
Church computer - We had to shut down its email account because it was spamming


  • This topic is locked
15 replies to this topic

#1 Simon Mason

  • Members
  • 27 posts

Posted 23 August 2014 - 12:55 PM

We have a PC at church that is running Windows Vista Basic and Outlook 2003. Recently we had to shut down the email account associated with this computer because it was sending spam. After disabling the email account the spam stopped, but I am not sure (yet) if the computer is infected and sending email or if the SMTP port on the mail server was exploited using the user ID and password. So I am eliminating the possibilities.

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16545
Run by ChristianEd at 13:45:44 on 2014-08-23
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.2494.1347 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\ChristianEd\AppData\Local\{4FA1F08B-2204-1359-EFE9-9B83CFD48EA7}\syshost.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
c:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version9\TeamViewer.exe
C:\Program Files\TeamViewer\Version9\tv_w32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.stpaulschatham.org/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Veirqi] c:\users\christianed\appdata\local\temp\poawob\veirqi.exe
uRun: [syshost32] c:\users\christianed\appdata\local\{4fa1f08b-2204-1359-efe9-9b83cfd48ea7}\syshost.exe
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [DPService] "c:\program files\hp\dvdplay\DPService.exe"
mRun: [ALUAlert] c:\program files\symantec\liveupdate\ALuNotify.exe
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRunOnce: [Launcher] c:\windows\sminst\launcher.exe
StartupFolder: c:\users\christ~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\launch~1.lnk - c:\program files\microsoft office\office11\OUTLOOK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\3572475\program\Compaq Connections.exe
uPolicies-Explorer: TaskbarNoNotification = dword:0
uPolicies-Explorer: HideSCAHealth = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: TaskbarNoNotification = dword:0
mPolicies-Explorer: HideSCAHealth = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com//activex/ractrl.cab?lmi=972
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{49D35D08-3B9D-450B-A8A4-45B6E7955A1F} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{F62C4470-9CA5-4842-A9E8-DDB9838C16BC} : DHCPNameServer = 192.168.1.1
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\36.0.1985.143\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-9-26 21504]
R2 TeamViewer9;TeamViewer 9;c:\program files\teamviewer\version9\TeamViewer_Service.exe [2014-2-2 5052224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v2.sys [2007-12-26 288768]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
.
==================== Find3M  ====================
.
2014-07-08 19:12:12 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-08 19:12:12 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 13:46:41.07 ===============
 


#2 Jo*

  • Malware Response Team
  • 3,453 posts
  • Gender:Male
  • Location:Germany

Posted 24 August 2014 - 08:54 AM


Hello Simon Mason,

My name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Logs can take a while to research, so please be patient.
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save the instructions.
  • Back up all your private data / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English, so please do not use slang or idioms; it could be hard for me to read. Thanks for your understanding.

***


1. Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


2. Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right-click FRST / FRST64 then click "Run as administrator" (XP users: click Run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.
Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.



***


Please go to one of the below sites to scan the following file(s):
Virus Total (Recommended)
jotti.org
VirScan
Click on Browse, and upload the following file(s) for analysis:

C:\Users\ChristianEd\AppData\Local\{4FA1F08B-2204-1359-EFE9-9B83CFD48EA7}\syshost.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.



***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 Jo*

  • Malware Response Team
  • 3,453 posts
  • Gender:Male
  • Location:Germany

Posted 27 August 2014 - 05:11 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



#4 Simon Mason

  • Topic Starter
  • Members
  • 27 posts

Posted 07 September 2014 - 09:18 AM

Checkup.txt:

 

 Results of screen317's Security Check version 0.99.87 
 Windows Vista Service Pack 2 x86 (UAC is disabled!) 
 Internet Explorer 9 
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Reader 7 Adobe Reader out of Date!
 Google Chrome 36.0.1985.143 
 Google Chrome 37.0.2062.103 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 4 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

frst.txt:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-09-2014
Ran by ChristianEd (administrator) on CHRISTIANED-PC on 07-09-2014 10:08:00
Running from C:\Users\ChristianEd\Desktop\Cleaning
Platform: Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agrsmsvc.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(Hewlett-Packard Company) C:\hp\support\hpsysdrv.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Realtek Semiconductor Corp.) C:\Windows\SOUNDMAN.EXE
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
() C:\Users\ChristianEd\AppData\Local\{4FA1F08B-2204-1359-EFE9-9B83CFD48EA7}\syshost.exe
(Hewlett Packard) C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
(Microsoft Corporation) C:\Windows\System32\conime.exe
(Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(alch) C:\Program Files\ClamWin\bin\ClamTray.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\tv_w32.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\MSTORDB.EXE
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [hpsysdrv] => c:\hp\support\hpsysdrv.exe [65536 2006-09-28] (Hewlett-Packard Company)
HKLM\...\Run: [ATICCC] => c:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe [90112 2006-07-11] ()
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [3784704 2006-11-09] (Realtek Semiconductor)
HKLM\...\Run: [DPService] => C:\Program Files\HP\DVDPlay\DPService.exe [81920 2006-11-08] (CyberLink Corp.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [ALUAlert] => C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
HKLM\...\Run: [ClamWin] => C:\Program Files\ClamWin\bin\ClamTray.exe [86016 2014-08-07] (alch)
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM\...\Run: [SoundMan] => C:\Windows\SOUNDMAN.EXE [604704 2009-04-14] (Realtek Semiconductor Corp.)
HKLM\...\RunOnce: [Launcher] => C:\Windows\SMINST\launcher.exe [44136 2006-11-24] (soft thinks)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3506291279-3617469437-294698084-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-3506291279-3617469437-294698084-1000\...\Run: [Veirqi] => C:\Users\ChristianEd\AppData\Local\Temp\Poawob\veirqi.exe [508416 2007-03-15] () <===== ATTENTION
HKU\S-1-5-21-3506291279-3617469437-294698084-1000\...\Run: [syshost32] => C:\Users\ChristianEd\AppData\Local\{4FA1F08B-2204-1359-EFE9-9B83CFD48EA7}\syshost.exe [104448 2014-05-13] ()
HKU\S-1-5-21-3506291279-3617469437-294698084-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe [851632 2014-07-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-3506291279-3617469437-294698084-1000\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-3506291279-3617469437-294698084-1000\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-3506291279-3617469437-294698084-1000\...\MountPoints2: {ccd3cbfe-8878-11e0-a880-001921a2929c} - G:\LaunchU3.exe -a
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Compaq Connections.lnk
ShortcutTarget: Compaq Connections.lnk -> C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe (Hewlett Packard)
Startup: C:\Users\ChristianEd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Launch Microsoft Office Outlook.lnk
ShortcutTarget: Launch Microsoft Office Outlook.lnk -> C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stpaulschatham.org/
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
SearchScopes: HKLM - DefaultScope {3E935B96-16B0-4512-8E7B-1E9632A5114D} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
SearchScopes: HKLM - {30BE9173-249A-4F0B-B775-51E6E873F9B6} URL = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
SearchScopes: HKLM - {3E935B96-16B0-4512-8E7B-1E9632A5114D} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
SearchScopes: HKLM - {FD14B97B-A346-4E7E-B268-D48526127F0C} URL = http://search.live.com/results.aspx?q={searchTerms}&amp;entrypoint={referrer:source?}&amp;FORM=HQDUS7
SearchScopes: HKCU - DefaultScope {FBDDAD6E-79C6-431C-810C-55F934BBB810} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {30BE9173-249A-4F0B-B775-51E6E873F9B6} URL = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
SearchScopes: HKCU - {3E935B96-16B0-4512-8E7B-1E9632A5114D} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt
SearchScopes: HKCU - {FBDDAD6E-79C6-431C-810C-55F934BBB810} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {FD14B97B-A346-4E7E-B268-D48526127F0C} URL = http://search.live.com/results.aspx?q={searchTerms}&amp;entrypoint={referrer:source?}&amp;FORM=HQDUS7
BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=972
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-09-19]

Chrome:
=======
CHR HomePage: Default -> C83F494D0FE0EE9C8988672F5C94096FB4EC238E7C02F23C6FE9CB8527E640A8
CHR NewTab: Default -> "chrome-extension://oliggifnpofcibpgfmoimpfgjeidhhdp/spent.html"
CHR DefaultSearchKeyword: Default -> 0CB6FCEC6D1351683080EED39F11644BE792FE8F1B47E8E26ACD431AAD235309
CHR DefaultSearchURL: Default -> A50159984498B22B5EDBFFFF580D286F2491F86C9CD2549A0CC9477892388EB5
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\37.0.2062.103\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\37.0.2062.103\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\37.0.2062.103\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.124\npGoogleUpdate3.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR CustomProfile: C:\Users\ChristianEd\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\ChristianEd\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-02-18]
CHR Extension: (Google Drive) - C:\Users\ChristianEd\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-02-18]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\ChristianEd\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
CHR Extension: (YouTube) - C:\Users\ChristianEd\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-02-18]
CHR Extension: (Google Search) - C:\Users\ChristianEd\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-02-18]
CHR Extension: (Google Wallet) - C:\Users\ChristianEd\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-26]
CHR Extension: (KnowtheBible) - C:\Users\ChristianEd\AppData\Local\Google\Chrome\User Data\Default\Extensions\oliggifnpofcibpgfmoimpfgjeidhhdp [2014-02-04]
CHR Extension: (Gmail) - C:\Users\ChristianEd\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-02-18]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

Locked "a29e4cd9fcff2094" service could not be unlocked. <===== ATTENTION

R2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-27] (LSI Corporation)
R2 LightScribeService; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2006-10-19] (Hewlett-Packard Company) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 ALCXWDM; C:\Windows\System32\drivers\RTKVAC.SYS [4172832 2009-06-18] (Realtek Semiconductor Corp.)
S4 ntrigdigi; C:\Windows\system32\drivers\ntrigdigi.sys [20608 2006-11-02] () [File not signed]
R1 Null; C:\Windows\system32\Drivers\Null.sys [4608 2008-01-19] () [File not signed]
S4 nvraid; C:\Windows\system32\drivers\nvraid.sys [88680 2006-11-02] () [File not signed]
S4 nvstor; C:\Windows\system32\drivers\nvstor.sys [40040 2006-11-02] () [File not signed]
S3 nv_agp; C:\Windows\system32\drivers\nv_agp.sys [106600 2006-11-02] () [File not signed]
R3 ohci1394; C:\Windows\System32\DRIVERS\ohci1394.sys [62208 2009-04-11] () [File not signed]
R3 Parport; C:\Windows\System32\DRIVERS\parport.sys [79360 2008-01-19] () [File not signed]
R0 partmgr; C:\Windows\System32\drivers\partmgr.sys [53120 2012-03-20] () [File not signed]
R2 Parvdm; C:\Windows\System32\DRIVERS\parvdm.sys [8704 2008-01-19] () [File not signed]
R0 pci; C:\Windows\System32\drivers\pci.sys [149480 2009-04-11] () [File not signed]
R0 pciide; C:\Windows\System32\drivers\pciide.sys [14312 2009-04-11] () [File not signed]
S4 pcmcia; C:\Windows\system32\drivers\pcmcia.sys [167528 2006-11-02] () [File not signed]
R2 PEAUTH; C:\Windows\System32\drivers\peauth.sys [878080 2006-11-02] () [File not signed]
R3 PptpMiniport; C:\Windows\System32\DRIVERS\raspptp.sys [62976 2008-01-19] () [File not signed]
S4 Processor; C:\Windows\system32\drivers\processr.sys [38400 2006-11-02] () [File not signed]
R1 PSched; C:\Windows\System32\DRIVERS\pacer.sys [72192 2009-04-11] () [File not signed]
R0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [36528 2006-07-24] () [File not signed]
S4 ql2300; C:\Windows\system32\drivers\ql2300.sys [900712 2006-11-02] () [File not signed]
S4 ql40xx; C:\Windows\system32\drivers\ql40xx.sys [106088 2006-11-02] () [File not signed]
S3 QWAVEdrv; C:\Windows\system32\drivers\qwavedrv.sys [31232 2008-01-19] () [File not signed]
S3 R300; C:\Windows\System32\DRIVERS\atikmdag.sys [2600448 2007-06-13] () [File not signed]
R1 RasAcd; C:\Windows\System32\DRIVERS\rasacd.sys [11776 2008-01-19] () [File not signed]
R3 Rasl2tp; C:\Windows\System32\DRIVERS\rasl2tp.sys [76288 2008-01-19] () [File not signed]
R3 RasPppoe; C:\Windows\System32\DRIVERS\raspppoe.sys [41472 2009-04-11] () [File not signed]
R3 RasSstp; C:\Windows\System32\DRIVERS\rassstp.sys [69120 2009-04-11] () [File not signed]
R1 rdbss; C:\Windows\System32\DRIVERS\rdbss.sys [225280 2009-04-11] () [File not signed]
R1 RDPCDD; C:\Windows\System32\DRIVERS\RDPCDD.sys [6144 2008-01-19] () [File not signed]
S4 rdpdr; C:\Windows\system32\drivers\rdpdr.sys [242688 2006-11-02] () [File not signed]
R1 RDPENCDD; C:\Windows\System32\drivers\rdpencdd.sys [6144 2008-01-19] () [File not signed]
S3 RDPWD; C:\Windows\system32\Drivers\RDPWD.sys [180736 2012-05-01] () [File not signed]
R2 rspndr; C:\Windows\System32\DRIVERS\rspndr.sys [60416 2008-01-19] () [File not signed]
R3 RTL8023xp; C:\Windows\System32\DRIVERS\Rtnicxp.sys [50688 2007-07-13] () [File not signed]
S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [288768 2007-12-26] () [File not signed]
S4 sbp2port; C:\Windows\system32\drivers\sbp2port.sys [76392 2006-11-02] () [File not signed]
R2 secdrv; C:\Windows\system32\Drivers\secdrv.sys [20480 2006-11-02] () [File not signed]
S3 Serenum; C:\Windows\system32\drivers\serenum.sys [17920 2006-11-02] () [File not signed]
S3 Serial; C:\Windows\system32\drivers\serial.sys [83456 2006-11-02] () [File not signed]
S4 sermouse; C:\Windows\system32\drivers\sermouse.sys [19968 2008-01-19] () [File not signed]
S4 sffdisk; C:\Windows\system32\drivers\sffdisk.sys [13312 2006-11-02] () [File not signed]
S3 sffp_mmc; C:\Windows\system32\drivers\sffp_mmc.sys [12800 2006-11-02] () [File not signed]
S3 sffp_sd; C:\Windows\system32\drivers\sffp_sd.sys [12800 2006-11-02] () [File not signed]
S4 sfloppy; C:\Windows\system32\drivers\sfloppy.sys [13312 2006-11-02] () [File not signed]
S3 sisagp; C:\Windows\system32\drivers\sisagp.sys [53352 2006-11-02] () [File not signed]
S4 SiSRaid2; C:\Windows\system32\drivers\sisraid2.sys [38504 2006-11-02] () [File not signed]
S4 SiSRaid4; C:\Windows\system32\drivers\sisraid4.sys [71784 2006-11-02] () [File not signed]
R1 Smb; C:\Windows\System32\DRIVERS\smb.sys [66560 2009-04-11] () [File not signed]
R0 spldr; C:\Windows\system32\Drivers\spldr.sys [21048 2008-01-19] () [File not signed]
R3 srv; C:\Windows\System32\DRIVERS\srv.sys [305152 2011-02-18] () [File not signed]
R3 srv2; C:\Windows\System32\DRIVERS\srv2.sys [146432 2011-04-29] () [File not signed]
R3 srvnet; C:\Windows\System32\DRIVERS\srvnet.sys [102400 2011-04-29] () [File not signed]
R3 swenum; C:\Windows\System32\DRIVERS\swenum.sys [15288 2008-01-19] () [File not signed]
S4 Symc8xx; C:\Windows\system32\drivers\symc8xx.sys [35944 2006-11-02] () [File not signed]
S4 Sym_hi; C:\Windows\system32\drivers\sym_hi.sys [31848 2006-11-02] () [File not signed]
S4 Sym_u3; C:\Windows\system32\drivers\sym_u3.sys [34920 2006-11-02] () [File not signed]
R0 Tcpip; C:\Windows\System32\drivers\tcpip.sys [905664 2013-07-05] () [File not signed]
S3 Tcpip6; C:\Windows\System32\DRIVERS\tcpip.sys [905664 2013-07-05] () [File not signed]
R2 tcpipreg; C:\Windows\System32\drivers\tcpipreg.sys [30720 2009-12-08] () [File not signed]
S3 TDPIPE; C:\Windows\System32\drivers\tdpipe.sys [17920 2008-01-19] () [File not signed]
S3 TDTCP; C:\Windows\System32\drivers\tdtcp.sys [29184 2008-01-19] () [File not signed]
R1 tdx; C:\Windows\System32\DRIVERS\tdx.sys [72192 2009-04-11] () [File not signed]
R1 TermDD; C:\Windows\System32\DRIVERS\termdd.sys [53224 2009-04-11] () [File not signed]
S3 tssecsrv; C:\Windows\System32\DRIVERS\tssecsrv.sys [24064 2013-06-15] () [File not signed]
R3 tunmp; C:\Windows\System32\DRIVERS\tunmp.sys [15360 2008-01-19] () [File not signed]
R3 tunnel; C:\Windows\System32\DRIVERS\tunnel.sys [25088 2010-02-18] () [File not signed]
S3 uagp35; C:\Windows\system32\drivers\uagp35.sys [56936 2006-11-02] () [File not signed]
S4 udfs; C:\Windows\System32\DRIVERS\udfs.sys [226816 2009-04-11] () [File not signed]
S3 uliagpkx; C:\Windows\system32\drivers\uliagpkx.sys [58472 2006-11-02] () [File not signed]
S4 uliahci; C:\Windows\system32\drivers\uliahci.sys [235112 2006-11-02] () [File not signed]
S4 UlSata; C:\Windows\system32\drivers\ulsata.sys [98408 2006-11-02] () [File not signed]
S4 ulsata2; C:\Windows\system32\drivers\ulsata2.sys [115816 2006-11-02] () [File not signed]
