multiple instances of iexplore.exe in task manager


21 replies to this topic

#1 msquared (Members, 11 posts)

Posted 03 September 2014 - 10:51 PM

My wife's laptop is running Windows 7 and IE 11 and had multiple types of malware on it. I ran a bunch of stuff and got rid of everything save one issue. It continues to run multiple instances of iexplore in the task manager ("processes" tab), even if I never open IE myself. I can boot up, go right into task manager without starting any applications, and watch several instances self-initiate. It usually levels out at four instances and can use up 500-600K of memory added together.

I have run: adwcleaner, avast, combofix, Farbar Service Scanner, Junk Removal Tool, Malwarebytes, OTC.exe, OTL.exe, TempFileCleaner, rkill (followed by malwarebytes), tdsskiller (also followed by malwarebytes). I also ran ComboFix a few days ago, before I saw that I shouldn't. I have run these both from the regular Windows logon as well as from Safe Mode. I cannot seem to get rid of these iexplore instances. I have the Windows Firewall turned on.

 

DDS log (attach.txt is attached as directed in instructions):

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17239
Run by Cindy at 22:44:42 on 2014-09-03
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2940.1689 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\StikyNot.exe
C:\Windows\System32\regsvr32.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: {548f6736-8fe4-4680-82f2-170d6c07e1d2} - <orphaned>
uURLSearchHooks: {f92a9fe4-2850-4198-b9d5-279880e49b16} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [Adworks] regsvr32.exe c:\users\cindy\appdata\local\adworks\ASMweld217A.dll
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
StartupFolder: c:\users\cindy\appdata\roaming\micros~1\windows\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
uPolicies-Explorer: TaskbarNoNotification = dword:1
uPolicies-Explorer: HideSCAHealth = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: TaskbarNoNotification = dword:1
mPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: EnableVirtualization = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Burger%20Shop/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.winkflash.com/photo/loaders/ImageUploader5.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://samsclubus.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Burger%20Shop/Images/armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.disneyphotopass.com/software/ImageUploader4.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{0F5E6ADD-EE5B-4EB5-8C3D-8A979B505B2A} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{0F5E6ADD-EE5B-4EB5-8C3D-8A979B505B2A}\2375942554138363 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{0F5E6ADD-EE5B-4EB5-8C3D-8A979B505B2A}\247524279736563416E697F6E6 : DHCPNameServer = 8.8.8.8 8.8.4.4
TCP: Interfaces\{0F5E6ADD-EE5B-4EB5-8C3D-8A979B505B2A}\45F677E65607C6163656 : DHCPNameServer = 192.168.100.1 8.8.8.8
TCP: Interfaces\{0F5E6ADD-EE5B-4EB5-8C3D-8A979B505B2A}\84F4D454D233836423 : DHCPNameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{0F5E6ADD-EE5B-4EB5-8C3D-8A979B505B2A}\8686F6E6F62737 : DHCPNameServer = 100.46.160.1 64.134.255.2 64.134.255.10
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
============= SERVICES / DRIVERS ===============
.
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-11-5 376832]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-8-28 108032]
S3 RT-USB;Ross-Tech USB driver;c:\windows\system32\drivers\RT-USB.SYS [2010-6-16 59464]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-1 52224]
S3 VAGUSB;VAGUSB.SYS USB Driver;c:\windows\system32\drivers\VAGUSB.sys [2005-12-15 34639]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-28 1343400]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
.
=============== Created Last 30 ================
.
2014-09-04 02:17:30 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-04 02:17:30 699568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-09-04 01:56:26 -------- d-----w- c:\windows\pss
2014-09-04 01:44:01 -------- d-----w- c:\users\cindy\appdata\roaming\Process Hacker 2
2014-09-04 00:42:47 -------- d-----w- c:\program files\Trend Micro
2014-09-03 02:34:43 8581864 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{aa8da57c-bb3b-48eb-ac15-9982f8567727}\mpengine.dll
2014-08-28 12:41:32 -------- d-sh--w- c:\users\cindy\appdata\local\EmieUserList
2014-08-28 12:41:32 -------- d-sh--w- c:\users\cindy\appdata\local\EmieSiteList
2014-08-28 07:12:44 -------- d-s---w- c:\windows\system32\CompatTel
2014-08-28 06:41:12 -------- d-----w- c:\windows\Migration
2014-08-28 06:18:55 99480 ----a-w- c:\windows\system32\infocardapi.dll
2014-08-28 06:18:52 8856 ----a-w- c:\windows\system32\icardres.dll
2014-08-28 06:18:48 619672 ----a-w- c:\windows\system32\icardagt.exe
2014-08-28 06:18:46 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
2014-08-28 06:13:25 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2014-08-28 06:13:24 164864 ----a-w- c:\program files\windows media player\wmplayer.exe
2014-08-28 04:52:25 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2014-08-28 04:52:25 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2014-08-28 04:52:25 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2014-08-28 04:52:25 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2014-08-28 04:52:24 417792 ----a-w- c:\windows\system32\WMPhoto.dll
2014-08-28 04:52:02 301568 ----a-w- c:\windows\system32\msieftp.dll
2014-08-28 04:50:49 141824 ----a-w- c:\windows\system32\wscript.exe
2014-08-28 04:50:49 121856 ----a-w- c:\windows\system32\wshom.ocx
2014-08-28 04:50:48 163840 ----a-w- c:\windows\system32\scrrun.dll
2014-08-28 04:50:48 126976 ----a-w- c:\windows\system32\cscript.exe
2014-08-28 04:50:46 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-28 04:50:46 2352640 ----a-w- c:\windows\system32\win32k.sys
2014-08-28 04:50:43 185344 ----a-w- c:\windows\system32\wwansvc.dll
2014-08-28 04:50:41 234432 ----a-w- c:\windows\system32\drivers\msiscsi.sys
2014-08-28 04:50:40 27072 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2014-08-28 04:50:40 2048 ----a-w- c:\windows\system32\iologmsg.dll
2014-08-28 04:50:40 149440 ----a-w- c:\windows\system32\drivers\storport.sys
2014-08-28 04:49:52 2048 ----a-w- c:\windows\system32\tzres.dll
2014-08-28 04:49:36 868864 ----a-w- c:\program files\common files\microsoft shared\ink\tipskins.dll
2014-08-28 04:49:36 399360 ----a-w- c:\program files\common files\microsoft shared\ink\tabskb.dll
2014-08-28 04:49:35 646144 ----a-w- c:\windows\system32\osk.exe
2014-08-28 04:49:35 544768 ----a-w- c:\program files\common files\microsoft shared\ink\TipRes.dll
2014-08-28 04:49:35 348672 ----a-w- c:\program files\common files\microsoft shared\ink\tiptsf.dll
2014-08-28 04:49:35 181760 ----a-w- c:\program files\common files\microsoft shared\ink\TabTip.exe
2014-08-28 04:49:35 104448 ----a-w- c:\program files\common files\microsoft shared\ink\TipBand.dll
2014-08-28 04:49:31 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-08-28 04:47:34 412160 ----a-w- c:\windows\system32\aepdu.dll
2014-08-28 04:47:33 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-08-28 04:47:30 3419136 ----a-w- c:\windows\system32\d2d1.dll
2014-08-28 04:47:30 1987584 ----a-w- c:\windows\system32\d3d10warp.dll
2014-08-28 04:43:16 626688 ----a-w- c:\windows\system32\usp10.dll
2014-08-28 04:43:14 679424 ----a-w- c:\windows\system32\IKEEXT.DLL
2014-08-28 04:43:13 656896 ----a-w- c:\windows\system32\nshwfp.dll
2014-08-28 04:43:13 216576 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2014-08-28 04:43:10 381440 ----a-w- c:\windows\system32\wer.dll
2014-08-28 04:43:01 1168384 ----a-w- c:\windows\system32\crypt32.dll
2014-08-28 04:42:10 76288 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2014-08-28 04:42:10 43520 ----a-w- c:\windows\system32\drivers\usbehci.sys
2014-08-28 04:42:10 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2014-08-28 04:42:10 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2014-08-28 04:42:10 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2014-08-28 04:42:09 6016 ----a-w- c:\windows\system32\drivers\usbd.sys
2014-08-28 04:42:09 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2014-08-28 04:41:50 594944 ----a-w- c:\windows\system32\RMActivate_isv.exe
2014-08-28 04:41:50 572416 ----a-w- c:\windows\system32\RMActivate.exe
2014-08-28 04:41:50 508928 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2014-08-28 04:41:49 87040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2014-08-28 04:41:49 87040 ----a-w- c:\windows\system32\secproc_ssp.dll
2014-08-28 04:41:49 510976 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2014-08-28 04:41:49 428032 ----a-w- c:\windows\system32\secproc.dll
2014-08-28 04:41:49 423936 ----a-w- c:\windows\system32\secproc_isv.dll
2014-08-28 04:41:49 390144 ----a-w- c:\windows\system32\msdrm.dll
2014-08-28 04:33:57 67520 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2014-08-28 04:33:57 369848 ----a-w- c:\windows\system32\drivers\cng.sys
2014-08-28 04:33:57 136640 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-08-28 04:33:57 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-08-28 04:33:56 22528 ----a-w- c:\windows\system32\lsass.exe
2014-08-28 04:33:56 22016 ----a-w- c:\windows\system32\secur32.dll
2014-08-28 04:33:56 15872 ----a-w- c:\windows\system32\sspisrv.dll
2014-08-28 04:33:56 100352 ----a-w- c:\windows\system32\sspicli.dll
2014-08-28 04:18:45 -------- d-----w- c:\users\cindy\appdata\local\temp
2014-08-28 04:18:04 -------- d-sh--w- C:\$RECYCLE.BIN
2014-08-28 04:15:27 2425856 ----a-w- c:\windows\system32\wucltux.dll
2014-08-28 04:14:49 92672 ----a-w- c:\windows\system32\wudriver.dll
2014-08-28 04:14:29 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-08-28 04:14:29 179656 ----a-w- c:\windows\system32\wuwebv.dll
2014-08-28 03:05:57 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-08-28 01:56:26 33512 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-08-28 01:56:24 -------- d-----w- c:\programdata\RogueKiller
2014-08-28 01:11:01 -------- d-----w- c:\windows\ERUNT
2014-08-28 01:05:28 -------- d-----w- C:\AdwCleaner
2014-08-15 04:04:02 -------- d-----w- c:\users\cindy\appdata\roaming\Awunsia
2014-08-14 18:57:11 -------- d-----w- c:\users\cindy\appdata\roaming\Xeequnf
2014-08-13 22:06:33 -------- d-----w- c:\users\cindy\appdata\roaming\Efgabyno
2014-08-12 18:01:48 -------- d-----w- c:\users\cindy\appdata\roaming\Ovmyivtu
2014-08-12 13:59:47 -------- d-----w- c:\users\cindy\appdata\roaming\Zaydcom
2014-08-10 01:53:53 -------- d-----w- c:\users\cindy\appdata\roaming\Xorako
2014-08-10 00:56:54 -------- d-----w- c:\users\cindy\appdata\roaming\Ekacizk
2014-08-09 18:01:02 -------- d-----w- c:\users\cindy\appdata\roaming\Fyyqeko
2014-08-09 05:19:45 -------- d-----w- c:\users\cindy\appdata\roaming\Usyrzec
.
==================== Find3M  ====================
.
2014-08-05 14:20:02 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-07-25 13:04:40 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-07-25 13:03:54 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-07-25 12:34:49 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-07-25 12:34:03 455168 ----a-w- c:\windows\system32\vbscript.dll
2014-07-25 12:33:08 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-07-25 12:30:32 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-07-25 12:10:15 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-07-25 12:10:12 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-07-25 12:08:47 597504 ----a-w- c:\windows\system32\jscript9diag.dll
2014-07-25 12:06:47 4204032 ----a-w- c:\windows\system32\jscript9.dll
2014-07-25 11:59:29 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-07-25 11:43:16 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-07-25 11:07:49 2001920 ----a-w- c:\windows\system32\inetcpl.cpl
2014-07-25 11:07:10 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-07-25 10:05:23 1792512 ----a-w- c:\windows\system32\wininet.dll
2014-07-14 01:42:02 654336 ----a-w- c:\windows\system32\rpcrt4.dll
2014-06-16 01:44:49 730048 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-06-16 01:44:49 219072 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2014-06-16 01:40:20 107520 ----a-w- c:\windows\system32\cdd.dll
2014-06-06 09:44:17 509440 ----a-w- c:\windows\system32\qedit.dll
.
============= FINISH: 22:45:34.55 ===============


 


#2 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Male, Bulgaria)

Posted 06 September 2014 - 08:41 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

 

Regards,

Georgi




#3 msquared (Topic Starter, Members, 11 posts)

Posted 06 September 2014 - 01:05 PM

Hi Georgi,

 

I downloaded the FRST tool and began the scan. It's been running for at least 90 minutes so far and continues to run. In the top left of the FRST window it says "Getting Office Sessions errors: 1061." I left all the boxes in the whitelist portion of the window checkmarked per the default settings. Was this correct?

 

I will keep this scan running unless you tell me to stop it and change something.



#4 msquared (Topic Starter, Members, 11 posts)

Posted 06 September 2014 - 03:09 PM

Okay, after 3.5 hours FRST continued to do the same thing.  I shut it down and restarted and watched closely this time.  It scanned through a bunch of files, and then said it was going to do something with the whitelist items.  After a few seconds of running through more files, it then said it was "Getting Office Sessions errors:" again, and started counting down from maybe 5000-1061.  At 1061 it hung up again.  So as of now, I can't get FRST to finish running, and I don't have any logs to show you.  Please let me know how to proceed.  Thanks.



#5 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Male, Bulgaria)

Posted 06 September 2014 - 06:12 PM

Hello,

 

This is very unusual and I reported the issue to the developer. Most of the time FRST takes no longer than 5 minutes to complete.

 

Please do the following:

 

Please make sure that you can view all hidden files.  Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link => VirusTotal

When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\users\cindy\appdata\local\adworks\ASMweld217A.dll

Note: if VirusTotal says this file has already been analysed, make sure you click Reanalyse.

Please post back the results of the scan in your next post.

Please post the link to the results page rather than the contents of the page itself (it's a little easier for me to read).

 


Regards,

Georgi
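The entry Georgi singles out above (the DDS Pseudo HJT line "uRun: [Adworks] regsvr32.exe c:\users\cindy\appdata\local\adworks\ASMweld217A.dll", which the FRST log later in the thread marks with ATTENTION) is the kind of autostart a triage script can pull out of a DDS report automatically. The Python below is an added example, not code from this thread or from the DDS/FRST tools: it parses a few Pseudo HJT Report lines copied from post #1 and flags Run keys that load code from a user-writable path, orphaned URL search hooks, and policies such as EnableLUA=0 and HideSCAHealth=1 that disable UAC or hide Action Center warnings. The severity labels and the list of "weakening" policies are the example's own choices, not something DDS emits.

```python
"""Triage a DDS 'Pseudo HJT Report' for the autostart and policy entries that
matter on an infection like the one in this thread: Run keys whose command
points into a user profile (here regsvr32.exe loading a DLL from AppData\\Local),
orphaned URL search hooks, and policies that disable UAC or hide security warnings."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry policies that weaken defenses; the value is the setting that is bad.
# (Selection made for this example; DDS itself does not rate these.)
WEAKENING_POLICIES = {
    "EnableLUA": "0",              # UAC turned off
    "HideSCAHealth": "1",          # Action Center security warnings hidden
    "TaskbarNoNotification": "1",  # taskbar balloon notifications suppressed
    "EnableVirtualization": "0",   # UAC file/registry virtualization off
}

# Path fragments that are unusual homes for an autostart payload.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\programdata\\")

# Windows binaries that execute code from a module named on the command line.
DLL_LOADERS = ("regsvr32.exe", "rundll32.exe")

RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HOOK_RE = re.compile(r"^(?P<hive>[um])URLSearchHooks: (?P<clsid>\{[0-9a-fA-F-]+\}) - (?P<target>.*)$")
POLICY_RE = re.compile(r"^(?P<hive>[um])Policies-(?P<key>\w+): (?P<name>\w+) = dword:(?P<value>\d+)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    kind: str       # "run-key", "orphaned-hook" or "policy"
    detail: str


def _hive(code: str) -> str:
    # DDS prefixes per-user entries with "u" and machine-wide entries with "m".
    return "HKCU" if code == "u" else "HKLM"


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one report line, or None if the line looks benign."""
    line = line.strip()
    if m := RUN_RE.match(line):
        cmd = m["cmd"].lower()
        loader = next((ldr for ldr in DLL_LOADERS if ldr in cmd), None)
        in_profile = any(frag in cmd for frag in USER_WRITABLE)
        if loader and in_profile:
            return Finding("high", "run-key",
                           f"{_hive(m['hive'])} Run [{m['name']}] uses {loader} to load a module "
                           f"from a user-writable path: {m['cmd']}")
        if in_profile:
            return Finding("medium", "run-key",
                           f"{_hive(m['hive'])} Run [{m['name']}] starts from a user-writable path: {m['cmd']}")
        return None
    if m := HOOK_RE.match(line):
        if "<orphaned>" in m["target"].lower():
            return Finding("low", "orphaned-hook",
                           f"{_hive(m['hive'])} URLSearchHook {m['clsid']} points at a missing file")
        return None
    if m := POLICY_RE.match(line):
        bad = WEAKENING_POLICIES.get(m["name"])
        if bad is not None and m["value"] == bad:
            return Finding("medium", "policy",
                           f"{_hive(m['hive'])} Policies\\{m['key']} {m['name']}={m['value']}")
        return None
    return None


def triage_report(text: str) -> List[Finding]:
    """Triage every line of a report and return findings, most severe first."""
    findings = [f for f in (triage_line(ln) for ln in text.splitlines()) if f]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed sample: a handful of lines copied from the DDS report in post #1.
SAMPLE_REPORT = """\
uURLSearchHooks: {548f6736-8fe4-4680-82f2-170d6c07e1d2} - <orphaned>
uRun: [RESTART_STICKY_NOTES] c:\\windows\\system32\\StikyNot.exe
uRun: [Adworks] regsvr32.exe c:\\users\\cindy\\appdata\\local\\adworks\\ASMweld217A.dll
mRun: [Persistence] c:\\windows\\system32\\igfxpers.exe
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-System: EnableLUA = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
"""

if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
```

On the sample above the Adworks line is the only high-severity hit; the two policy lines and the orphaned hook follow it, and the Intel and Sticky Notes entries are not reported.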




#6 msquared (Topic Starter, Members, 11 posts)

Posted 06 September 2014 - 07:06 PM

Okay, here is the link to the results from VirusTotal:

https://www.virustotal.com/en/file/d3daf671ee1b04319dbd38a9dc07eccb7aca8794ae8d2114fb61426a21e2bb34/analysis/1410048243/



#7 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Male, Bulgaria)

Posted 07 September 2014 - 03:13 AM

Hi,

 

Please right-click on it and select "Send to compressed (zip) folder"; that will make a zipped copy of this file.

Next please upload it to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so I can examine the file and submit to antivirus companies if needed.
After that please delete the zip file you just created.

 

As for the FRST issue...the logs should be almost complete. Please post the logs created in the folder from where you ran the tool.

Thanks!

 

 

Regards,

Georgi




#8 msquared (Topic Starter, Members, 11 posts)

Posted 07 September 2014 - 10:24 AM

Okay, I tried sending the zipped file as requested, and when I click "submit" I get a timeout error and it says the site is down. I will keep trying.

 

Here is the FRST file that was generated, and I am attaching the "addition.txt" file as directed:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 06-09-2014
Ran by Cindy (administrator) on CINDYSLAPTOP on 07-09-2014 10:05:42
Running from C:\Users\Cindy\Desktop
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (All) =========================

(Microsoft Corporation) C:\Windows\System32\smss.exe
(Microsoft Corporation) C:\Windows\System32\csrss.exe
(Microsoft Corporation) C:\Windows\System32\wininit.exe
(Microsoft Corporation) C:\Windows\System32\csrss.exe
(Microsoft Corporation) C:\Windows\System32\services.exe
(Microsoft Corporation) C:\Windows\System32\lsass.exe
(Microsoft Corporation) C:\Windows\System32\lsm.exe
(Microsoft Corporation) C:\Windows\System32\winlogon.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\spoolsv.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\taskhost.exe
(Microsoft Corporation) C:\Windows\explorer.exe
(Microsoft Corporation) C:\Windows\System32\dwm.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Southwest Airlines) C:\Program Files\Southwest Airlines\Ding\Ding.exe
(Microsoft Corporation) C:\Windows\System32\SearchIndexer.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnetwk.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\VSSVC.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\System32\SearchProtocolHost.exe
(Microsoft Corporation) C:\Windows\System32\SearchFilterHost.exe
(Farbar) C:\Users\Cindy\Desktop\FRST.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WmiPrvSE.exe

==================== Registry (All) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Persistence] => C:\Windows\system32\igfxpers.exe [170520 2010-08-25] (Intel Corporation)
HKLM\...\Run: [IgfxTray] => C:\Windows\system32\igfxtray.exe [136216 2010-08-25] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] => C:\Windows\system32\hkcmd.exe [171032 2010-08-25] (Intel Corporation)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe, [26624 2010-11-20] (Microsoft Corporation)
HKLM\...\Winlogon: [Shell] Explorer.exe [2616320 2011-02-25] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoDrives] 0
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-3999264683-2072094160-444931896-1003\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [354304 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-3999264683-2072094160-444931896-1003\...\Run: [Adworks] => regsvr32.exe C:\Users\Cindy\AppData\Local\Adworks\ASMweld217A.dll <===== ATTENTION
HKU\S-1-5-21-3999264683-2072094160-444931896-1003\...\Policies\Explorer: [TaskbarNoNotification] 1
HKU\S-1-5-21-3999264683-2072094160-444931896-1003\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-3999264683-2072094160-444931896-1003\...\Policies\Explorer: [NoDriveTypeAutoRun] 145
Lsa: [Authentication Packages] msv1_0
Lsa: [Notification Packages] scecli
SecurityProviders: credssp.dll
Startup: C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DING!.lnk
ShortcutTarget: DING!.lnk -> C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)
Startup: C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RT-Updater.lnk
ShortcutTarget: RT-Updater.lnk -> C:\Ross-Tech\VCDS\VCDS.EXE (Ross-Tech, LLC)
SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} -  No File
ShellIconOverlayIdentifiers: EnhancedStorageShell -> {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} => C:\Windows\system32\EhStorShell.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 1 (GFS Unread Stub) -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2 (GFS Stub) -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 2.5 (GFS Unread Folder) -> {920E6DB1-9907-4370-B3A0-BAFC03D81399} => C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 3 (GFS Folder) -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: Groove Explorer Icon Overlay 4 (GFS Unread Mark) -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: Offline Files -> {4E77131D-3629-431c-9818-C5679DC83E81} => C:\Windows\System32\cscui.dll (Microsoft Corporation)
ShellIconOverlayIdentifiers: SharingPrivate -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} => C:\Windows\system32\ntshrui.dll (Microsoft Corporation)
BootExecute: autocheck autochk *
AlternateShell: cmd.exe

==================== Internet (All) ===========================

HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
URLSearchHook: HKCU - (No Name) - {548f6736-8fe4-4680-82f2-170d6c07e1d2} -  No File
URLSearchHook: HKCU - (No Name) - {f92a9fe4-2850-4198-b9d5-279880e49b16} -  No File
URLSearchHook: HKCU - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\Windows\System32\ieframe.dll (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - "C:\Program Files\Internet Explorer\iexplore.exe"
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
SearchScopes: HKCU - {0FA66977-B001-4F81-BA5E-81D538505402} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {4CB1BEEE-9A37-457B-BC33-F3C3C7BDF922} URL = http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20110519,6901,0,8,0
SearchScopes: HKCU - {53F935F4-0C14-42A5-892E-569EA203FB29} URL = http://websearch.ask.com/redirect?client=ie&tb=OVO2&o=2159&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=^A2E&apn_dtid=^YYYYYY^YY^US&apn_uid=bd4902a8-b7b3-4fc8-8d52-9c8726669ae4&apn_sauid=FFA100D5-39F4-4C20-80B5-311BFC0EA643
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=246&itype=n&ver=13001&tm=417&src=ds&p={searchTerms}
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/Results.aspx?gd=&ctid=CT3325565&octid=EB_ORIGINAL_CTID&ISID=M05A9ACD3-F41C-4C9F-8D8F-C3FBBFA9FFDD&SearchSource=58&CUI=&UM=5&UP=SP418157B1-A13B-4247-9FD5-9A4EEB0DF587&q={searchTerms}&SSPV=
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {548F6736-8FE4-4680-82F2-170D6C07E1D2} -  No File
Toolbar: HKCU - No Name - {F92A9FE4-2850-4198-B9D5-279880E49B16} -  No File
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Burger%20Shop/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.winkflash.com/photo/loaders/ImageUploader5.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} http://aolsvc.aol.com/onlinegames/free-trial-burger-shop/GoBitGamesPlayer_v4.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} http://samsclubus.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Burger%20Shop/Images/armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} http://www.disneyphotopass.com/software/ImageUploader4.cab
Handler: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
Handler: cdl - {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
Handler: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\msvidctl.dll (Microsoft Corporation)
Handler: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
Handler: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
Handler: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
Handler: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
Handler: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
Handler: mailto - {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
Handler: mhtml - {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\Windows\system32\inetcomm.dll (Microsoft Corporation)
Handler: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
Handler: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll (Microsoft Corporation)
Handler: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\msvidctl.dll (Microsoft Corporation)
Handler: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll (Microsoft Corporation)
Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\system32\mscoree.dll (Microsoft Corporation)
Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\system32\mscoree.dll (Microsoft Corporation)
Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\Windows\system32\mscoree.dll (Microsoft Corporation)
Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
ShellExecuteHooks: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2217832 2009-02-26] (Microsoft Corporation)
Winsock: Catalog5 01 %SystemRoot%\system32\NLAapi.dll [52224] (Microsoft Corporation)
Winsock: Catalog5 02 %SystemRoot%\system32\napinsp.dll [52224] (Microsoft Corporation)
Winsock: Catalog5 03 %SystemRoot%\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Winsock: Catalog5 04 %SystemRoot%\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Winsock: Catalog5 05 %SystemRoot%\System32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog5 06 %SystemRoot%\System32\winrnr.dll [20992] (Microsoft Corporation)
Winsock: Catalog9 01 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 02 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 03 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 04 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 05 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 06 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 07 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 08 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 09 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 10 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 11 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 12 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 13 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 14 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 15 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 16 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 17 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 18 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 19 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 20 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 21 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 22 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 23 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 24 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 25 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 26 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 27 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 28 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 29 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 30 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 31 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 32 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 33 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 34 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 35 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 36 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 37 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 38 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 39 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Winsock: Catalog9 40 %SystemRoot%\system32\mswsock.dll [231424] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Cindy\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll No File
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Cindy\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

Chrome:
=======
CHR DefaultSearchKeyword: Default -> conduit.search
CHR DefaultSearchProvider: Default -> Conduit Search
CHR DefaultSuggestURL: Default -> http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
CHR CustomProfile: C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-14]
CHR Extension: (Google Drive) - C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-14]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
CHR Extension: (YouTube) - C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-14]
CHR Extension: (Google Search) - C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-14]
CHR Extension: (Google Wallet) - C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-14]
CHR Extension: (Gmail) - C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-14]

==================== Services (All) ========================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 AeLookupSvc; C:\Windows\System32\aelupsvc.dll [62464 2009-07-13] (Microsoft Corporation)
S3 ALG; C:\Windows\System32\alg.exe [59392 2009-07-13] (Microsoft Corporation)
S3 AppIDSvc; C:\Windows\System32\appidsvc.dll [27648 2009-07-13] (Microsoft Corporation)
S3 Appinfo; C:\Windows\System32\appinfo.dll [47104 2013-02-26] (Microsoft Corporation)
S3 AppMgmt; C:\Windows\System32\appmgmts.dll [149504 2009-07-13] (Microsoft Corporation)
S4 aspnet_state; C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe [46688 2013-09-11] (Microsoft Corporation)
R2 AudioEndpointBuilder; C:\Windows\System32\Audiosrv.dll [473600 2010-11-20] (Microsoft Corporation)
R2 Audiosrv; C:\Windows\System32\Audiosrv.dll [473600 2010-11-20] (Microsoft Corporation)
S3 AxInstSV; C:\Windows\System32\AxInstSV.dll [88064 2010-11-20] (Microsoft Corporation)
S3 BDESVC; C:\Windows\System32\bdesvc.dll [76800 2009-07-13] (Microsoft Corporation)
R2 BFE; C:\Windows\System32\bfe.dll [494592 2010-11-20] (Microsoft Corporation)
R2 BITS; C:\Windows\system32\qmgr.dll [585728 2010-11-20] (Microsoft Corporation)
R3 Browser; C:\Windows\System32\browser.dll [102912 2012-07-04] (Microsoft Corporation)
S3 bthserv; C:\Windows\system32\bthserv.dll [64512 2009-07-13] (Microsoft Corporation)
S3 CertPropSvc; C:\Windows\System32\certprop.dll [67584 2010-11-20] (Microsoft Corporation)
S4 clr_optimization_v2.0.50727_32; C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [67224 2014-03-20] (Microsoft Corporation)
S2 clr_optimization_v4.0.30319_32; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [105144 2013-09-11] (Microsoft Corporation)
S3 COMSysApp; C:\Windows\system32\dllhost.exe [7168 2009-07-13] (Microsoft Corporation)
R2 CryptSvc; C:\Windows\system32\cryptsvc.dll [140288 2013-07-08] (Microsoft Corporation)
R2 CscService; C:\Windows\System32\cscsvc.dll [546304 2010-11-20] (Microsoft Corporation)
R2 DcomLaunch; C:\Windows\system32\rpcss.dll [376832 2010-11-20] (Microsoft Corporation)
S3 defragsvc; C:\Windows\System32\defragsvc.dll [218624 2009-07-13] (Microsoft Corporation)
R2 Dhcp; C:\Windows\system32\dhcpcore.dll [254464 2010-11-20] (Microsoft Corporation)
R2 Dnscache; C:\Windows\System32\dnsrslvr.dll [132608 2011-03-03] (Microsoft Corporation)
S3 dot3svc; C:\Windows\System32\dot3svc.dll [214016 2010-11-20] (Microsoft Corporation)
R2 DPS; C:\Windows\system32\dps.dll [144384 2010-11-20] (Microsoft Corporation)
R3 EapHost; C:\Windows\System32\eapsvc.dll [98304 2009-07-13] (Microsoft Corporation)
R2 EFS; C:\Windows\System32\lsass.exe [22528 2014-04-11] (Microsoft Corporation)
S3 ehRecvr; C:\Windows\ehome\ehRecvr.exe [556544 2010-11-20] (Microsoft Corporation)
S3 ehSched; C:\Windows\ehome\ehsched.exe [94720 2009-07-13] (Microsoft Corporation)
R2 eventlog; C:\Windows\System32\wevtsvc.dll [1086976 2010-11-20] (Microsoft Corporation)
R2 EventSystem; C:\Windows\system32\es.dll [271360 2009-07-13] (Microsoft Corporation)
S3 Fax; C:\Windows\system32\fxssvc.exe [523264 2010-11-20] (Microsoft Corporation)
R3 fdPHost; C:\Windows\system32\fdPHost.dll [12800 2009-07-13] (Microsoft Corporation)
R2 FDResPub; C:\Windows\system32\fdrespub.dll [28160 2009-07-13] (Microsoft Corporation)
R2 FontCache; C:\Windows\system32\FntCache.dll [906240 2013-01-13] (Microsoft Corporation)
S3 FontCache3.0.0.0; C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [42856 2009-06-10] (Microsoft Corporation)
R2 gpsvc; C:\Windows\System32\gpsvc.dll [593408 2010-11-20] (Microsoft Corporation)
S3 gusvc; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [182768 2010-03-17] (Google)
S3 hidserv; C:\Windows\System32\hidserv.dll [49152 2009-07-13] (Microsoft Corporation)
S3 hkmsvc; C:\Windows\system32\kmsvc.dll [71168 2010-11-20] (Microsoft Corporation)
R3 HomeGroupListener; C:\Windows\system32\ListSvc.dll [194560 2010-11-20] (Microsoft Corporation)
R3 HomeGroupProvider; C:\Windows\system32\provsvc.dll [165376 2010-11-20] (Microsoft Corporation)
S3 idsvc; C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [879248 2014-06-30] (Microsoft Corporation)
S3 IEEtwCollectorService; C:\Windows\system32\IEEtwCollector.exe [108032 2014-07-25] (Microsoft Corporation)
R2 IKEEXT; C:\Windows\System32\ikeext.dll [679424 2013-10-11] (Microsoft Corporation)
S3 IPBusEnum; C:\Windows\system32\ipbusenum.dll [78848 2009-07-13] (Microsoft Corporation)
R2 iphlpsvc; C:\Windows\System32\iphlpsvc.dll [499712 2012-10-03] (Microsoft Corporation)
R3 KeyIso; C:\Windows\system32\lsass.exe [22528 2014-04-11] (Microsoft Corporation)
S3 KtmRm; C:\Windows\system32\msdtckrm.dll [308736 2009-07-13] (Microsoft Corporation)
R2 LanmanServer; C:\Windows\System32\srvsvc.dll [168960 2010-11-20] (Microsoft Corporation)
R2 LanmanWorkstation; C:\Windows\System32\wkssvc.dll [84480 2010-11-20] (Microsoft Corporation)
S3 lltdsvc; C:\Windows\System32\lltdsvc.dll [189952 2009-07-13] (Microsoft Corporation)
R2 lmhosts; C:\Windows\System32\lmhsvc.dll [18432 2009-07-13] (Microsoft Corporation)
S4 Mcx2Svc; C:\Windows\system32\Mcx2Svc.dll [68096 2010-11-20] (Microsoft Corporation)
S3 Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [64856 2009-02-26] (Microsoft Corporation)
S2 MMCSS; C:\Windows\system32\mmcss.dll [49664 2009-07-13] (Microsoft Corporation)
R2 MpsSvc; C:\Windows\system32\mpssvc.dll [566272 2010-11-20] (Microsoft Corporation)
S3 MSDTC; C:\Windows\System32\msdtc.exe [134144 2009-07-13] (Microsoft Corporation)
S3 MSiSCSI; C:\Windows\system32\iscsiexe.dll [114688 2009-07-13] (Microsoft Corporation)
S3 msiserver; C:\Windows\System32\msiexec.exe [73216 2010-11-20] (Microsoft Corporation)
S3 napagent; C:\Windows\system32\qagentRT.dll [330240 2010-11-20] (Microsoft Corporation)
S3 Netlogon; C:\Windows\system32\lsass.exe [22528 2014-04-11] (Microsoft Corporation)
R3 Netman; C:\Windows\System32\netman.dll [280576 2009-07-13] (Microsoft Corporation)
S4 NetMsmqActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [139856 2013-09-11] (Microsoft Corporation)
S4 NetPipeActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [139856 2013-09-11] (Microsoft Corporation)
R3 netprofm; C:\Windows\System32\netprofm.dll [360448 2009-07-13] (Microsoft Corporation)
S4 NetTcpActivator; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [139856 2013-09-11] (Microsoft Corporation)
S4 NetTcpPortSharing; C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [139856 2013-09-11] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\System32\nlasvc.dll [242176 2012-10-03] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\nsisvc.dll [19456 2009-07-13] (Microsoft Corporation)
S3 odserv; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [440696 2011-07-20] (Microsoft Corporation)
S3 ose; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [145184 2006-10-26] (Microsoft Corporation)
R3 p2pimsvc; C:\Windows\system32\pnrpsvc.dll [269824 2009-07-13] (Microsoft Corporation)
R3 p2psvc; C:\Windows\system32\p2psvc.dll [327680 2009-07-13] (Microsoft Corporation)
R2 PcaSvc; C:\Windows\System32\pcasvc.dll [154624 2009-07-13] (Microsoft Corporation)
S3 PeerDistSvc; C:\Windows\system32\peerdistsvc.dll [1004544 2009-07-13] (Microsoft Corporation)
S3 pla; C:\Windows\system32\pla.dll [1508864 2010-11-20] (Microsoft Corporation)
R2 PlugPlay; C:\Windows\system32\umpnpmgr.dll [293376 2011-05-24] (Microsoft Corporation)
S3 PNRPAutoReg; C:\Windows\system32\pnrpauto.dll [20480 2009-07-13] (Microsoft Corporation)
R3 PNRPsvc; C:\Windows\system32\pnrpsvc.dll [269824 2009-07-13] (Microsoft Corporation)
S3 PolicyAgent; C:\Windows\System32\ipsecsvc.dll [350208 2010-11-20] (Microsoft Corporation)
R2 Power; C:\Windows\system32\umpo.dll [119808 2010-11-20] (Microsoft Corporation)
R2 ProfSvc; C:\Windows\system32\profsvc.dll [164352 2012-04-30] (Microsoft Corporation)
S3 ProtectedStorage; C:\Windows\system32\lsass.exe [22528 2014-04-11] (Microsoft Corporation)
S3 QWAVE; C:\Windows\system32\qwave.dll [210944 2009-07-13] (Microsoft Corporation)
S3 RasAuto; C:\Windows\System32\rasauto.dll [90624 2009-07-13] (Microsoft Corporation)
R3 RasMan; C:\Windows\System32\rasmans.dll [286208 2010-11-20] (Microsoft Corporation)
S4 RemoteAccess; C:\Windows\System32\mprdim.dll [75264 2009-07-13] (Microsoft Corporation)
S3 RemoteRegistry; C:\Windows\system32\regsvc.dll [112640 2009-07-13] (Microsoft Corporation)
R2 RpcEptMapper; C:\Windows\System32\RpcEpMap.dll [43520 2009-07-13] (Microsoft Corporation)
S3 RpcLocator; C:\Windows\system32\locator.exe [9216 2009-07-13] (Microsoft Corporation)
R2 RpcSs; C:\Windows\system32\rpcss.dll [376832 2010-11-20] (Microsoft Corporation)
R2 SamSs; C:\Windows\system32\lsass.exe [22528 2014-04-11] (Microsoft Corporation)
S3 SCardSvr; C:\Windows\System32\SCardSvr.dll [132608 2009-07-13] (Microsoft Corporation)
R2 Schedule; C:\Windows\system32\schedsvc.dll [750592 2010-11-20] (Microsoft Corporation)
S3 SCPolicySvc; C:\Windows\System32\certprop.dll [67584 2010-11-20] (Microsoft Corporation)
R3 SDRSVC; C:\Windows\System32\SDRSVC.dll [125952 2010-11-20] (Microsoft Corporation)
R2 seclogon; C:\Windows\system32\seclogon.dll [21504 2009-07-13] (Microsoft Corporation)
R2 SENS; C:\Windows\system32\sens.dll [49664 2009-07-13] (Microsoft Corporation)
S3 SensrSvc; C:\Windows\system32\sensrsvc.dll [25088 2009-07-13] (Microsoft Corporation)
S3 SessionEnv; C:\Windows\system32\sessenv.dll [113664 2010-11-20] (Microsoft Corporation)
S2 SharedAccess; C:\Windows\System32\ipnathlp.dll [300544 2009-07-13] (Microsoft Corporation)
R2 ShellHWDetection; C:\Windows\System32\shsvcs.dll [328192 2010-11-20] (Microsoft Corporation)
S3 SNMPTRAP; C:\Windows\System32\snmptrap.exe [12800 2009-07-13] (Microsoft Corporation)
R2 Spooler; C:\Windows\System32\spoolsv.exe [317440 2012-02-11] (Microsoft Corporation)
S2 sppsvc; C:\Windows\system32\sppsvc.exe [3179520 2010-11-20] (Microsoft Corporation)
S3 sppuinotify; C:\Windows\system32\sppuinotify.dll [53760 2010-11-20] (Microsoft Corporation)
R3 SSDPSRV; C:\Windows\System32\ssdpsrv.dll [162816 2009-07-13] (Microsoft Corporation)
R3 SstpSvc; C:\Windows\system32\sstpsvc.dll [90112 2009-07-13] (Microsoft Corporation)
R2 StiSvc; C:\Windows\System32\wiaservc.dll [463360 2010-11-20] (Microsoft Corporation)
S3 StorSvc; C:\Windows\system32\storsvc.dll [16384 2009-07-13] (Microsoft Corporation)
R3 swprv; C:\Windows\System32\swprv.dll [313856 2009-07-13] (Microsoft Corporation)
R2 SysMain; C:\Windows\system32\sysmain.dll [1159168 2010-11-20] (Microsoft Corporation)
S3 TabletInputService; C:\Windows\System32\TabSvc.dll [73216 2010-11-20] (Microsoft Corporation)
R3 TapiSrv; C:\Windows\System32\tapisrv.dll [242176 2010-11-20] (Microsoft Corporation)
S3 TBS; C:\Windows\System32\tbssvc.dll [55808 2009-07-13] (Microsoft Corporation)
S3 TermService; C:\Windows\System32\termsrv.dll [521216 2010-11-20] (Microsoft Corporation)
R2 Themes; C:\Windows\system32\themeservice.dll [37376 2009-07-13] (Microsoft Corporation)
S3 THREADORDER; C:\Windows\system32\mmcss.dll [49664 2009-07-13] (Microsoft Corporation)
R2 TrkWks; C:\Windows\System32\trkwks.dll [77312 2009-07-13] (Microsoft Corporation)
S3 TrustedInstaller; C:\Windows\servicing\TrustedInstaller.exe [204800 2010-11-20] (Microsoft Corporation)
S3 UI0Detect; C:\Windows\system32\UI0Detect.exe [35840 2009-07-13] (Microsoft Corporation)
S3 UmRdpService; C:\Windows\System32\umrdp.dll [171008 2010-11-20] (Microsoft Corporation)
R3 upnphost; C:\Windows\System32\upnphost.dll [266752 2009-07-13] (Microsoft Corporation)
R2 UxSms; C:\Windows\System32\uxsms.dll [29696 2009-07-13] (Microsoft Corporation)
S3 VaultSvc; C:\Windows\system32\lsass.exe [22528 2014-04-11] (Microsoft Corporation)
S3 vds; C:\Windows\System32\vds.exe [453632 2010-11-20] (Microsoft Corporation)
R3 VSS; C:\Windows\system32\vssvc.exe [1025536 2010-11-20] (Microsoft Corporation)
S3 W32Time; C:\Windows\system32\w32time.dll [288768 2009-07-13] (Microsoft Corporation)
S3 WatAdminSvc; C:\Windows\system32\Wat\WatAdminSvc.exe [1343400 2010-02-28] (Microsoft Corporation)
S3 wbengine; C:\Windows\system32\wbengine.exe [1203200 2010-11-20] (Microsoft Corporation)
S3 WbioSrvc; C:\Windows\System32\wbiosrvc.dll [151552 2009-07-13] (Microsoft Corporation)
S3 wcncsvc; C:\Windows\System32\wcncsvc.dll [276992 2010-11-20] (Microsoft Corporation)
S3 WcsPlugInService; C:\Windows\System32\WcsPlugInService.dll [32768 2009-07-13] (Microsoft Corporation)
R3 WdiServiceHost; C:\Windows\system32\wdi.dll [76288 2009-07-13] (Microsoft Corporation)
R3 WdiSystemHost; C:\Windows\system32\wdi.dll [76288 2009-07-13] (Microsoft Corporation)
S3 WebClient; C:\Windows\System32\webclnt.dll [205824 2013-07-04] (Microsoft Corporation)
S3 Wecsvc; C:\Windows\system32\wecsvc.dll [147968 2009-07-13] (Microsoft Corporation)
S3 wercplsupport; C:\Windows\System32\wercplsupport.dll [61440 2009-07-13] (Microsoft Corporation)
R3 WerSvc; C:\Windows\System32\WerSvc.dll [65024 2009-07-13] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
R3 WinHttpAutoProxySvc; C:\Windows\system32\winhttp.dll [351232 2010-11-20] (Microsoft Corporation)
R2 Winmgmt; C:\Windows\system32\wbem\WMIsvc.dll [168960 2009-07-13] (Microsoft Corporation)
S3 WinRM; C:\Windows\system32\WsmSvc.dll [1175040 2010-11-20] (Microsoft Corporation)
R2 Wlansvc; C:\Windows\System32\wlansvc.dll [829440 2009-07-13] (Microsoft Corporation)
S3 wmiApSrv; C:\Windows\system32\wbem\WmiApSrv.exe [136192 2009-07-13] (Microsoft Corporation)
R2 WMPNetworkSvc; C:\Program Files\Windows Media Player\wmpnetwk.exe [1121792 2010-11-20] (Microsoft Corporation)
S3 WPCSvc; C:\Windows\System32\wpcsvc.dll [10752 2009-07-13] (Microsoft Corporation)
S3 WPDBusEnum; C:\Windows\system32\wpdbusenum.dll [85504 2010-11-20] (Microsoft Corporation)
R2 wscsvc; C:\Windows\system32\wscsvc.dll [73728 2009-07-13] (Microsoft Corporation)
R2 WSearch; C:\Windows\system32\SearchIndexer.exe [427520 2011-05-03] (Microsoft Corporation)
R2 wuauserv; C:\Windows\system32\wuaueng.dll [1973728 2014-05-14] (Microsoft Corporation)
S3 wudfsvc; C:\Windows\System32\WUDFSvc.dll [73216 2012-07-25] (Microsoft Corporation)
S3 WwanSvc; C:\Windows\System32\wwansvc.dll [185344 2014-01-27] (Microsoft Corporation)

==================== Drivers (All) ==========================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 1394ohci; C:\Windows\system32\drivers\1394ohci.sys [164864 2010-11-20] (Microsoft Corporation)
R0 ACPI; C:\Windows\System32\drivers\ACPI.sys [274304 2010-11-20] (Microsoft Corporation)
S3 AcpiPmi; C:\Windows\system32\drivers\acpipmi.sys [10240 2010-11-20] (Microsoft Corporation)
S3 adp94xx; C:\Windows\system32\DRIVERS\adp94xx.sys [422976 2009-07-13] (Adaptec, Inc.)
S3 adpahci; C:\Windows\system32\DRIVERS\adpahci.sys [297552 2009-07-13] (Adaptec, Inc.)
S3 adpu320; C:\Windows\system32\DRIVERS\adpu320.sys [146512 2009-07-13] (Adaptec, Inc.)
R1 AFD; C:\Windows\system32\drivers\afd.sys [338944 2014-05-30] (Microsoft Corporation)
R3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1035776 2009-07-13] (LSI Corp)
S3 agp440; C:\Windows\system32\drivers\agp440.sys [53312 2009-07-13] (Microsoft Corporation)
S3 aic78xx; C:\Windows\system32\DRIVERS\djsvs.sys [70720 2009-07-13] (Adaptec, Inc.)
S3 aliide; C:\Windows\system32\drivers\aliide.sys [14400 2009-07-13] (Acer Laboratories Inc.)
S3 amdagp; C:\Windows\system32\drivers\amdagp.sys [53312 2009-07-13] (Microsoft Corporation)
S3 amdide; C:\Windows\system32\drivers\amdide.sys [14912 2009-07-13] (Microsoft Corporation)
S3 AmdK8; C:\Windows\system32\DRIVERS\amdk8.sys [55296 2009-07-13] (Microsoft Corporation)
S3 AmdPPM; C:\Windows\system32\DRIVERS\amdppm.sys [52736 2009-07-13] (Microsoft Corporation)
S3 amdsata; C:\Windows\system32\drivers\amdsata.sys [80256 2011-03-11] (Advanced Micro Devices)
S3 amdsbs; C:\Windows\system32\DRIVERS\amdsbs.sys [159312 2009-07-13] (AMD Technologies Inc.)
R0 amdxata; C:\Windows\System32\drivers\amdxata.sys [22400 2011-03-11] (Advanced Micro Devices)
S3 AppID; C:\Windows\system32\drivers\appid.sys [50176 2010-11-20] (Microsoft Corporation)
S3 arc; C:\Windows\system32\DRIVERS\arc.sys [76368 2009-07-13] (Adaptec, Inc.)
S3 arcsas; C:\Windows\system32\DRIVERS\arcsas.sys [86608 2009-07-13] (Adaptec, Inc.)
R3 AsyncMac; C:\Windows\System32\DRIVERS\asyncmac.sys [17920 2009-07-13] (Microsoft Corporation)
R0 atapi; C:\Windows\System32\drivers\atapi.sys [21584 2009-07-13] (Microsoft Corporation)
S3 b06bdrv; C:\Windows\system32\DRIVERS\bxvbdx.sys [430080 2009-07-13] (Broadcom Corporation)
S3 b57nd60x; C:\Windows\System32\DRIVERS\b57nd60x.sys [229888 2009-07-13] (Broadcom Corporation)
R1 Beep; C:\Windows\system32\Drivers\Beep.sys [6144 2009-07-13] (Microsoft Corporation)
R1 blbdrive; C:\Windows\System32\DRIVERS\blbdrive.sys [35328 2009-07-13] (Microsoft Corporation)
R3 bowser; C:\Windows\System32\DRIVERS\bowser.sys [69632 2011-02-22] (Microsoft Corporation)
S3 BrFiltLo; C:\Windows\system32\DRIVERS\BrFiltLo.sys [13568 2009-07-13] (Brother Industries, Ltd.)
S3 BrFiltUp; C:\Windows\system32\DRIVERS\BrFiltUp.sys [5248 2009-07-13] (Brother Industries, Ltd.)
S3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [78336 2009-07-13] (Microsoft Corporation)
S3 Brserid; C:\Windows\System32\Drivers\Brserid.sys [272128 2009-07-13] (Brother Industries Ltd.)
S3 BrSerWdm; C:\Windows\System32\Drivers\BrSerWdm.sys [62336 2009-07-13] (Brother Industries Ltd.)
S3 BrUsbMdm; C:\Windows\System32\Drivers\BrUsbMdm.sys [12160 2009-07-13] (Brother Industries Ltd.)
S3 BrUsbSer; C:\Windows\System32\Drivers\BrUsbSer.sys [11904 2009-07-13] (Brother Industries Ltd.)
S3 BTHMODEM; C:\Windows\system32\DRIVERS\bthmodem.sys [56320 2009-07-13] (Microsoft Corporation)
S4 cdfs; C:\Windows\System32\DRIVERS\cdfs.sys [70656 2009-07-13] (Microsoft Corporation)
R1 cdrom; C:\Windows\System32\DRIVERS\cdrom.sys [108544 2010-11-20] (Microsoft Corporation)
S3 circlass; C:\Windows\system32\DRIVERS\circlass.sys [37888 2009-07-13] (Microsoft Corporation)
R0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-13] (Microsoft Corporation)
R3 CmBatt; C:\Windows\System32\DRIVERS\CmBatt.sys [14080 2009-07-13] (Microsoft Corporation)
S3 cmdide; C:\Windows\system32\drivers\cmdide.sys [15952 2009-07-13] (CMD Technology, Inc.)
R0 CNG; C:\Windows\System32\Drivers\cng.sys [369848 2013-07-04] (Microsoft Corporation)
R0 Compbatt; C:\Windows\System32\DRIVERS\compbatt.sys [19024 2009-07-13] (Microsoft Corporation)
R3 CompositeBus; C:\Windows\system32\drivers\CompositeBus.sys [31232 2010-11-20] (Microsoft Corporation)
S4 crcdisk; C:\Windows\system32\DRIVERS\crcdisk.sys [22096 2009-07-13] (Microsoft Corporation)
R1 CSC; C:\Windows\System32\drivers\csc.sys [388096 2010-11-20] (Microsoft Corporation)
R1 DfsC; C:\Windows\System32\Drivers\dfsc.sys [78336 2010-11-20] (Microsoft Corporation)
R1 discache; C:\Windows\System32\drivers\discache.sys [32256 2009-07-13] (Microsoft Corporation)
R0 Disk; C:\Windows\System32\DRIVERS\disk.sys [57424 2009-07-13] (Microsoft Corporation)
S3 drmkaud; C:\Windows\system32\drivers\drmkaud.sys [5120 2009-07-13] (Microsoft Corporation)
R3 DXGKrnl; C:\Windows\System32\drivers\dxgkrnl.sys [730048 2014-06-15] (Microsoft Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbdx.sys [3100160 2009-07-13] (Broadcom Corporation)
S3 elxstor; C:\Windows\system32\DRIVERS\elxstor.sys [453712 2009-07-13] (Emulex)
S3 ErrDev; C:\Windows\system32\drivers\errdev.sys [7168 2009-07-13] (Microsoft Corporation)
S3 exfat; C:\Windows\system32\Drivers\exfat.sys [142336 2009-07-13] (Microsoft Corporation)
S3 fastfat; C:\Windows\system32\Drivers\fastfat.sys [148480 2009-07-13] (Microsoft Corporation)
S3 fdc; C:\Windows\system32\DRIVERS\fdc.sys [25088 2009-07-13] (Microsoft Corporation)
R0 FileInfo; C:\Windows\System32\drivers\fileinfo.sys [58448 2009-07-13] (Microsoft Corporation)
S3 Filetrace; C:\Windows\System32\drivers\filetrace.sys [28160 2009-07-13] (Microsoft Corporation)
S3 flpydisk; C:\Windows\system32\DRIVERS\flpydisk.sys [19968 2009-07-13] (Microsoft Corporation)
R0 FltMgr; C:\Windows\System32\drivers\fltmgr.sys [198208 2009-07-13] (Microsoft Corporation)
S3 FsDepends; C:\Windows\System32\drivers\FsDepends.sys [46160 2009-07-13] (Microsoft Corporation)
U0 Fs_Rec; C:\Windows\system32\Drivers\Fs_Rec.sys [19824 2012-03-01] (Microsoft Corporation)
R0 fvevol; C:\Windows\System32\DRIVERS\fvevol.sys [196328 2013-01-23] (Microsoft Corporation)
S3 gagp30kx; C:\Windows\system32\DRIVERS\gagp30kx.sys [57936 2009-07-13] (Microsoft Corporation)
S3 hcw85cir; C:\Windows\system32\drivers\hcw85cir.sys [26624 2009-07-13] (Hauppauge Computer Works, Inc.)
R3 HdAudAddService; C:\Windows\system32\drivers\HdAudio.sys [304128 2010-11-20] (Microsoft Corporation)
R3 HDAudBus; C:\Windows\system32\drivers\HDAudBus.sys [108544 2010-11-20] (Microsoft Corporation)
S3 HidBatt; C:\Windows\system32\DRIVERS\HidBatt.sys [21504 2009-07-13] (Microsoft Corporation)
S3 HidBth; C:\Windows\system32\DRIVERS\hidbth.sys [91136 2009-07-13] (Microsoft Corporation)
S3 HidIr; C:\Windows\system32\DRIVERS\hidir.sys [37888 2009-07-13] (Microsoft Corporation)
S3 HidUsb; C:\Windows\system32\drivers\hidusb.sys [24064 2010-11-20] (Microsoft Corporation)
S3 HpSAMD; C:\Windows\system32\drivers\HpSAMD.sys [67152 2009-07-13] (Hewlett-Packard Company)
R3 HTTP; C:\Windows\System32\drivers\HTTP.sys [513536 2010-11-20] (Microsoft Corporation)
R0 hwpolicy; C:\Windows\System32\drivers\hwpolicy.sys [14208 2010-11-20] (Microsoft Corporation)
R3 i8042prt; C:\Windows\system32\drivers\i8042prt.sys [80896 2009-07-13] (Microsoft Corporation)
S3 iaStorV; C:\Windows\system32\drivers\iaStorV.sys [332160 2011-03-11] (Intel Corporation)
R3 igfx; C:\Windows\System32\DRIVERS\igdkmd32.sys [9024512 2010-08-25] (Intel Corporation)
S3 iirsp; C:\Windows\system32\DRIVERS\iirsp.sys [41040 2009-07-13] (Intel Corp./ICP vortex GmbH)
S3 intelide; C:\Windows\system32\drivers\intelide.sys [15424 2009-07-13] (Microsoft Corporation)
R3 intelppm; C:\Windows\System32\DRIVERS\intelppm.sys [53760 2009-07-13] (Microsoft Corporation)
S3 IpFilterDriver; C:\Windows\System32\DRIVERS\ipfltdrv.sys [58880 2009-07-13] (Microsoft Corporation)
S3 IPMIDRV; C:\Windows\system32\drivers\IPMIDrv.sys [65536 2010-11-20] (Microsoft Corporation)
S3 IPNAT; C:\Windows\System32\drivers\ipnat.sys [101888 2009-07-13] (Microsoft Corporation)
S3 IRENUM; C:\Windows\System32\drivers\irenum.sys [13824 2009-07-13] (Microsoft Corporation)
S3 isapnp; C:\Windows\system32\drivers\isapnp.sys [46656 2009-07-13] (Microsoft Corporation)
S3 iScsiPrt; C:\Windows\system32\drivers\msiscsi.sys [234432 2014-02-03] (Microsoft Corporation)
R3 kbdclass; C:\Windows\system32\drivers\kbdclass.sys [42576 2009-07-13] (Microsoft Corporation)
S3 kbdhid; C:\Windows\system32\drivers\kbdhid.sys [28160 2010-11-20] (Microsoft Corporation)
R0 KSecDD; C:\Windows\System32\Drivers\ksecdd.sys [67520 2014-04-11] (Microsoft Corporation)
R0 KSecPkg; C:\Windows\System32\Drivers\ksecpkg.sys [136640 2014-04-11] (Microsoft Corporation)
R2 lltdio; C:\Windows\System32\DRIVERS\lltdio.sys [48128 2009-07-13] (Microsoft Corporation)
S3 LSI_FC; C:\Windows\system32\DRIVERS\lsi_fc.sys [95824 2009-07-13] (LSI Corporation)
S3 LSI_SAS; C:\Windows\system32\DRIVERS\lsi_sas.sys [89168 2009-07-13] (LSI Corporation)
S3 LSI_SAS2; C:\Windows\system32\DRIVERS\lsi_sas2.sys [54864 2009-07-13] (LSI Corporation)
S3 LSI_SCSI; C:\Windows\system32\DRIVERS\lsi_scsi.sys [96848 2009-07-13] (LSI Corporation)
S4 luafv; C:\Windows\system32\drivers\luafv.sys [86528 2009-07-13] (Microsoft Corporation)
S3 megasas; C:\Windows\system32\DRIVERS\megasas.sys [30800 2009-07-13] (LSI Corporation)
S3 MegaSR; C:\Windows\system32\DRIVERS\MegaSR.sys [235584 2009-07-13] (LSI Corporation, Inc.)
R3 Modem; C:\Windows\System32\drivers\modem.sys [31744 2009-07-13] (Microsoft Corporation)
R3 monitor; C:\Windows\System32\DRIVERS\monitor.sys [23552 2009-07-13] (Microsoft Corporation)
R3 mouclass; C:\Windows\System32\DRIVERS\mouclass.sys [41552 2009-07-13] (Microsoft Corporation)
S3 mouhid; C:\Windows\System32\DRIVERS\mouhid.sys [26112 2009-07-13] (Microsoft Corporation)
R0 mountmgr; C:\Windows\System32\drivers\mountmgr.sys [78208 2010-11-20] (Microsoft Corporation)
S3 mpio; C:\Windows\system32\drivers\mpio.sys [130432 2010-11-20] (Microsoft Corporation)
R3 mpsdrv; C:\Windows\System32\drivers\mpsdrv.sys [60416 2009-07-13] (Microsoft Corporation)
S3 MRxDAV; C:\Windows\system32\drivers\mrxdav.sys [115712 2013-07-04] (Microsoft Corporation)
R3 mrxsmb; C:\Windows\System32\DRIVERS\mrxsmb.sys [123904 2011-04-26] (Microsoft Corporation)
R3 mrxsmb10; C:\Windows\System32\DRIVERS\mrxsmb10.sys [223744 2011-07-08] (Microsoft Corporation)
R3 mrxsmb20; C:\Windows\System32\DRIVERS\mrxsmb20.sys [96768 2011-04-26] (Microsoft Corporation)
R0 msahci; C:\Windows\System32\drivers\msahci.sys [28032 2010-11-20] (Microsoft Corporation)
S3 msdsm; C:\Windows\system32\drivers\msdsm.sys [116096 2010-11-20] (Microsoft Corporation)
R1 Msfs; C:\Windows\system32\Drivers\Msfs.sys [22528 2009-07-13] (Microsoft Corporation)
S3 mshidkmdf; C:\Windows\System32\drivers\mshidkmdf.sys [4096 2009-07-13] (Microsoft Corporation)
R0 msisadrv; C:\Windows\System32\drivers\msisadrv.sys [13888 2009-07-13] (Microsoft Corporation)
S3 MSKSSRV; C:\Windows\System32\drivers\MSKSSRV.sys [8320 2009-07-13] (Microsoft Corporation)
S3 MSPCLOCK; C:\Windows\System32\drivers\MSPCLOCK.sys [5888 2009-07-13] (Microsoft Corporation)
S3 MSPQM; C:\Windows\System32\drivers\MSPQM.sys [5504 2009-07-13] (Microsoft Corporation)
S3 MsRPC; C:\Windows\system32\Drivers\MsRPC.sys [162896 2009-07-13] (Microsoft Corporation)
R1 mssmbios; C:\Windows\system32\drivers\mssmbios.sys [28240 2009-07-13] (Microsoft Corporation)
S3 MSTEE; C:\Windows\System32\drivers\MSTEE.sys [6144 2009-07-13] (Microsoft Corporation)
S3 MTConfig; C:\Windows\system32\DRIVERS\MTConfig.sys [12288 2009-07-13] (Microsoft Corporation)
R0 Mup; C:\Windows\System32\Drivers\mup.sys [49728 2009-07-13] (Microsoft Corporation)
R3 NativeWifiP; C:\Windows\System32\DRIVERS\nwifi.sys [267264 2009-07-13] (Microsoft Corporation)
R0 NDIS; C:\Windows\System32\drivers\ndis.sys [712048 2012-08-22] (Microsoft Corporation)
S3 NdisCap; C:\Windows\System32\DRIVERS\ndiscap.sys [27136 2009-07-13] (Microsoft Corporation)
R3 NdisTapi; C:\Windows\System32\DRIVERS\ndistapi.sys [20992 2009-07-13] (Microsoft Corporation)
R3 Ndisuio; C:\Windows\System32\DRIVERS\ndisuio.sys [46080 2010-11-20] (Microsoft Corporation)
R3 NdisWan; C:\Windows\System32\DRIVERS\ndiswan.sys [118784 2010-11-20] (Microsoft Corporation)
R3 NDProxy; C:\Windows\system32\Drivers\NDProxy.sys [48640 2010-11-20] (Microsoft Corporation)
R1 NetBIOS; C:\Windows\System32\DRIVERS\netbios.sys [36352 2009-07-13] (Microsoft Corporation)
R1 NetBT; C:\Windows\System32\DRIVERS\netbt.sys [187904 2010-11-20] (Microsoft Corporation)
S3 nfrd960; C:\Windows\system32\DRIVERS\nfrd960.sys [44624 2009-07-13] (IBM Corporation)
R1 Npfs; C:\Windows\system32\Drivers\Npfs.sys [35328 2009-07-13] (Microsoft Corporation)
R1 nsiproxy; C:\Windows\System32\drivers\nsiproxy.sys [16896 2009-07-13] (Microsoft Corporation)
R3 Ntfs; C:\Windows\system32\Drivers\Ntfs.sys [1212352 2014-01-23] (Microsoft Corporation)
R1 Null; C:\Windows\system32\Drivers\Null.sys [4608 2009-07-13] (Microsoft Corporation)
S3 nvraid; C:\Windows\system32\drivers\nvraid.sys [117120 2011-03-11] (NVIDIA Corporation)
S3 nvstor; C:\Windows\system32\drivers\nvstor.sys [143744 2011-03-11] (NVIDIA Corporation)
S3 nv_agp; C:\Windows\system32\drivers\nv_agp.sys [105024 2009-07-13] (Microsoft Corporation)
S3 ohci1394; C:\Windows\system32\drivers\ohci1394.sys [62464 2009-07-13] (Microsoft Corporation)
S3 Parport; C:\Windows\system32\DRIVERS\parport.sys [79360 2009-07-13] (Microsoft Corporation)
R0 partmgr; C:\Windows\System32\drivers\partmgr.sys [56176 2012-03-17] (Microsoft Corporation)
S2 Parvdm; C:\Windows\system32\DRIVERS\parvdm.sys [8704 2009-07-13] (Microsoft Corporation)
R0 pci; C:\Windows\System32\drivers\pci.sys [153984 2010-11-20] (Microsoft Corporation)
S3 pciide; C:\Windows\system32\drivers\pciide.sys [12368 2009-07-13] (Microsoft Corporation)
S3 pcmcia; C:\Windows\system32\DRIVERS\pcmcia.sys [180288 2009-07-13] (Microsoft Corporation)
R0 pcw; C:\Windows\System32\drivers\pcw.sys [43088 2009-07-13] (Microsoft Corporation)
R2 PEAUTH; C:\Windows\System32\drivers\peauth.sys [586752 2009-07-13] (Microsoft Corporation)
R3 PptpMiniport; C:\Windows\System32\DRIVERS\raspptp.sys [73728 2009-07-13] (Microsoft Corporation)
S3 Processor; C:\Windows\system32\DRIVERS\processr.sys [52224 2009-07-13] (Microsoft Corporation)
R1 Psched; C:\Windows\System32\DRIVERS\pacer.sys [104448 2009-07-13] (Microsoft Corporation)
S3 ql2300; C:\Windows\system32\DRIVERS\ql2300.sys [1383488 2009-07-13] (QLogic Corporation)
S3 ql40xx; C:\Windows\system32\DRIVERS\ql40xx.sys [106064 2009-07-13] (QLogic Corporation)
S3 QWAVEdrv; C:\Windows\system32\drivers\qwavedrv.sys [31744 2009-07-13] (Microsoft Corporation)
S3 RasAcd; C:\Windows\System32\DRIVERS\rasacd.sys [11776 2009-07-13] (Microsoft Corporation)
R3 RasAgileVpn; C:\Windows\System32\DRIVERS\AgileVpn.sys [49152 2009-07-13] (Microsoft Corporation)
R3 Rasl2tp; C:\Windows\System32\DRIVERS\rasl2tp.sys [78848 2009-07-13] (Microsoft Corporation)
R3 RasPppoe; C:\Windows\System32\DRIVERS\raspppoe.sys [77824 2009-07-13] (Microsoft Corporation)
R3 RasSstp; C:\Windows\System32\DRIVERS\rassstp.sys [75264 2009-07-13] (Microsoft Corporation)
R1 rdbss; C:\Windows\System32\DRIVERS\rdbss.sys [242688 2010-11-20] (Microsoft Corporation)
R3 rdpbus; C:\Windows\System32\DRIVERS\rdpbus.sys [18944 2009-07-13] (Microsoft Corporation)
R1 RDPCDD; C:\Windows\System32\DRIVERS\RDPCDD.sys [6656 2010-11-20] (Microsoft Corporation)
S3 RDPDR; C:\Windows\System32\drivers\rdpdr.sys [133632 2010-11-20] (Microsoft Corporation)
R1 RDPENCDD; C:\Windows\System32\drivers\rdpencdd.sys [6656 2009-07-13] (Microsoft Corporation)
R1 RDPREFMP; C:\Windows\System32\drivers\rdprefmp.sys [7168 2009-07-13] (Microsoft Corporation)
S3 RDPWD; C:\Windows\system32\Drivers\RDPWD.sys [183808 2012-04-27] (Microsoft Corporation)
R0 rdyboost; C:\Windows\System32\drivers\rdyboost.sys [173440 2010-11-20] (Microsoft Corporation)
R2 rspndr; C:\Windows\System32\DRIVERS\rspndr.sys [60928 2009-07-13] (Microsoft Corporation)
S3 RT-USB; C:\Windows\System32\drivers\RT-USB.SYS [59464 2010-06-16] (Ross-Tech LLC)
R3 RTL8167; C:\Windows\System32\DRIVERS\Rt86win7.sys [139776 2009-07-13] (Realtek Corporation                                            )
R3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [376832 2009-11-05] (Realtek Semiconductor Corporation                           )
S3 s3cap; C:\Windows\system32\drivers\vms3cap.sys [5632 2010-11-20] (Microsoft Corporation)
S3 sbp2port; C:\Windows\system32\drivers\sbp2port.sys [85376 2010-11-20] (Microsoft Corporation)
S3 scfilter; C:\Windows\System32\DRIVERS\scfilter.sys [26624 2010-11-20] (Microsoft Corporation)
R2 secdrv; C:\Windows\system32\Drivers\secdrv.sys [20480 2009-07-13] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
S3 Serenum; C:\Windows\system32\DRIVERS\serenum.sys [17920 2009-07-13] (Microsoft Corporation)
S3 Serial; C:\Windows\system32\DRIVERS\serial.sys [83456 2009-07-13] (Microsoft Corporation)
S3 sermouse; C:\Windows\system32\DRIVERS\sermouse.sys [19968 2009-07-13] (Microsoft Corporation)
S3 sffdisk; C:\Windows\system32\drivers\sffdisk.sys [11264 2009-07-13] (Microsoft Corporation)
S3 sffp_mmc; C:\Windows\system32\drivers\sffp_mmc.sys [12288 2009-07-13] (Microsoft Corporation)
S3 sffp_sd; C:\Windows\system32\drivers\sffp_sd.sys [12800 2010-11-20] (Microsoft Corporation)
S3 sfloppy; C:\Windows\system32\DRIVERS\sfloppy.sys [13824 2009-07-13] (Microsoft Corporation)
S3 sisagp; C:\Windows\system32\drivers\sisagp.sys [52304 2009-07-13] (Microsoft Corporation)
S3 SiSRaid2; C:\Windows\system32\DRIVERS\SiSRaid2.sys [40016 2009-07-13] (Silicon Integrated Systems Corp.)
S3 SiSRaid4; C:\Windows\system32\DRIVERS\sisraid4.sys [77888 2009-07-13] (Silicon Integrated Systems)
S3 Smb; C:\Windows\System32\DRIVERS\smb.sys [71168 2009-07-13] (Microsoft Corporation)
R0 spldr; C:\Windows\system32\Drivers\spldr.sys [17472 2009-07-13] (Microsoft Corporation)
R3 srv; C:\Windows\System32\DRIVERS\srv.sys [311808 2011-04-28] (Microsoft Corporation)
R3 srv2; C:\Windows\System32\DRIVERS\srv2.sys [310272 2011-04-28] (Microsoft Corporation)
R3 srvnet; C:\Windows\System32\DRIVERS\srvnet.sys [114688 2011-04-28] (Microsoft Corporation)
S3 stexstor; C:\Windows\system32\DRIVERS\stexstor.sys [21072 2009-07-13] (Promise Technology)
R3 StillCam; C:\Windows\System32\DRIVERS\serscan.sys [9216 2009-07-13] (Microsoft Corporation)
R0 storflt; C:\Windows\System32\drivers\vmstorfl.sys [40704 2010-11-20] (Microsoft Corporation)
S3 storvsc; C:\Windows\system32\drivers\storvsc.sys [28032 2010-11-20] (Microsoft Corporation)
R3 swenum; C:\Windows\system32\drivers\swenum.sys [12240 2009-07-13] (Microsoft Corporation)
R0 Tcpip; C:\Windows\System32\drivers\tcpip.sys [1294272 2014-04-04] (Microsoft Corporation)
S3 TCPIP6; C:\Windows\System32\DRIVERS\tcpip.sys [1294272 2014-04-04] (Microsoft Corporation)
R2 tcpipreg; C:\Windows\System32\drivers\tcpipreg.sys [35328 2012-10-03] (Microsoft Corporation)
S3 TDPIPE; C:\Windows\System32\drivers\tdpipe.sys [18432 2010-11-20] (Microsoft Corporation)
S3 TDTCP; C:\Windows\System32\drivers\tdtcp.sys [24576 2012-02-16] (Microsoft Corporation)
R1 tdx; C:\Windows\System32\DRIVERS\tdx.sys [74752 2010-11-20] (Microsoft Corporation)
R1 TermDD; C:\Windows\system32\drivers\termdd.sys [53120 2010-11-20] (Microsoft Corporation)
S3 tssecsrv; C:\Windows\System32\DRIVERS\tssecsrv.sys [31232 2013-06-14] (Microsoft Corporation)
S3 TsUsbFlt; C:\Windows\System32\drivers\tsusbflt.sys [52224 2010-11-20] (Microsoft Corporation)
S3 tunnel; C:\Windows\System32\DRIVERS\tunnel.sys [108544 2010-11-20] (Microsoft Corporation)
R0 TVALZ; C:\Windows\System32\DRIVERS\TVALZ_O.SYS [23640 2007-11-09] (TOSHIBA Corporation)
S3 uagp35; C:\Windows\system32\DRIVERS\uagp35.sys [55888 2009-07-13] (Microsoft Corporation)
S4 udfs; C:\Windows\System32\DRIVERS\udfs.sys [246784 2010-11-20] (Microsoft Corporation)
S3 uliagpkx; C:\Windows\system32\drivers\uliagpkx.sys [57424 2009-07-13] (Microsoft Corporation)
R3 umbus; C:\Windows\System32\DRIVERS\umbus.sys [39936 2010-11-20] (Microsoft Corporation)
S3 UmPass; C:\Windows\system32\DRIVERS\umpass.sys [8192 2009-07-13] (Microsoft Corporation)
R3 usbccgp; C:\Windows\System32\DRIVERS\usbccgp.sys [76288 2013-11-26] (Microsoft Corporation)
S3 usbcir; C:\Windows\system32\drivers\usbcir.sys [86016 2013-07-12] (Microsoft Corporation)
R3 usbehci; C:\Windows\System32\DRIVERS\usbehci.sys [43520 2013-11-26] (Microsoft Corporation)
R3 usbhub; C:\Windows\System32\DRIVERS\usbhub.sys [258560 2013-11-26] (Microsoft Corporation)
S3 usbohci; C:\Windows\system32\drivers\usbohci.sys [20480 2013-11-26] (Microsoft Corporation)
S3 usbprint; C:\Windows\system32\DRIVERS\usbprint.sys [19968 2009-07-13] (Microsoft Corporation)
S3 USBSTOR; C:\Windows\System32\DRIVERS\USBSTOR.SYS [76288 2011-03-10] (Microsoft Corporation)
R3 usbuhci; C:\Windows\System32\DRIVERS\usbuhci.sys [24064 2013-11-26] (Microsoft Corporation)
R3 usbvideo; C:\Windows\System32\Drivers\usbvideo.sys [146816 2013-07-12] (Microsoft Corporation)
S3 VAGUSB; C:\Windows\System32\Drivers\VAGUSB.sys [34639 2005-12-15] (FTDI Ltd.) [File not signed]
R0 vdrvroot; C:\Windows\System32\drivers\vdrvroot.sys [32832 2009-07-13] (Microsoft Corporation)
S3 vga; C:\Windows\System32\DRIVERS\vgapnp.sys [26112 2009-07-13] (Microsoft Corporation)
R1 VgaSave; C:\Windows\System32\drivers\vga.sys [25088 2009-07-13] (Microsoft Corporation)
S3 vhdmp; C:\Windows\system32\drivers\vhdmp.sys [160128 2010-11-20] (Microsoft Corporation)
S3 viaagp; C:\Windows\system32\drivers\viaagp.sys [53328 2009-07-13] (Microsoft Corporation)
S3 ViaC7; C:\Windows\system32\DRIVERS\viac7.sys [52736 2009-07-13] (Microsoft Corporation)
S3 viaide; C:\Windows\system32\drivers\viaide.sys [16976 2009-07-13] (VIA Technologies, Inc.)
R0 vmbus; C:\Windows\System32\drivers\vmbus.sys [175360 2010-11-20] (Microsoft Corporation)
S3 VMBusHID; C:\Windows\system32\drivers\VMBusHID.sys [17920 2010-11-20] (Microsoft Corporation)
R0 volmgr; C:\Windows\System32\drivers\volmgr.sys [53120 2010-11-20] (Microsoft Corporation)
R0 volmgrx; C:\Windows\System32\drivers\volmgrx.sys [297040 2009-07-13] (Microsoft Corporation)
R0 volsnap; C:\Windows\System32\drