, Inc.) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
(FedEx Corporation) C:\Program Files (x86)\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe
(iAnywhere Solutions, Inc.) C:\Program Files (x86)\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
(Starfield Technologies) C:\Program Files (x86)\Workspace\offSyncService.exe
(Hainsoft.com) C:\Program Files (x86)\LanHelper\lhsrvc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
() C:\Program Files (x86)\Time Masters\AMG Attendance System Server\bin\mysqld.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe
(Famatech Corp.) C:\Windows\SysWOW64\rserver30\rserver3.exe
(ThreatTrack Security, Inc.) C:\Program Files (x86)\VIPRE\SBPIMSvc.exe
(StarWind Software) C:\Program Files (x86)\Alcohol 120\StarWind\StarWindServiceAE.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
() C:\Program Files (x86)\FedEx\ShipManager\BIN\AdminService.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Software 2000 Limited) C:\Windows\System32\spool\drivers\x64\3\HP1006MC.EXE
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2011\QBDBMgrN.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Alcor Micro Corp.) C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Starfield Technologies, LLC) C:\Program Files (x86)\Workspace\wben.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
(Starfield Technologies) C:\Program Files (x86)\Workspace\workspacestatus.exe
(Famatech Corp.) C:\Windows\SysWOW64\rserver30\FamItrfc.Exe
(Famatech Corp.) C:\Windows\SysWOW64\rserver30\FamItrfc.Exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Starfield Technologies) C:\Program Files (x86)\Workspace\workspaceupdate.exe
(Dropbox, Inc.) C:\Users\TDC2010\AppData\Roaming\Dropbox\bin\Dropbox.exe
(MagicISO, Inc.) C:\Program Files (x86)\MagicDisc\MagicDisc.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(CardScan, Inc.) C:\Program Files (x86)\CardScan\CardScan\CardScanAgent.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Carbonite, Inc.) C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Dropbox, Inc.) C:\Users\TDC2010\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(ThreatTrack Security, Inc.) C:\Program Files (x86)\VIPRE\SBAMSvc.exe
(ThreatTrack Security, Inc.) C:\Program Files (x86)\VIPRE\SBAMTray.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
() \\Filesvr\sys\RPOWER\winrun\rpower.exe
() \\Filesvr\sys\RPOWER\winrun\rpower.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Desktop.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [499608 2011-03-15] (Adobe Systems Incorporated)
HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324096 2010-05-03] (Alcor Micro Corp.)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2012-06-08] (LogMeIn, Inc.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [563736 2009-10-14] (PDF Complete Inc)
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [3761464 2013-09-30] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [CardScanAgent] => C:\Program Files (x86)\CardScan\CardScan\CardScanAgent.exe [152824 2008-08-27] (CardScan, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe [1523360 2011-01-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2010-12-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [821144 2010-12-10] (Adobe Systems Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [SBAMTray] => C:\Program Files (x86)\VIPRE\SBAMTray.exe [3216272 2013-09-05] (ThreatTrack Security, Inc.)
HKLM-x32\...\Run: [Carbonite Backup] => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe [1056264 2014-04-18] (Carbonite, Inc.)
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [wben] => C:\Program Files (x86)\Workspace\wben.exe [1569488 2013-09-16] (Starfield Technologies, LLC)
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59280 2012-11-28] (Apple Inc.)
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59280 2012-11-28] (Apple Inc.)
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [OfficeSyncProcess] => C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [911160 2012-01-18] (Microsoft Corporation)
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [PowerSuite] => "C:\PROGRA~2\Uniblue\POWERS~1\launcher.exe" delay 20000  -m
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [AlcoholAutomount] => C:\Program Files (x86)\Alcohol 120\AxAutoMntSrv.exe [75624 2012-01-05] (Alcohol Soft Development Team)
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [HLBackupScheduler] => C:\Program Files\Backup Assistant Plus\V CAST Backup Scheduler.exe
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [Workspace Status] => C:\Program Files (x86)\Workspace\workspacestatus.exe [694760 2013-07-26] (Starfield Technologies)
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe [1216416 2010-12-10] (Adobe Systems Incorporated)
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [SpiderOak] => C:\Program Files\SpiderOak\SpiderOak.exe --windows_startup
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [cdloader] => C:\Users\TDC2010\AppData\Roaming\mjusbsp\cdloader2.exe [51592 2013-05-06] (magicJack L.P.)
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\Run: [Starfield Updater] => C:\Program Files (x86)\Workspace\WorkspaceUpdate.exe [35008 2013-04-16] (Starfield Technologies)
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\MountPoints2: N - N:\TL-Bootstrap.exe
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\MountPoints2: {517e189d-038e-11e0-99a5-d48564ac022b} - P:\Setup.exe
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\MountPoints2: {ab02b164-134e-11e0-8499-d48564ac022b} - E:\LaunchU3.exe -a
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\MountPoints2: {b5502b04-32b8-11e0-8d0d-d48564ac022b} - M:\LaunchU3.exe -a
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\MountPoints2: {b5502b17-32b8-11e0-8d0d-d48564ac022b} - M:\LaunchU3.exe -a
HKU\S-1-5-21-2308464352-3331396735-3360041561-1000\...\MountPoints2: {e63b5160-0549-11e1-99aa-d48564ac022b} - E:\TL-Bootstrap.exe
HKU\S-1-5-21-2308464352-3331396735-3360041561-1009\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files (x86)\Intuit\QuickBooks 2011\QBW32.EXE (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish PictureMover.lnk
ShortcutTarget: Snapfish PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)
Startup: C:\Users\Corel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass FF RunOnce.lnk
ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass)
Startup: C:\Users\Corel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass)
Startup: C:\Users\TDC2010\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\TDC2010\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\TDC2010\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
Startup: C:\Users\TDC2010\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RPOWER.lnk
ShortcutTarget: RPOWER.lnk -> \\Filesvr\sys\RPOWER\winrun\rpower.exe ()
ShellIconOverlayIdentifiers: Carbonite.Green -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: Carbonite.Partial -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: Carbonite.Yellow -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2 (GFS Stub) -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 3 (GFS Folder) -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers: off0 -> {8E33AEC3-C5F2-43C4-B048-9E3EB19B1DD5} => C:\Program Files (x86)\Workspace\offsyncext64.dll (Starfield Technologies, LLC)
ShellIconOverlayIdentifiers: off1 -> {8E33AEC4-C5F2-43C4-B048-9E3EB19B1DD5} => C:\Program Files (x86)\Workspace\offsyncext64.dll (Starfield Technologies, LLC)
ShellIconOverlayIdentifiers-x32: Carbonite.Green -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: Carbonite.Partial -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: Carbonite.Yellow -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 2 (GFS Stub) -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 3 (GFS Folder) -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPDSK/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM - {2C96E3F7-24F7-464A-9CEA-4BA46D59C96B} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM - {6C313D7E-0388-42C8-B43A-A9148702FAC3} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM - {AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKLM-x32 - {2C96E3F7-24F7-464A-9CEA-4BA46D59C96B} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 - {6C313D7E-0388-42C8-B43A-A9148702FAC3} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 - {AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {2C96E3F7-24F7-464A-9CEA-4BA46D59C96B} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKCU - {6C313D7E-0388-42C8-B43A-A9148702FAC3} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKCU - {AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: LastPass Vault - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll ()
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: LastPass Vault - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
BHO-x32: VIPRE Search Guard Helper - {963C8283-AE7F-4AA6-9B3B-847A8FC62C5E} - C:\Program Files (x86)\VIPRE\VSG.dll ()
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll ()
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll ()
Toolbar: HKLM-x32 - VIPRE Search Guard Toolbar - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} - C:\Program Files (x86)\VIPRE\VSG.dll ()
Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {0E5F0222-96B9-11D3-8997-00104BD12D94} http://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: HKLM-x32 {556EEC63-31E2-47C3-BF29-DFF799D2FE04} https://secure.logmein.com/activex/RACtrl.cab
DPF: HKLM-x32 {82E5DF24-51E8-47CD-864A-F4BD5005AA73} https://www.icloud.com/system/iCloud.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=1007
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} -  No File
Handler-x32: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files (x86)\Intuit\QuickBooks 2011\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Handler-x32: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} - C:\Program Files (x86)\VIPRE\VSG.dll ()
Tcpip\Parameters: [DhcpNameServer] 128.199.162.243 107.170.245.37 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\TDC2010\AppData\Roaming\Mozilla\Firefox\Profiles\flo8asrl.default
FF DefaultSearchEngine: Yahoo
FF SelectedSearchEngine: Yahoo
FF Homepage: www.google.com
FF NetworkProxy: "no_proxies_on", "*.local"
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF Plugin-x32: @adp.com/npdpfplugin,version=1.5.0.0 - C:\Program Files (x86)\ADP\npdpfplugin.dll (Automatic Data Processing Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin - C:\Users\TDC2010\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKCU: @hulu.com/Hulu Desktop - C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\npHDPlg.dll (Hulu LLC)
FF Plugin HKCU: @starfield.com/off - C:\Users\TDC2010\AppData\Roaming\Mozilla\Plugins\npoff.dll ( Starfield Technologies, LLC.)
FF Plugin HKCU: @starfield.com/off64 - C:\Users\TDC2010\AppData\Roaming\Mozilla\Plugins\npoff64.dll ( Starfield Technologies, LLC.)
FF Plugin HKCU: @starfield.com/wbe - C:\Users\TDC2010\AppData\Roaming\Mozilla\Plugins\npwbe.dll (Starfield Technology, LLC)
FF Plugin HKCU: @starfield.com/wbe64 - C:\Users\TDC2010\AppData\Roaming\Mozilla\Plugins\npwbe64.dll (Starfield Technology, LLC)
FF Plugin HKCU: tdameritrade.com/thinkorswim - C:\Users\TDC2010\AppData\Local\thinkorswim\npthinkorswim.dll (TD Ameritrade)
FF Plugin HKCU: tdameritrade.com/tossc - C:\Users\TDC2010\AppData\Local\thinkorswim\nptossc.dll (TD Ameritrade)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\TDC2010\AppData\Roaming\mozilla\plugins\npoff.dll ( Starfield Technologies, LLC.)
FF Plugin ProgramFiles/Appdata: C:\Users\TDC2010\AppData\Roaming\mozilla\plugins\npoff64.dll ( Starfield Technologies, LLC.)
FF Plugin ProgramFiles/Appdata: C:\Users\TDC2010\AppData\Roaming\mozilla\plugins\npwbe.dll (Starfield Technology, LLC)
FF Plugin ProgramFiles/Appdata: C:\Users\TDC2010\AppData\Roaming\mozilla\plugins\npwbe64.dll (Starfield Technology, LLC)
FF Extension: WBE Paste - C:\Users\TDC2010\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\wbepaste@starfield [2010-12-15]
FF Extension: Workspace Email Zoom - C:\Users\TDC2010\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\zoomext@starfield [2010-12-15]
FF Extension: No Name - C:\Users\TDC2010\AppData\Roaming\Mozilla\Firefox\Profiles\flo8asrl.default\Extensions\staged [2014-02-27]
FF Extension: LastPass - C:\Users\TDC2010\AppData\Roaming\Mozilla\Firefox\Profiles\flo8asrl.default\Extensions\support@lastpass.com [2014-02-24]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-01-16]
FF Extension: No Name - C:\Users\TDC2010\AppData\Roaming\Mozilla\Firefox\Profiles\flo8asrl.default\extensions\addon@defaulttab.com.xpi []
 
Chrome: 
=======
CHR HomePage: 
CHR StartupUrls: "hxxp://www.yahoo.com/"
CHR Extension: (Google Docs) - C:\Users\TDC2010\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-03-23]
CHR Extension: (Google Drive) - C:\Users\TDC2010\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-03-23]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\TDC2010\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
CHR Extension: (YouTube) - C:\Users\TDC2010\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-03-23]
CHR Extension: (Google Search) - C:\Users\TDC2010\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-03-23]
CHR Extension: (Google Wallet) - C:\Users\TDC2010\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-23]
CHR Extension: (Gmail) - C:\Users\TDC2010\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-03-23]
 
==================== Services (Whitelisted) =================
 
S2 AutoProcess; C:\Program Files (x86)\Time Masters\AMG Attendance System\AMG Attendance System.exe [7694336 2012-05-29] (Time-Masters) [File not signed]
S2 AxAutoMntSrv; C:\Program Files (x86)\Alcohol 120\AxAutoMntSrv.exe [75624 2012-01-05] (Alcohol Soft Development Team)
R2 FedExAdminService; C:\Program Files (x86)\FedEx\ShipManager\BIN\AdminService.exe [24576 2012-01-17] () [File not signed]
R2 FedExLoggingService; C:\Program Files (x86)\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe [7168 2012-01-17] (FedEx Corporation) [File not signed]
R2 FedExShipnetDBService; C:\Program Files (x86)\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe [141176 2012-01-17] (iAnywhere Solutions, Inc.)
S3 FedExShipService; C:\Program Files (x86)\FedEx\ShipManager\BIN\ShipEngineService.exe [5120 2012-01-17] (FedEx Corporation) [File not signed]
S3 FedExTransactionService; C:\Program Files (x86)\FedEx\ShipManager\BIN\TransEngineService.exe [6656 2012-01-17] (FedEx Corporation) [File not signed]
R2 File Backup; C:\Program Files (x86)\Workspace\offSyncService.exe [1187040 2013-07-22] (Starfield Technologies)
R2 HP Health Check Service; C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [121344 2010-06-10] (Hewlett-Packard Company) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 lhsrvc; C:\Program Files (x86)\LanHelper\lhsrvc.exe [138752 2009-11-03] (Hainsoft.com) [File not signed]
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-05-19] (Hewlett-Packard Company) [File not signed]
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376144 2014-06-07] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226640 2014-06-07] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2012-06-08] (LogMeIn, Inc.)
R2 MYSQL_TAM_SERVER; C:\Program Files (x86)\Time Masters\AMG Attendance System Server\bin\mysqld.exe [6464128 2009-11-17] ()
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [635416 2009-10-14] (PDF Complete Inc)
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2014-02-04] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2009-07-23] (Intuit Inc.) [File not signed]
R2 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2011-10-21] (Intuit Inc.) [File not signed]
R3 QuickBooksDB21; C:\Program Files (x86)\Intuit\QuickBooks 2011\QBDBMgrN.exe [679936 2010-04-28] (Intuit, Inc.) [File not signed]
R2 RServer3; C:\Windows\SysWOW64\rserver30\RServer3.exe [1242504 2009-10-09] (Famatech Corp.) [File not signed]
R2 SBAMSvc; C:\Program Files (x86)\VIPRE\SBAMSvc.exe [3937472 2013-09-05] (ThreatTrack Security, Inc.)
R2 SBPIMSvc; C:\Program Files (x86)\VIPRE\SBPIMSvc.exe [176016 2013-09-05] (ThreatTrack Security, Inc.)
R2 StarWindServiceAE; C:\Program Files (x86)\Alcohol 120\StarWind\StarWindServiceAE.exe [370688 2009-12-23] (StarWind Software) [File not signed]
R2 Themes; C:\Windows\system32\themeservice.dll [44544 2011-07-08] (Microsoft Corporation) [File not signed]
S2 mgService; No ImagePath
 
==================== Drivers (Whitelisted) ====================
 
S3 CH375_A64; C:\Windows\System32\Drivers\CH375W64.SYS [29056 2011-03-13] (www.winchiphead.com)
R3 gfiark; C:\Windows\System32\drivers\gfiark.sys [41032 2013-05-23] (ThreatTrack Security)
R3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [31264 2013-09-04] (ThreatTrack Security)
S2 GIVEIO; C:\Windows\SysWOW64\GIVEIO.SYS [5248 1996-04-03] () [File not signed]
R1 kl1; C:\Windows\System32\DRIVERS\kl1.sys [157712 2009-09-01] (Kaspersky Lab)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-06-03] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
R3 mirrorv3; C:\Windows\System32\DRIVERS\rminiv3.sys [5632 2010-04-21] (Famatech International Corp.)
S3 Netaapl; C:\Windows\System32\DRIVERS\netaapl64.sys [22528 2010-04-19] (Apple Inc.) [File not signed]
R3 PaniniUSB; C:\Windows\System32\DRIVERS\PaniniUSB.sys [266752 2012-10-22] (Jungo)
R3 PaniniUSB; C:\Windows\SysWOW64\DRIVERS\PaniniUSB.sys [266752 2012-10-22] (Jungo)
R1 raddrvv3; C:\Windows\SysWOW64\rserver30\raddrvv3.sys [68704 2009-10-09] (Famatech Corp.)
R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [88928 2013-06-18] (ThreatTrack Security, Inc.)
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [560184 2012-05-30] (Duplex Secure Ltd.)
S1 SuperMounter; No ImagePath
S3 TfNetMon; No ImagePath
U5 TMUSB; C:\Windows\System32\DRIVERS\TMUSB64.SYS [61216 2008-10-30] (SEIKO EPSON CORPORATION)
U3 aw7b0ypt; C:\Windows\System32\Drivers\aw7b0ypt.sys [0 ] (Microsoft Corporation)
S4 NVHDA; system32\drivers\nvhda64v.sys [X]
S0 TfFsMon; system32\drivers\TfFsMon.sys [X]
S0 TFSysMon; system32\drivers\TfSysMon.sys [X]
S3 WinDriver6; system32\DRIVERS\Windrvr6.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-07-02 18:44 - 2014-07-02 18:44 - 00036354 _____ () C:\Users\TDC2010\Downloads\FRST.txt
2014-07-02 18:43 - 2014-07-02 18:44 - 00000000 ____D () C:\FRST
2014-07-02 18:43 - 2014-07-02 18:43 - 02083840 _____ (Farbar) C:\Users\TDC2010\Downloads\FRST64.exe
2014-07-01 07:53 - 2014-07-01 07:53 - 00514704 _____ () C:\Users\TDC2010\Downloads\Attachments_201471.zip
2014-06-29 09:23 - 2014-06-29 09:23 - 01103354 _____ () C:\Users\TDC2010\Downloads\Attachments_2014629.zip
2014-06-28 10:25 - 2014-06-28 10:25 - 00230176 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (5).exe
2014-06-26 20:01 - 2014-06-26 20:01 - 00002002 _____ () C:\Users\TDC2010\Desktop\RPower.RDP
2014-06-25 09:32 - 2014-06-25 09:32 - 00225568 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (4).exe
2014-06-22 13:21 - 2014-06-22 13:21 - 00232736 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (3).exe
2014-06-17 08:39 - 2014-06-17 08:39 - 00228136 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (2).exe
2014-06-17 06:51 - 2014-06-17 06:51 - 00103711 _____ () C:\Users\TDC2010\Downloads\Payroll_Detail (4).xls
2014-06-16 21:42 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-06-16 21:41 - 2014-06-16 21:45 - 00000000 ____D () C:\AdwCleaner
2014-06-16 21:40 - 2014-06-16 21:40 - 01333465 _____ () C:\Users\TDC2010\Downloads\AdwCleaner.exe
2014-06-15 13:01 - 2014-06-15 13:01 - 00107620 _____ () C:\Users\TDC2010\Downloads\Payroll_Detail (3).xls
2014-06-15 12:59 - 2014-06-15 12:59 - 00109238 _____ () C:\Users\TDC2010\Downloads\Payroll_Detail (1).xls
2014-06-15 12:59 - 2014-06-15 12:59 - 00107032 _____ () C:\Users\TDC2010\Downloads\Payroll_Detail (2).xls
2014-06-15 09:22 - 2014-06-15 09:22 - 00001184 _____ () C:\Users\TDC2010\Downloads\transactions.csv
2014-06-15 08:51 - 2014-06-15 08:51 - 00226088 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (1).exe
2014-06-15 08:45 - 2014-06-15 08:45 - 00226088 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome.exe
2014-06-15 06:00 - 2014-06-15 06:00 - 00998800 _____ () C:\Users\TDC2010\Downloads\Player.exe
2014-06-06 10:09 - 2014-06-06 10:09 - 00000000 ____D () C:\Windows\Offline Address Books
 
==================== One Month Modified Files and Folders =======
 
2014-07-02 18:44 - 2014-07-02 18:44 - 00036354 _____ () C:\Users\TDC2010\Downloads\FRST.txt
2014-07-02 18:44 - 2014-07-02 18:43 - 00000000 ____D () C:\FRST
2014-07-02 18:43 - 2014-07-02 18:43 - 02083840 _____ (Farbar) C:\Users\TDC2010\Downloads\FRST64.exe
2014-07-02 18:07 - 2014-03-23 12:44 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-07-02 13:37 - 2014-01-02 10:45 - 00000000 ____D () C:\Users\TDC2010\AppData\Roaming\Dropbox
2014-07-02 13:32 - 2011-01-13 08:31 - 00000000 ____D () C:\Users\TDC2010\Documents\Outlook Files
2014-07-02 12:57 - 2010-12-25 09:04 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-07-02 10:59 - 2010-09-04 16:45 - 01202756 _____ () C:\Windows\WindowsUpdate.log
2014-07-02 10:00 - 2010-12-08 16:04 - 00000450 ____H () C:\Windows\Tasks\PVC BAKERY, INC 1291838693.job
2014-07-02 10:00 - 2010-12-08 15:13 - 00000000 ____D () C:\Users\TDC2010\Documents\Quickbooks Files
2014-07-02 09:56 - 2014-04-13 08:27 - 00000000 ___RD () C:\Users\TDC2010\Dropbox (H&H Bagels East)
2014-07-02 08:01 - 2013-01-17 13:53 - 00000000 ____D () C:\Users\Public\QUICKBOOKS
2014-07-02 04:20 - 2014-03-23 12:44 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-07-01 07:53 - 2014-07-01 07:53 - 00514704 _____ () C:\Users\TDC2010\Downloads\Attachments_201471.zip
2014-06-30 00:53 - 2010-09-04 16:46 - 00000000 ____D () C:\ProgramData\PDFC
2014-06-29 11:11 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-06-29 09:23 - 2014-06-29 09:23 - 01103354 _____ () C:\Users\TDC2010\Downloads\Attachments_2014629.zip
2014-06-29 09:16 - 2014-04-13 10:17 - 00000000 ____D () C:\Users\TDC2010\AppData\Roaming\Dropbox2
2014-06-28 10:25 - 2014-06-28 10:25 - 00230176 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (5).exe
2014-06-27 10:30 - 2013-02-19 12:54 - 00001680 _____ () C:\Users\TDC2010\Desktop\RPOWER.lnk
2014-06-26 20:01 - 2014-06-26 20:01 - 00002002 _____ () C:\Users\TDC2010\Desktop\RPower.RDP
2014-06-26 08:37 - 2010-12-08 18:57 - 00000000 ___RD () C:\Users\TDC2010\Desktop\TED
2014-06-25 09:32 - 2014-06-25 09:32 - 00225568 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (4).exe
2014-06-25 06:58 - 2010-12-08 18:55 - 00000000 ___RD () C:\Users\TDC2010\Desktop\CLAY
2014-06-22 13:21 - 2014-06-22 13:21 - 00232736 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (3).exe
2014-06-20 08:50 - 2013-01-17 13:39 - 00000000 ____D () C:\Quickbooks
2014-06-17 08:39 - 2014-06-17 08:39 - 00228136 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (2).exe
2014-06-17 06:51 - 2014-06-17 06:51 - 00103711 _____ () C:\Users\TDC2010\Downloads\Payroll_Detail (4).xls
2014-06-17 03:02 - 2014-03-23 12:44 - 00003896 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-06-17 03:02 - 2014-03-23 12:44 - 00003644 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-06-16 22:02 - 2014-04-13 10:17 - 00000000 ___RD () C:\Users\TDC2010\Dropbox (Personal)
2014-06-16 22:02 - 2014-04-13 08:23 - 00000000 ____D () C:\Users\TDC2010\AppData\Roaming\DropboxMaster
2014-06-16 21:55 - 2009-07-14 00:45 - 00015792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-16 21:55 - 2009-07-14 00:45 - 00015792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-16 21:54 - 2009-07-14 01:13 - 00796186 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-16 21:47 - 2014-01-23 09:52 - 00001006 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2014-06-16 21:47 - 2014-01-23 09:52 - 00000990 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-06-16 21:47 - 2011-09-14 16:17 - 00000204 _____ () C:\Windows\Tasks\AutoKMS.job
2014-06-16 21:47 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-16 21:47 - 2009-07-14 00:51 - 00133779 _____ () C:\Windows\setupact.log
2014-06-16 21:46 - 2010-09-04 19:00 - 01097522 _____ () C:\Windows\PFRO.log
2014-06-16 21:45 - 2014-06-16 21:41 - 00000000 ____D () C:\AdwCleaner
2014-06-16 21:40 - 2014-06-16 21:40 - 01333465 _____ () C:\Users\TDC2010\Downloads\AdwCleaner.exe
2014-06-15 13:01 - 2014-06-15 13:01 - 00107620 _____ () C:\Users\TDC2010\Downloads\Payroll_Detail (3).xls
2014-06-15 12:59 - 2014-06-15 12:59 - 00109238 _____ () C:\Users\TDC2010\Downloads\Payroll_Detail (1).xls
2014-06-15 12:59 - 2014-06-15 12:59 - 00107032 _____ () C:\Users\TDC2010\Downloads\Payroll_Detail (2).xls
2014-06-15 09:22 - 2014-06-15 09:22 - 00001184 _____ () C:\Users\TDC2010\Downloads\transactions.csv
2014-06-15 08:51 - 2014-06-15 08:51 - 00226088 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (1).exe
2014-06-15 08:45 - 2014-06-15 08:45 - 00226088 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome.exe
2014-06-15 06:00 - 2014-06-15 06:00 - 00998800 _____ () C:\Users\TDC2010\Downloads\Player.exe
2014-06-13 04:07 - 2014-03-23 12:45 - 00002185 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-06-12 12:41 - 2014-03-03 15:08 - 00001515 _____ () C:\Users\TDC2010\Desktop\Pandora.website
2014-06-11 08:47 - 2010-12-17 14:33 - 00000000 ____D () C:\RPOWER
2014-06-10 13:15 - 2013-01-17 12:34 - 00000000 ____D () C:\Users\QBDataServiceUser21
2014-06-07 13:11 - 2012-05-12 18:10 - 00107368 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIRfsClientNP.dll
2014-06-07 13:11 - 2012-05-12 18:10 - 00092488 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIinit.dll
2014-06-07 13:11 - 2012-05-12 18:10 - 00035656 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIport.dll
2014-06-07 13:11 - 2012-05-12 18:10 - 00000000 ____D () C:\Program Files (x86)\LogMeIn
2014-06-06 10:09 - 2014-06-06 10:09 - 00000000 ____D () C:\Windows\Offline Address Books
2014-06-03 12:51 - 2012-10-25 13:30 - 00000000 ____D () C:\Temp
2014-06-03 11:09 - 2010-12-08 18:56 - 00000000 ____D () C:\Users\TDC2010\Desktop\HH FILES
 
Some content of TEMP:
====================
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2yxtcm.dll
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp4vekqw.dll
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppxvxec.dll
C:\Users\TDC2010\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\TDC2010\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\TDC2010\AppData\Local\Temp\LPPlugin.dll
C:\Users\TDC2010\AppData\Local\Temp\nvStInst.exe
C:\Users\TDC2010\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-06-28 00:16
 
==================== End Of Log ============================


#2 Superneato (Topic Starter, Members, 35 posts)

Posted 02 July 2014 - 06:03 PM

Correction: I attached the addition file from the previous infection. Please see the correct file, now attached.



#3 nasdaq (Malware Response Team, 40,169 posts, Montreal, QC, Canada)

Posted 03 July 2014 - 08:04 AM

Welcome to BleepingComputer

Here is the fix for your other computer.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKLM-x32 - {AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} -  No File
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Extension: No Name - C:\Users\TDC2010\AppData\Roaming\Mozilla\Firefox\Profiles\flo8asrl.default\extensions\addon@defaulttab.com.xpi []
S2 mgService; No ImagePath
S4 NVHDA; system32\drivers\nvhda64v.sys [X]
S0 TfFsMon; system32\drivers\TfFsMon.sys [X]
S0 TFSysMon; system32\drivers\TfSysMon.sys [X]
S3 WinDriver6; system32\DRIVERS\Windrvr6.sys [X]
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2yxtcm.dll
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp4vekqw.dll
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppxvxec.dll
C:\Users\TDC2010\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\TDC2010\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\TDC2010\AppData\Local\Temp\LPPlugin.dll
C:\Users\TDC2010\AppData\Local\Temp\nvStInst.exe
C:\Users\TDC2010\AppData\Local\Temp\Quarantine.ex

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/
===

Let me know what problem persists.
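The fix above is built by hand from the FRST log: entries that point at nothing (No ImagePath, [X], "No File"), hijacked search scopes, and the repeatedly downloaded "Player-Chrome" installers. As an added example (not part of this thread and not FRST's own code), the same triage as a small Python parser over FRST log lines, emitting the removable findings in the start/End fixlist form; the sample lines are copied from the FRST.txt posted above, and the search-engine allowlist is an assumption.

```python
"""Triage helper for FRST log lines. Added example, not part of this thread
and not FRST's own code: it reproduces the selection made by hand in the fix
above and emits the removable findings as a fixlist of raw log lines, which
FRST accepts verbatim (the Fixlog posted later in this thread shows that)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample lines copied from the FRST.txt posted in this thread.
SAMPLE_LOG = r"""
R2 FedExAdminService; C:\Program Files (x86)\FedEx\ShipManager\BIN\AdminService.exe [24576 2012-01-17] () [File not signed]
S2 mgService; No ImagePath
U3 aw7b0ypt; C:\Windows\System32\Drivers\aw7b0ypt.sys [0 ] (Microsoft Corporation)
S4 NVHDA; system32\drivers\nvhda64v.sys [X]
S0 TfFsMon; system32\drivers\TfFsMon.sys [X]
Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} -  No File
SearchScopes: HKCU - {AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
2014-06-28 10:25 - 2014-06-28 10:25 - 00230176 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome (5).exe
2014-06-15 08:45 - 2014-06-15 08:45 - 00226088 _____ (Premium Installer ) C:\Users\TDC2010\Downloads\Player-Chrome.exe
2014-07-02 18:43 - 2014-07-02 18:43 - 02083840 _____ (Farbar) C:\Users\TDC2010\Downloads\FRST64.exe
"""

# Assumption: engines the user is expected to have; any other search scope is flagged.
DEFAULT_SCOPE_ALLOWLIST = ("www.google.com", "www.bing.com", "search.yahoo.com")
# Informational categories ("unsigned") stay out of the fixlist.
REMOVABLE = {"no_imagepath", "file_missing", "zero_byte", "dangling",
             "search_scope", "repeated_download"}

SVC_RE = re.compile(r"^[RSU]\d\s+([^;]+);\s*(.*)$")  # service or driver entry
NOFILE_RE = re.compile(r"^(?:Toolbar|Handler|ShellIconOverlayIdentifiers(?:-x32)?):.*\bNo File\s*$")
SCOPE_RE = re.compile(r"^SearchScopes:.*?\bURL\s*=\s*(\S*)\s*$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - "
                        r"(\d+) (\S+) \((.*?)\) (.+)$")  # one-month created/modified entry


@dataclass(frozen=True)
class Finding:
    category: str
    entry: str   # raw FRST line, usable verbatim in fixlist.txt
    note: str


def _service_finding(line):
    m = SVC_RE.match(line)
    if not m:
        return None
    name, tail = m.group(1), m.group(2)
    if tail == "No ImagePath":
        return Finding("no_imagepath", line, f"{name}: registered but points to no file")
    if tail.endswith("[X]"):
        return Finding("file_missing", line, f"{name}: image file not present on disk")
    if "[0 ]" in tail:
        return Finding("zero_byte", line, f"{name}: zero-byte file, cannot be verified; review")
    if "[File not signed]" in tail:
        return Finding("unsigned", line, f"{name}: unsigned binary; confirm publisher and path")
    return None


def _scope_finding(line, allowlist):
    m = SCOPE_RE.match(line)
    if not m:
        return None
    url = m.group(1)
    if not url:
        return Finding("search_scope", line, "search scope with an empty URL")
    host = urlsplit(url).hostname or ""
    if host not in allowlist:
        return Finding("search_scope", line, f"search scope points at {host}, not on allowlist")
    return None


def _download_findings(lines, min_copies=2):
    # Group .exe entries by file name with any " (N)" browser-rename suffix stripped.
    groups = {}
    for line in lines:
        m = CREATED_RE.match(line)
        if not m or not m.group(4).lower().endswith(".exe"):
            continue
        base = m.group(4).rsplit("\\", 1)[-1].lower()
        key = re.sub(r" \(\d+\)(?=\.exe$)", "", base)
        groups.setdefault(key, []).append(line)
    return [Finding("repeated_download", l, f"{k} downloaded {len(v)} times in a month")
            for k, v in groups.items() if len(v) >= min_copies for l in v]


def triage(log_text, scope_allowlist=DEFAULT_SCOPE_ALLOWLIST):
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    findings = []
    for line in lines:
        findings.extend(f for f in (_service_finding(line),
                                    _scope_finding(line, scope_allowlist)) if f)
        if NOFILE_RE.match(line):
            findings.append(Finding("dangling", line, "registration whose target file is gone"))
    findings.extend(_download_findings(lines))
    return findings


def to_fixlist(findings):
    # Same start/End layout as the fixlist in this thread; raw log lines in between.
    body = [f.entry for f in findings if f.category in REMOVABLE]
    return "\n".join(["start", "", *body, "", "End"]) + "\n"
```

Every finding is a review prompt, not a verdict: the zero-byte driver and the unsigned services still need a human to confirm what the binary is before anything goes into a fixlist.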

#4 Superneato (Topic Starter, Members, 35 posts)

Posted 03 July 2014 - 08:25 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-07-2014
Ran by TDC2010 at 2014-07-03 20:59:45 Run:1
Running from C:\Users\TDC2010\Downloads
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
 
HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt1 -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt2 -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt3 -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: DropboxExt4 -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKLM-x32 - {AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
Toolbar: HKCU - No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} -  No File
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Extension: No Name - C:\Users\TDC2010\AppData\Roaming\Mozilla\Firefox\Profiles\flo8asrl.default\extensions\addon@defaulttab.com.xpi []
S2 mgService; No ImagePath
S4 NVHDA; system32\drivers\nvhda64v.sys [X]
S0 TfFsMon; system32\drivers\TfFsMon.sys [X]
S0 TFSysMon; system32\drivers\TfSysMon.sys [X]
S3 WinDriver6; system32\DRIVERS\Windrvr6.sys [X]
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2yxtcm.dll
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp4vekqw.dll
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppxvxec.dll
C:\Users\TDC2010\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\TDC2010\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
C:\Users\TDC2010\AppData\Local\Temp\LPPlugin.dll
C:\Users\TDC2010\AppData\Local\Temp\nvStInst.exe
C:\Users\TDC2010\AppData\Local\Temp\Quarantine.ex
 
End
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4' => Key deleted successfully.
'HKLM\Software\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1' => Key deleted successfully.
'HKLM\Software\Wow6432Node\Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2' => Key deleted successfully.
'HKLM\Software\Wow6432Node\Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3' => Key deleted successfully.
'HKLM\Software\Wow6432Node\Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4' => Key deleted successfully.
'HKLM\Software\Wow6432Node\Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}'=> Key not found.
'HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}' => Key deleted successfully.
'HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}'=> Key not found.
'HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B}' => Key deleted successfully.
'HKCR\CLSID\{AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B}'=> Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
'HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B}'=> Key not found.
'HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B}' => Key deleted successfully.
'HKCR\CLSID\{AFD06CA5-C02A-4FA8-B5CE-7CBCE745522B}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} => value deleted successfully.
'HKCR\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}'=> Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
'HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}'=> Key not found.
'HKCR\PROTOCOLS\Handler\intu-help-qb4' => Key deleted successfully.
'HKCR\CLSID\{ACE22922-D07C-4860-B51B-8CF472FEC2CB}'=> Key not found.
'HKCR\PROTOCOLS\Handler\qbwc' => Key deleted successfully.
'HKCR\CLSID\{FC598A64-626C-4447-85B8-53150405FD57}'=> Key not found.
'HKCR\PROTOCOLS\Handler\vipresg' => Key deleted successfully.
'HKCR\CLSID\{47BE2E5B-703B-444F-ABD3-05717D2191C6}'=> Key not found.
'HKLM\Software\MozillaPlugins\FF Plugin: @microsoft.com/GENUINE - disabled No File'=> Key not found.
"FF Plugin: @microsoft.com/GENUINE - disabled No File" => not found.
'HKLM\Software\Wow6432Node\MozillaPlugins\FF Plugin-x32: @microsoft.com/GENUINE - disabled No File'=> Key not found.
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File not found.
C:\Users\TDC2010\AppData\Roaming\Mozilla\Firefox\Profiles\flo8asrl.default\extensions\addon@defaulttab.com.xpi not found.
mgService => Service deleted successfully.
NVHDA => Service deleted successfully.
TfFsMon => Service deleted successfully.
TFSysMon => Service deleted successfully.
WinDriver6 => Service deleted successfully.
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp2yxtcm.dll => Moved successfully.
C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp4vekqw.dll => Moved successfully.
"C:\Users\TDC2010\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmppxvxec.dll" => File/Directory not found.
C:\Users\TDC2010\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
C:\Users\TDC2010\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe => Moved successfully.
C:\Users\TDC2010\AppData\Local\Temp\LPPlugin.dll => Moved successfully.
C:\Users\TDC2010\AppData\Local\Temp\nvStInst.exe => Moved successfully.
"C:\Users\TDC2010\AppData\Local\Temp\Quarantine.ex" => File/Directory not found.
 
==== End of Fixlog ====
 
 
 
 

 Results of screen317's Security Check version 0.99.85  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
ThreatTrack Security VIPRE   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java™ 6 Update 29  
 Java version out of Date! 
  Adobe Flash Player 11.5.502.146 Flash Player out of Date!  
 Mozilla Firefox 27.0.1 Firefox out of Date!  
 Google Chrome 35.0.1916.114  
 Google Chrome 35.0.1916.153  
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 18% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
 


#5 Superneato (Topic Starter, Members, 35 posts)

Posted 03 July 2014 - 08:32 PM

I reset Chrome and also flushed DNS per the instructions from the previous thread, yet I'm still getting the same popup tabs/malicious downloads...



#6 nasdaq (Malware Response Team, 40,169 posts, Montreal, QC, Canada)

Posted 04 July 2014 - 10:23 AM

Clean the Java Cache. Tutorial here.
http://www.java.com/en/download/help/plugin_cache.xml
<<<>>>

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u60.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 6 Update 29
===

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version or, if you already have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine

===

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
 

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

Optional, if the following programs are on your computer:
Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you have to re-install IE-SpyAd if installed.
===

If the popups are still around then it may be that your router is compromised.
How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is the list of default usernames and passwords, in case you don't know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html


How To Set Up a Network Router
http://compnetworking.about.com/od/homenetworking/ht/routerconfigure.htm

Keep me posted.
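
Before merging fixme.reg, a defender will usually want to see what the ZoneMap keys actually contain, and, since this thread ended up at the router's DNS settings, which DNS servers the PC is really using. The PowerShell audit script below is an added example, not nasdaq's instructions or a tool from the thread; it assumes Windows PowerShell 2.0 or later and is read-only.

```powershell
# Added audit example (not from the original thread): list the IE ZoneMap entries that
# fixme.reg deletes, then show the DNS servers this PC uses. Read-only; changes nothing.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# The same five keys that the [-HKEY_...] lines in fixme.reg remove
$Base = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$ZoneMapRoots = @("HKCU:\$Base\Domains", "HKCU:\$Base\Ranges",
                  "HKLM:\$Base\Domains", "HKLM:\$Base\Ranges", "HKLM:\$Base\EscDomains")

function Get-ZoneMapEntries {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (Test-Path $root) {
            $rootName = (Get-Item $root).Name
            Get-ChildItem -Path $root -Recurse | ForEach-Object {
                $key   = $_
                $props = Get-ItemProperty -Path $key.PSPath
                # Ranges\RangeN carries a ':Range' value; Domains\example.com\www means www.example.com
                $target = $props.':Range'
                if (-not $target) {
                    $parts = $key.Name.Substring($rootName.Length + 1) -split '\\'
                    [array]::Reverse($parts)
                    $target = $parts -join '.'
                }
                foreach ($p in $props.PSObject.Properties) {
                    # Remaining values are <scheme> = <zone number>, e.g. http = 2 (Trusted sites)
                    if ($p.Name -notlike 'PS*' -and $p.Name -ne ':Range') {
                        New-Object PSObject -Property @{
                            Hive = $root.Substring(0, 4); Target = $target; Scheme = $p.Name
                            Zone = [int]$p.Value; ZoneName = $ZoneNames[[int]$p.Value]
                        }
                    }
                }
            }
        }
    }
}

function Get-ActiveDnsServers {
    # WMI works on Windows 7; Get-DnsClientServerAddress exists only on Windows 8 and later
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, DefaultIPGateway, DNSServerSearchOrder
}

"== ZoneMap entries: 'Trusted sites' entries you did not add yourself deserve a close look =="
Get-ZoneMapEntries -Roots $ZoneMapRoots | Sort-Object Zone, Target |
    Format-Table Hive, Target, Scheme, ZoneName -AutoSize
"== DNS servers in use: expect your router's LAN address or your ISP's servers =="
Get-ActiveDnsServers | Format-List
```

Run it from an elevated PowerShell prompt once before and once after merging fixme.reg; if the DNS list shows addresses that are neither the router nor the ISP, the router's own settings are the next place to check, as this thread found.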

#7 Superneato (Topic Starter)

  • Members
  • 35 posts

Posted 04 July 2014 - 03:40 PM

Nasdaq,

Thanks for your help here. Another computer on the network was experiencing the same issue, which led me to investigate your suggestion about my router being infected. I ended up finding this article which applies directly to my router (Linksys E1200, firmware version, remote management enabled, etc.). I have since disabled remote management and changed the DNS servers back to the DNS servers provided by my ISP; I plan to update the firmware ASAP. So far, the popups have been eliminated.



#8 nasdaq

  • Malware Response Team
  • 40,169 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 July 2014 - 06:49 AM

Glad we could help.

#9 nasdaq

  • Malware Response Team
  • 40,169 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 July 2014 - 10:01 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