R3 umbus; C:\Windows\System32\DRIVERS\umbus.sys [34816 2008-01-19] () [File not signed]
S4 usbccgp; C:\Windows\system32\drivers\usbccgp.sys [73216 2006-11-02] () [File not signed]
S4 usbcir; C:\Windows\system32\drivers\usbcir.sys [68608 2006-11-02] () [File not signed]
R3 usbehci; C:\Windows\System32\DRIVERS\usbehci.sys [39936 2011-05-05] () [File not signed]
R3 usbhub; C:\Windows\System32\DRIVERS\usbhub.sys [197632 2013-06-28] () [File not signed]
R3 usbohci; C:\Windows\System32\DRIVERS\usbohci.sys [19456 2011-05-05] () [File not signed]
S3 usbprint; C:\Windows\System32\DRIVERS\usbprint.sys [18944 2008-01-19] () [File not signed]
S3 USBSTOR; C:\Windows\System32\DRIVERS\USBSTOR.SYS [65536 2009-04-11] () [File not signed]
S4 usbuhci; C:\Windows\System32\DRIVERS\usbuhci.sys [22528 2006-11-02] () [File not signed]
S3 vga; C:\Windows\System32\DRIVERS\vgapnp.sys [26112 2006-11-02] () [File not signed]
R1 VgaSave; C:\Windows\System32\drivers\vga.sys [25088 2008-01-19] () [File not signed]
S3 viaagp; C:\Windows\system32\drivers\viaagp.sys [54376 2006-11-02] () [File not signed]
S4 ViaC7; C:\Windows\system32\drivers\viac7.sys [39424 2006-11-02] () [File not signed]
S4 viaide; C:\Windows\system32\drivers\viaide.sys [17512 2006-11-02] () [File not signed]
R0 volmgr; C:\Windows\System32\drivers\volmgr.sys [52792 2008-01-19] () [File not signed]
R0 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [292840 2009-04-11] () [File not signed]
R0 volsnap; C:\Windows\System32\drivers\volsnap.sys [224640 2012-08-21] () [File not signed]
S4 vsmraid; C:\Windows\system32\drivers\vsmraid.sys [112232 2006-11-02] () [File not signed]
S4 WacomPen; C:\Windows\system32\drivers\wacompen.sys [20608 2006-11-02] () [File not signed]
S3 Wanarp; C:\Windows\System32\DRIVERS\wanarp.sys [62464 2008-01-19] () [File not signed]
R1 Wanarpv6; C:\Windows\System32\DRIVERS\wanarp.sys [62464 2008-01-19] () [File not signed]
S4 Wd; C:\Windows\system32\drivers\wd.sys [19560 2006-11-02] () [File not signed]
R0 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [527064 2013-06-26] () [File not signed]
S3 winachsf; C:\Windows\System32\DRIVERS\HSX_CNXT.sys [657920 2006-08-29] () [File not signed]
S4 WmiAcpi; C:\Windows\system32\drivers\wmiacpi.sys [11264 2006-11-02] () [File not signed]
S3 WpdUsb; C:\Windows\System32\DRIVERS\wpdusb.sys [40448 2009-09-30] () [File not signed]
S4 ws2ifsl; C:\Windows\system32\drivers\ws2ifsl.sys [15872 2008-01-19] () [File not signed]
R3 WudfPf; C:\Windows\System32\drivers\WudfPf.sys [66560 2012-07-25] () [File not signed]
S3 WUDFRd; C:\Windows\System32\DRIVERS\WUDFRd.sys [155136 2012-07-25] () [File not signed]
R2 XAudio; C:\Windows\System32\DRIVERS\xaudio.sys [8192 2006-08-04] () [File not signed]
U5 a29e4cd9fcff2094; C:\Windows\System32\Drivers\a29e4cd9fcff2094.sys [65408 2014-05-13] () <===== ATTENTION Necurs Rootkit?
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 lmimirr; system32\DRIVERS\lmimirr.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
U3 mbr; \??\C:\Users\CHRIST~1\AppData\Local\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-07 10:07 - 2014-09-07 10:08 - 00000000 ____D () C:\FRST
2014-09-06 14:30 - 2014-09-06 14:30 - 00000000 ____D () C:\Users\ChristianEd\Documents\SPLASH VBS
2014-08-23 13:48 - 2014-08-23 13:48 - 00688992 _____ (Swearware) C:\Users\ChristianEd\Downloads\dds (1).com
2014-08-23 13:47 - 2014-09-07 10:08 - 00000000 ____D () C:\Users\ChristianEd\Desktop\Cleaning
2014-08-23 13:46 - 2014-08-23 13:46 - 00006867 _____ () C:\Users\ChristianEd\Desktop\dds.txt
2014-08-23 13:46 - 2014-08-23 13:46 - 00004590 _____ () C:\Users\ChristianEd\Desktop\attach.txt
2014-08-23 13:40 - 2014-08-23 13:40 - 06267504 _____ (TeamViewer GmbH) C:\Users\ChristianEd\Downloads\TeamViewer_Setup_en.exe
2014-08-23 13:39 - 2014-08-23 13:39 - 08472669 _____ (alch ) C:\Users\ChristianEd\Downloads\clamwin-0.98.4.1-setup-nodb.exe
2014-08-20 11:11 - 2014-08-20 11:11 - 00115576 _____ () C:\Users\ChristianEd\Downloads\ImageSearch_ui_setup.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-07 10:08 - 2014-09-07 10:07 - 00000000 ____D () C:\FRST
2014-09-07 10:08 - 2014-08-23 13:47 - 00000000 ____D () C:\Users\ChristianEd\Desktop\Cleaning
2014-09-07 10:07 - 2006-11-02 08:45 - 00006336 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-07 10:07 - 2006-11-02 08:45 - 00006336 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-07 09:21 - 2013-02-18 12:05 - 00000896 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-09-07 09:11 - 2012-07-26 11:45 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-07 06:21 - 2013-02-18 12:05 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-07 01:49 - 2006-12-15 08:02 - 02142688 _____ () C:\Windows\WindowsUpdate.log
2014-09-06 18:00 - 2012-09-13 15:29 - 00000452 _____ () C:\Windows\Tasks\SyncBack Document Backup.job
2014-09-06 15:26 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\tracing
2014-09-06 14:37 - 2012-09-11 11:53 - 00000000 ____D () C:\Users\ChristianEd\Documents\SS 2012-13
2014-09-06 14:37 - 2011-03-07 15:57 - 00002609 _____ () C:\Users\ChristianEd\Desktop\Microsoft Office Word 2003.lnk
2014-09-06 14:30 - 2014-09-06 14:30 - 00000000 ____D () C:\Users\ChristianEd\Documents\SPLASH VBS
2014-09-06 14:03 - 2014-04-28 11:55 - 00000000 ____D () C:\Users\ChristianEd\Documents\Admin
2014-08-23 13:48 - 2014-08-23 13:48 - 00688992 _____ (Swearware) C:\Users\ChristianEd\Downloads\dds (1).com
2014-08-23 13:46 - 2014-08-23 13:46 - 00006867 _____ () C:\Users\ChristianEd\Desktop\dds.txt
2014-08-23 13:46 - 2014-08-23 13:46 - 00004590 _____ () C:\Users\ChristianEd\Desktop\attach.txt
2014-08-23 13:42 - 2014-06-18 10:16 - 00000000 ____D () C:\Users\ChristianEd\Documents\SS 2014-15
2014-08-23 13:40 - 2014-08-23 13:40 - 06267504 _____ (TeamViewer GmbH) C:\Users\ChristianEd\Downloads\TeamViewer_Setup_en.exe
2014-08-23 13:40 - 2014-02-02 10:55 - 00000973 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-08-23 13:40 - 2014-01-26 11:51 - 00000000 ____D () C:\Users\ChristianEd\AppData\Roaming\TeamViewer
2014-08-23 13:39 - 2014-08-23 13:39 - 08472669 _____ (alch ) C:\Users\ChristianEd\Downloads\clamwin-0.98.4.1-setup-nodb.exe
2014-08-23 13:39 - 2012-07-26 11:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClamWin Antivirus
2014-08-23 13:39 - 2012-07-26 11:37 - 00000000 ____D () C:\Program Files\ClamWin
2014-08-21 13:51 - 2014-04-28 11:30 - 00000000 ____D () C:\Users\ChristianEd\Documents\Godly Play
2014-08-20 12:51 - 2010-09-20 16:56 - 00000000 ____D () C:\Users\ChristianEd\Documents\SS 2013-14
2014-08-20 11:11 - 2014-08-20 11:11 - 00115576 _____ () C:\Users\ChristianEd\Downloads\ImageSearch_ui_setup.exe
2014-08-11 12:14 - 2007-09-12 10:00 - 00000000 ____D () C:\Users\ChristianEd\Documents\Christmas Bazaar 2013

Files to move or delete:
====================
C:\Users\ChristianEd\AppData\Local\Temp\Poawob\veirqi.exe

Some content of TEMP:
====================
C:\Users\ChristianEd\AppData\Local\Temp\ICReinstall_CodecPack (1).exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys
[2013-03-04 12:06] - [2012-08-21 07:47] - 0224640 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\Windows\system32\Drivers\volsnap.sys No Company Name <===== ATTENTION!

LastRegBack: 2014-05-15 02:13

==================== End Of Log ============================

addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 06-09-2014
Ran by ChristianEd at 2014-09-07 10:08:58
Running from C:\Users\ChristianEd\Desktop\Cleaning
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 14 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader 7.0.8 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A70800000002}) (Version: 7.0.8 - Adobe Systems Incorporated)
ATI Catalyst Control Center Ex (Version: 2.0.2488.36465 - ATI Technologies Inc.) Hidden
ATI Catalyst Install Manager (HKLM\...\{4160DC5B-4C56-D0C3-C5FD-F5BDAD3C882B}) (Version: 3.0.641.0 - ATI Technologies, Inc.)
ClamWin Free Antivirus 0.98.4.1 (HKLM\...\ClamWin Free Antivirus_is1) (Version:  - alch)
Compaq Connections (remove only) (HKLM\...\HPOOVClient-3572475 Uninstaller) (Version:  - )
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
DVD Play (HKLM\...\{45D707E9-F3C4-11D9-A373-0050BAE317E1}) (Version:  - )
Google Chrome (HKLM\...\Google Chrome) (Version: 37.0.2062.103 - Google Inc.)
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
Hardware Diagnostic Tools (HKLM\...\PC-Doctor 5 for Windows) (Version: 5.00.4262.12 - PC-Doctor, Inc.)
HP Customer Experience Enhancements (HKLM\...\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}) (Version: 1.00.0000 - Hewlett-Packard)
HP Customer Feedback (Version: 1.0.0 - Hewlett-Packard) Hidden
HP Easy Setup - Core (HKLM\...\{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}) (Version: 1.00.0000 - Hewlett-Packard)
HP Easy Setup - Frontend (HKLM\...\{40F7AED3-0C7D-4582-99F6-484A515C73F2}) (Version: 5.00.0000 - Hewlett-Packard)
HP Total Care Advisor (HKLM\...\{0373779B-A362-4B2E-B8E9-7442F19F9394}) (Version: 1.0.90 - Hewlett-Packard)
HP Update (HKLM\...\{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}) (Version: 5.003.001.001 - Hewlett-Packard)
LightScribe  1.4.124.1 (Version: 1.4.124.1 - http://www.lightscribe.com) Hidden
LSI PCI Soft Modem (HKLM\...\LSI Soft Modem) (Version: 2.2.98 - LSI Corporation)
Magical Jelly Bean KeyFinder (HKLM\...\KeyFinder_is1) (Version: 2.0.10.9 - Magical Jelly Bean)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Works (HKLM\...\{6D52C408-B09A-4520-9B18-475B81D393F1}) (Version: 08.05.0818 - Microsoft Corporation)
Move Networks Media Player for Internet Explorer (HKCU\...\Move Networks Player - IE) (Version:  - )
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB941833) (HKLM\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
My HP Games (HKLM\...\WildTangent hpdesktop Master Uninstall) (Version: HPCMPQ1505 - WildTangent)
Python 2.4.3 (HKLM\...\{75E71ADD-042C-4F30-BFAC-A9EC42351313}) (Version: 2.4.3150 - Martin v. Löwis)
Realtek AC'97 Audio (HKLM\...\{FB08F381-6533-4108-B7DD-039E11FBC27E}) (Version:  - )
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5322 - Realtek Semiconductor Corp.)
Roxio Creator Audio (HKLM\...\{83FFCFC7-88C6-41c6-8752-958A45325C82}) (Version: 3.3.0 - Roxio)
Roxio Creator Basic v9 (HKLM\...\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}) (Version: 3.3.0 - Roxio)
Roxio Creator Copy (HKLM\...\{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}) (Version: 3.3.0 - Roxio)
Roxio Creator Data (HKLM\...\{0D397393-9B50-4c52-84D5-77E344289F87}) (Version: 3.3.0 - Roxio)
Roxio Creator EasyArchive (HKLM\...\{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}) (Version: 3.3.0 - Roxio)
Roxio Creator Tools (HKLM\...\{0394CDC8-FABD-4ed8-B104-03393876DFDF}) (Version: 3.3.0 - Roxio)
Roxio Express Labeler 3 (HKLM\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 2.1.0 - Roxio)
Soft Data Fax Modem with SmartCP (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1) (Version:  - )
SyncBack (HKLM\...\SyncBack_is1) (Version:  - 2BrightSparks)
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.31064 - TeamViewer)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600217) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2836939) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2836939v3) (Version: 3 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3506291279-3617469437-294698084-1000_Classes\CLSID\{e3e02f12-2adb-478c-8742-5f0819f9f0f4}\InprocServer32 -> C:\Users\ChristianEd\AppData\Roaming\Move Networks\ie_bin\qsp2ie07074039.dll (Move Networks)
CustomCLSID: HKU\S-1-5-21-3506291279-3617469437-294698084-1000_Classes\CLSID\{e473a65c-8087-49a3-affd-c5bc4a10669b}\InprocServer32 -> C:\Users\ChristianEd\AppData\Roaming\Move Networks\ie_bin\qsp2ie07074039.dll (Move Networks)

==================== Restore Points  =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 06:23 - 2006-09-18 17:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {18DFD9FC-082E-4E9B-8285-5F21D2B4EDAE} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {210CC133-2B35-4E1E-98D2-C15ACE4508CE} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\netsh.exe [2006-11-02] (Microsoft Corporation)
Task: {278FBC78-FFAE-4066-9884-FD458710341F} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Signature Update => c:\program files\windows defender\MpCmdRun.exe [2008-01-19] (Microsoft Corporation)
Task: {3A494CF2-0BA8-46EC-BE24-8EE9942F2D8A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-02-18] (Google Inc.)
Task: {5916F864-469C-4391-8604-E4EA141A2699} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-05] ()
Task: {7474FF5E-F893-4EE7-9555-F1EC799D4A1A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-02-18] (Google Inc.)
Task: {7AA47DED-D735-488D-B7C8-0AC0EC7F44C1} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-07-08] (Adobe Systems Incorporated)
Task: {8B0E6FAB-F43A-4988-AF0A-A21646C212F0} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {9ED703A9-5FFD-40D5-895A-4385EE1509DE} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-19] (Microsoft Corporation)
Task: {A7DF96FF-EDE8-49FD-9680-995800C0AFE3} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP => C:\Windows\servicing\vsp1ceip.exe [2008-01-19] (Microsoft Corporation)
Task: {AD65CB6F-2B29-4883-85F4-17B015005C8C} - System32\Tasks\SyncBack Document Backup => C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe [2010-11-08] (2BrightSparks)
Task: {C9ABD443-CAA0-4AEC-84AA-F3E3EB466352} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\SyncBack Document Backup.job => C:\Program Files\2BrightSparks\SyncBackChristianEdTask created by SyncBack.exe

==================== Loaded Modules (whitelisted) =============

2013-04-09 14:28 - 2013-03-08 23:45 - 00049152 _____ () C:\Windows\system32\CSRSRV.dll
2006-11-02 06:25 - 2007-06-13 20:18 - 00159744 _____ () C:\Windows\system32\atitmmxx.dll
2012-07-26 11:37 - 2008-04-19 16:35 - 00081920 _____ () C:\Program Files\ClamWin\bin\ExpShell.dll
2014-05-13 14:11 - 2014-05-13 14:11 - 00104448 _____ () C:\Users\ChristianEd\AppData\Local\{4FA1F08B-2204-1359-EFE9-9B83CFD48EA7}\syshost.exe
2006-12-11 16:31 - 2006-12-11 16:31 - 00061496 _____ () C:\Program Files\Compaq Connections\3572475\6.3.2.139-3572475\Program\clntutil.dll
2006-12-11 16:31 - 2006-12-11 16:31 - 00151589 _____ () C:\Program Files\Compaq Connections\3572475\6.3.2.139-3572475\Program\BWfiles.dll
2006-12-11 16:31 - 2006-12-11 16:31 - 00098339 _____ () C:\Program Files\Compaq Connections\3572475\6.3.2.139-3572475\Program\frext.dll
2006-12-11 16:31 - 2006-12-11 16:31 - 00135168 _____ () C:\Program Files\Compaq Connections\3572475\Program\HPClientExt.dll
2006-11-02 06:25 - 2007-06-13 19:55 - 03773952 _____ () C:\Windows\system32\atiumdva.dll
2012-07-26 11:37 - 2005-02-08 16:23 - 00979005 _____ () C:\Program Files\ClamWin\bin\python23.dll
2012-07-26 11:37 - 2004-11-20 02:27 - 00069632 _____ () C:\Program Files\ClamWin\lib\win32api.pyd
2012-07-26 11:37 - 2004-10-11 19:21 - 00094208 _____ () C:\Program Files\ClamWin\lib\pywintypes23.dll
2012-07-26 11:37 - 2004-05-25 20:18 - 00057401 _____ () C:\Program Files\ClamWin\lib\_sre.pyd
2012-07-26 11:37 - 2004-11-20 02:27 - 00086016 _____ () C:\Program Files\ClamWin\lib\win32gui.pyd
2012-07-26 11:37 - 2004-11-20 02:27 - 00024576 _____ () C:\Program Files\ClamWin\lib\win32event.pyd
2012-07-26 11:37 - 2004-11-20 02:27 - 00036864 _____ () C:\Program Files\ClamWin\lib\win32process.pyd
2012-07-26 11:37 - 2004-05-25 20:18 - 00049212 _____ () C:\Program Files\ClamWin\lib\_socket.pyd
2012-07-26 11:37 - 2004-05-25 20:18 - 00495616 _____ () C:\Program Files\ClamWin\lib\_ssl.pyd
2012-07-26 11:37 - 2004-05-25 20:20 - 00036864 _____ () C:\Program Files\ClamWin\lib\_winreg.pyd
2012-07-26 11:37 - 2004-10-11 19:22 - 00315392 _____ () C:\Program Files\ClamWin\lib\pythoncom23.dll
2012-07-26 11:37 - 2004-11-20 02:27 - 00106496 _____ () C:\Program Files\ClamWin\lib\shell.pyd
2012-07-26 11:37 - 2004-11-20 02:27 - 00065536 _____ () C:\Program Files\ClamWin\lib\win32security.pyd
2012-07-26 11:37 - 2004-01-15 13:45 - 00061440 _____ () C:\Program Files\ClamWin\lib\_ctypes.pyd
2012-07-26 11:37 - 2004-11-20 02:27 - 00077824 _____ () C:\Program Files\ClamWin\lib\win32file.pyd
2012-07-26 11:37 - 2004-11-20 02:27 - 00024576 _____ () C:\Program Files\ClamWin\lib\win32pipe.pyd
2012-07-26 11:37 - 2003-10-01 12:40 - 02240512 _____ () C:\Program Files\ClamWin\lib\wxc.pyd
2012-07-26 11:37 - 2003-10-01 10:43 - 03239936 _____ () C:\Program Files\ClamWin\lib\wxmsw24h.dll
2012-07-26 11:37 - 2003-08-10 08:14 - 00061440 _____ () C:\Program Files\ClamWin\lib\mxDateTime.pyd
2012-07-26 11:37 - 2004-05-25 20:17 - 00622651 _____ () C:\Program Files\ClamWin\lib\_bsddb.pyd
2012-07-26 11:37 - 2004-05-25 20:19 - 00045117 _____ () C:\Program Files\ClamWin\lib\datetime.pyd

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (09/07/2014 10:09:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error CreateFileW(\\?\Volume{4ff7e406-8c33-11db-994d-806e6f6e6963},0x80000000,0x00000003,...).  hr = 0x80070005.

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider

Error: (09/07/2014 10:09:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error CreateFileW(\\?\Volume{4ff7e406-8c33-11db-994d-806e6f6e6963},0x80000000,0x00000003,...).  hr = 0x80070005.

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider

Error: (09/07/2014 10:09:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error CreateFileW(\\?\Volume{4ff7e406-8c33-11db-994d-806e6f6e6963},0x80000000,0x00000003,...).  hr = 0x80070005.

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider

Error: (09/07/2014 10:09:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error CreateFileW(\\?\Volume{4ff7e406-8c33-11db-994d-806e6f6e6963},0x80000000,0x00000003,...).  hr = 0x80070005.

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider

Error: (08/21/2014 01:55:57 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program OUTLOOK.EXE version 11.0.8326.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 1690
Start Time: 01cfbd68f43c89b7
Termination Time: 47

Error: (08/06/2014 03:16:38 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <MAPI://{S-1-5-21-3506291279-3617469437-294698084-1000}/PERSONAL FOLDERS($52C132D5)/X/OUTBOX/가가가가갭걽갸걙곃겯격걎겜걱곪걮갤겸걢겂곤갞갢가> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)

Error: (08/06/2014 03:16:38 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <MAPI://{S-1-5-21-3506291279-3617469437-294698084-1000}/PERSONAL FOLDERS($52C132D5)/X/OUTBOX/가가가가갭걽갸걙곃겯격걎겜걱곪걮갤겸걢겂곤갞갢가> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)

Error: (06/30/2014 11:10:04 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application chrome.exe, version 35.0.1916.153, time stamp 0x538fb354, faulting module ole32.dll, version 6.0.6002.18277, time stamp 0x4c28d53e, exception code 0xc00000fd, fault offset 0x00023ebd,
process id 0x30c, application start time 0xchrome.exe0.

Error: (05/30/2014 11:10:58 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <MAPI://{S-1-5-21-3506291279-3617469437-294698084-1000}/PERSONAL FOLDERS($52C132D5)/X/OUTBOX/가가가가갭걽갸걙곃겯격걎겜걱곪걮갤겸걢겂겤갍갢가> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)

Error: (05/30/2014 11:10:58 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <MAPI://{S-1-5-21-3506291279-3617469437-294698084-1000}/PERSONAL FOLDERS($52C132D5)/X/OUTBOX/가가가가갭걽갸걙곃겯격걎겜걱곪걮갤겸걢겂겤갍갢가> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)

System errors:
=============
Error: (05/25/2014 10:09:29 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Driver Foundation - User-mode Driver Framework11200001Restart the service

Error: (05/25/2014 10:09:29 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Portable Device Enumerator Service11200001Restart the service

Error: (05/25/2014 10:09:29 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: WLAN AutoConfig11200001Restart the service

Error: (05/25/2014 10:09:29 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Diagnostic System Host1

Error: (05/25/2014 10:09:28 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Desktop Window Manager Session Manager11200001Restart the service

Error: (05/25/2014 10:09:28 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Distributed Link Tracking Client11200001Restart the service

Error: (05/25/2014 10:09:28 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Tablet PC Input Service1600001Restart the service

Error: (05/25/2014 10:09:28 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Superfetch1600001Restart the service

Error: (05/25/2014 10:09:28 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Program Compatibility Assistant Service1600001Restart the service

Error: (05/25/2014 10:09:28 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Network Connections11001Restart the service

Microsoft Office Sessions:
=========================
Error: (09/07/2014 10:09:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: CreateFileW(\\?\Volume{4ff7e406-8c33-11db-994d-806e6f6e6963},0x80000000,0x00000003,...)0x80070005

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider

Error: (09/07/2014 10:09:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: CreateFileW(\\?\Volume{4ff7e406-8c33-11db-994d-806e6f6e6963},0x80000000,0x00000003,...)0x80070005

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider

Error: (09/07/2014 10:09:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: CreateFileW(\\?\Volume{4ff7e406-8c33-11db-994d-806e6f6e6963},0x80000000,0x00000003,...)0x80070005

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider

Error: (09/07/2014 10:09:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: CreateFileW(\\?\Volume{4ff7e406-8c33-11db-994d-806e6f6e6963},0x80000000,0x00000003,...)0x80070005

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider

Error: (08/21/2014 01:55:57 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: OUTLOOK.EXE11.0.8326.0169001cfbd68f43c89b747

Error: (08/06/2014 03:16:38 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)
MAPI://{S-1-5-21-3506291279-3617469437-294698084-1000}/PERSONAL FOLDERS($52C132D5)/X/OUTBOX/가가가가갭걽갸걙곃겯격걎겜걱곪걮갤겸걢겂곤갞갢가

Error: (08/06/2014 03:16:38 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)
MAPI://{S-1-5-21-3506291279-3617469437-294698084-1000}/PERSONAL FOLDERS($52C132D5)/X/OUTBOX/가가가가갭걽갸걙곃겯격걎겜걱곪걮갤겸걢겂곤갞갢가

Error: (06/30/2014 11:10:04 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe35.0.1916.153538fb354ole32.dll6.0.6002.182774c28d53ec00000fd00023ebd30c01cf9474ed812a87

Error: (05/30/2014 11:10:58 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)
MAPI://{S-1-5-21-3506291279-3617469437-294698084-1000}/PERSONAL FOLDERS($52C132D5)/X/OUTBOX/가가가가갭걽갸걙곃겯격걎겜걱곪걮갤겸걢겂겤갍갢가

Error: (05/30/2014 11:10:58 AM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: Context:  Application, SystemIndex Catalog

Details:
 A device attached to the system is not functioning.   (0x8007001f)
MAPI://{S-1-5-21-3506291279-3617469437-294698084-1000}/PERSONAL FOLDERS($52C132D5)/X/OUTBOX/가가가가갭걽갸걙곃겯격걎겜걱곪걮갤겸걢겂겤갍갢가

CodeIntegrity Errors:
===================================
  Date: 2013-03-03 10:30:49.281
  Description: N/A

  Date: 2013-03-03 10:30:49.095
  Description: N/A

  Date: 2013-03-03 10:30:48.905
  Description: N/A

  Date: 2013-03-03 10:30:48.731
  Description: N/A

  Date: 2013-03-03 10:30:48.501
  Description: N/A

  Date: 2011-05-10 12:13:23.531
  Description: N/A

  Date: 2011-05-10 12:13:23.318
  Description: N/A

  Date: 2011-05-10 12:13:23.158
  Description: N/A

  Date: 2011-05-10 12:13:22.957
  Description: N/A

  Date: 2010-10-10 09:29:59.696
  Description: N/A

==================== Memory info ===========================

Processor: AMD Sempron™ Processor 3200+
Percentage of memory in use: 65%
Total physical RAM: 2493.84 MB
Available physical RAM: 862.48 MB
Total Pagefile: 5240.49 MB
Available Pagefile: 3655.21 MB
Total Virtual: 2047.88 MB
Available Virtual: 1899.13 MB

==================== Drives ================================

Drive c: (COMPAQ) (Fixed) (Total:106.03 GB) (Free:66.25 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Recovery) (Fixed) (Total:5.76 GB) (Free:0.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: () (Fixed) (Total:74.52 GB) (Free:52.67 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 74.5 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=74.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 111.8 GB) (Disk ID: 872802A8)
Partition 1: (Active) - (Size=106 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=5.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

Virus Total link:

 

 https://www.virustotal.com/en/file/a8dc07c7faa62aad895dfd7615ddf22112321205951c34b1507f6f9f7e8406b6/analysis/1410099280/

 

Thanks




#5 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:11:03 PM

Posted 07 September 2014 - 10:02 AM

Hello Simon Mason,

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, do not press the Clean up button; please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#6 Simon Mason

Simon Mason
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 07 September 2014 - 11:36 AM

mbar:

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org

Database version: v2014.09.07.02

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
ChristianEd :: CHRISTIANED-PC [administrator]

9/7/2014 11:18:21 AM
mbar-log-2014-09-07 (11-18-21).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 309068
Time elapsed: 19 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKU\S-1-5-21-3506291279-3617469437-294698084-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Veirqi (Spyware.Zbot) -> Data: C:\Users\ChristianEd\AppData\Local\Temp\Poawob\veirqi.exe -> No action taken. [39604f7a90eb6dc975120684a45ddc24]
HKU\S-1-5-21-3506291279-3617469437-294698084-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|syshost32 (Rootkit.Necurs.ED) -> Data: C:\Users\ChristianEd\AppData\Local\{4FA1F08B-2204-1359-EFE9-9B83CFD48EA7}\syshost.exe -> No action taken. [6039cffafe7d45f1b9f694f6f50c06fa]

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\SYSTEM32\drivers\a29e4cd9fcff2094.sys (Rootkit.Necurs) -> No action taken. [ee0d14ea2dbfb0864b9f518d1eb923b4]
c:\Users\ChristianEd\AppData\Local\Temp\Poawob\veirqi.exe (Spyware.Zbot) -> No action taken. [39604f7a90eb6dc975120684a45ddc24]
C:\Users\ChristianEd\AppData\Local\{4FA1F08B-2204-1359-EFE9-9B83CFD48EA7}\syshost.exe (Rootkit.Necurs.ED) -> No action taken. [6039cffafe7d45f1b9f694f6f50c06fa]

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

adware:

 

# AdwCleaner v3.309 - Report created 07/09/2014 at 12:32:55
# Updated 02/09/2014 by Xplode
# Operating System : Windows Vista ™ Home Basic Service Pack 2 (32 bits)
# Username : ChristianEd - CHRISTIANED-PC
# Running from : C:\Users\ChristianEd\Desktop\Cleaning\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\eb3e3539b5fc9d5f
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\S

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16545

-\\ Google Chrome v37.0.2062.103

[ File : C:\Users\ChristianEd\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Found [Search Provider] : hxxp://search.tb.ask.com/search/GGmain.jhtml?searchfor={searchTerms}&st=kwd&ptb=426A42F7-D677-46DE-8769-C01036552EE6&n=780b833b&ind=2014020411&p2=^HI^xdm003^YYA^us&si=CJiu-NvusrwCFW3NOgodlzkA3w

*************************

AdwCleaner[R0].txt - [1379 octets] - [07/09/2014 12:32:55]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1439 octets] ##########



#7 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:11:03 PM

Posted 07 September 2014 - 11:48 AM

Hello Simon Mason,

There are an info stealer and a rootkit on this PC.

Run Malwarebytes Anti-Rootkit again: Right-click mbar.exe and select Run As Administrator
  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Then please go to the MBAR folder and copy/paste the contents of the MBAR-log-***.txt file to your next reply.
If there is no malware found, please let me know as well.

 

***


Download ComboFix from the following location:
Link

* IMPORTANT- Save ComboFix.exe to your Desktop
 

***


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link:
How to Disable your Security Programs


***


Double click on combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
Enable your antivirus!
 

* Post 3*


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#8 Simon Mason

Simon Mason
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 09 September 2014 - 01:25 PM

MBAR:

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org

Database version: v2014.09.08.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
ChristianEd :: CHRISTIANED-PC [administrator]

9/8/2014 5:16:54 PM
mbar-log-2014-09-08 (17-16-54).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 309932
Time elapsed: 16 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKU\S-1-5-21-3506291279-3617469437-294698084-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Veirqi (Spyware.Zbot) -> Data: C:\Users\ChristianEd\AppData\Local\Temp\Poawob\veirqi.exe -> Delete on reboot. [f3a670599cdf3204379ed5b522df946c]
HKU\S-1-5-21-3506291279-3617469437-294698084-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|syshost32 (Rootkit.Necurs.ED) -> Data: C:\Users\ChristianEd\AppData\Local\{4FA1F08B-2204-1359-EFE9-9B83CFD48EA7}\syshost.exe -> Delete on reboot. [4a4fb1180f6c77bf31cc0288b94859a7]

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\SYSTEM32\drivers\a29e4cd9fcff2094.sys (Rootkit.Necurs) -> Delete on reboot. [ee0d14ea2dbfb0864b9f518d1eb923b4]
c:\Users\ChristianEd\AppData\Local\Temp\Poawob\veirqi.exe (Spyware.Zbot) -> Delete on reboot. [f3a670599cdf3204379ed5b522df946c]
C:\Users\ChristianEd\AppData\Local\{4FA1F08B-2204-1359-EFE9-9B83CFD48EA7}\syshost.exe (Rootkit.Necurs.ED) -> Delete on reboot. [4a4fb1180f6c77bf31cc0288b94859a7]

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

Combofix:

ComboFix 14-09-09.01 - ChristianEd 09/08/2014  19:39:27.1.1 - x86
Microsoft® Windows Vista™ Home Basic   6.0.6002.2.1252.1.1033.18.2494.1670 [GMT -4:00]
Running from: c:\users\ChristianEd\Desktop\Cleaning\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\security\Database\tmp.edb
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-09 to 2014-09-09  )))))))))))))))))))))))))))))))
.
.
2014-09-08 23:46 . 2014-09-08 23:46 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2014-09-08 23:46 . 2014-09-08 23:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-07 16:33 . 2010-08-30 12:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
2014-09-07 16:32 . 2014-09-07 16:34 -------- d-----w- C:\AdwCleaner
2014-09-07 15:18 . 2014-09-07 15:18 -------- d-----w- c:\programdata\Malwarebytes
2014-09-07 15:17 . 2014-09-09 17:54 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-09-07 15:14 . 2014-09-08 21:16 113880 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-07 15:11 . 2014-09-08 19:40 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-07 14:07 . 2014-09-07 14:10 -------- d-----w- C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-08 19:12 . 2012-07-26 15:44 699056 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-07-08 19:12 . 2011-08-18 18:19 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-12 90112]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2006-11-08 81920]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2014-08-07 86016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-25 44136]
.
c:\users\ChristianEd\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Launch Microsoft Office Outlook.lnk - c:\program files\Microsoft Office\OFFICE11\OUTLOOK.EXE  /recycle [2010-6-23 196440]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe -startup [2006-12-11 34520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ    PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-03 19:21 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.103\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-26 19:12]
.
2014-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-18 16:05]
.
2014-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-02-18 16:05]
.
2014-09-08 c:\windows\Tasks\SyncBack Document Backup.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2012-09-13 19:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.stpaulschatham.org/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALuNotify.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-09-09 13:57
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3216)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\TeamViewer\Version9\TeamViewer_Service.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\TeamViewer\Version9\TeamViewer.exe
c:\windows\system32\conime.exe
c:\program files\TeamViewer\Version9\tv_w32.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\SLUI.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2014-09-09  14:02:56 - machine was rebooted
ComboFix-quarantined-files.txt  2014-09-09 18:02
.
Pre-Run: 67,623,194,624 bytes free
Post-Run: 67,816,648,704 bytes free
.
- - End Of File - - 9A09BAFE946C9066A2487610B6620F2C
8913823FF508CCF109DB74B636C301DA
 



#9 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:11:03 PM

Posted 09 September 2014 - 02:39 PM

Hello Simon Mason,

Please download Farbar Service Scanner and run it on the computer with the issue.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Make sure "Include All Files" option remains checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

***


On your Desktop:
Now please go to the MBAR folder and then run the "fixdamage.exe" tool that's inside the mbar\plugins\ sub-folder.

Restart the system after running fixdamage.

Run Farbar Service Scanner again and post the log.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#10 Simon Mason

Simon Mason
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 11 September 2014 - 06:29 AM

I do not see an option for include all files on fss when running it as administrator.  When I ran the scan I checked all of the boxes on the first screen in the hopes that this would achieve the desired outcome.

 

Here is the first fss log:

 

Farbar Service Scanner Version: 21-07-2014
Ran by ChristianEd (administrator) on 11-09-2014 at 07:13:48
Running from "C:\Users\ChristianEd\Desktop\Cleaning"
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcsvc.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed

**** End of log ****

 

and here is the second log:

 

Farbar Service Scanner Version: 21-07-2014
Ran by ChristianEd (administrator) on 11-09-2014 at 07:25:00
Running from "C:\Users\ChristianEd\Desktop\Cleaning"
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcsvc.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed

**** End of log ****



#11 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:11:03 PM

Posted 11 September 2014 - 06:33 AM

Hello Simon Mason,
 

HKU\S-1-5-21-3506291279-3617469437-294698084-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Veirqi (Spyware.Zbot) -> Data: C:\Users\ChristianEd\AppData\Local\Temp\Poawob\veirqi.exe -> No action taken. [39604f7a90eb6dc975120684a45ddc24]
HKU\S-1-5-21-3506291279-3617469437-294698084-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|syshost32 (Rootkit.Necurs.ED) -> Data: C:\Users\ChristianEd\AppData\Local\{4FA1F08B-2204-1359-EFE9-9B83CFD48EA7}\syshost.exe -> No action taken.


Your computer appears to have been infected by malware with a backdoor (Zbot + Necurs-Rootkit). These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

If you wish to reformat, then please let me know in your next response. I'll now continue with instructions for cleaning.
 

***


Source: what-is-a-backdoor-trojan

Important: Warning about the threats, which a backdoor Trojan brings with it:
  • Uses your system and Internet connection to send spam (yes, the majority of spam is now generated by infected systems).
  • Steals your online and offline passwords, credit card numbers, address, phone number, and other information stored on your computer that could be used for identity theft, or other financial fraud.
  • Logs your activity, reads email, views and downloads contents of documents, pictures, videos and other private data.
  • Uses your computer and Internet connection, in conjunction with others to launch Distributed Denial of Service (DDoS) attacks.
  • Modifies system files, disables antivirus, deletes files, changes system settings, to cover tracks, or just to wreak havoc.

***



Do you see such strange items in your email outbox:

OUTBOX/가가가가갭걽갸걙곃겯격걎겜걱곪걮갤겸걢겂곤갞갢가

Error: (08/06/2014 03:16:38 PM) (Source: Windows Search Service) (EventID: 3013) (User: )
Description: The entry <MAPI://{S-1-5-21-3506291279-3617469437-294698084-1000}/PERSONAL FOLDERS($52C132D5)/X/OUTBOX/가가가가갭걽갸걙곃겯격걎겜걱곪걮갤겸걢겂곤갞갢가> in the hash map cannot be updated.


Which email program do you use?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#12 Simon Mason

Simon Mason
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 11 September 2014 - 06:45 AM

The only thing used on this computer was email and word processing.  The malware apparently used the computer to send spam through the email account installed in Outlook.

 

We deleted the email account on the server and changed the password.  If I understand correctly there is a possibility that the malware is still in the computer and could take control of the email again?  If so, we will monitor that and if it happens we will format the computer.  Does that make sense?



#13 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:11:03 PM

Posted 11 September 2014 - 06:52 AM

Hello Simon Mason,

OK, this makes sense!

Now let's see whether MBAR and CF stopped the Necurs malware:

Please download and run this tool: http://download.eset.com/special/ESETNecursCleaner.exe
Tell me if Necurs was detected or not.
 

***


Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • When the scan has finished, the actual line should say "Pending. Please uncheck elements you do not want to remove". Look through the scan results and uncheck any entries that you do not wish to remove.
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


Please download Junkware Removal Tool from HERE and save it to your desktop.
Shut down your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Run the Farbar Recovery Scan Tool again.
  • Double-click to run FRST / FRST64. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

***


How is the computer running now?


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#14 Jo*

Jo*

  • Malware Response Team
  • 3,453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:11:03 PM

Posted 24 September 2014 - 12:35 PM


Hi,

It has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Threads will be closed if no response after 3 days.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#15 Simon Mason

Simon Mason
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 25 September 2014 - 03:48 AM

Thank you, please go ahead and close the topic.  I was able to clean the computer following all of your instructions.  However, as luck would have it, we were able to move another newer computer to this user in the church.  So I will now be formatting this computer just in case any residual infection remains, per your instructions.  Thank you again for all of your help.
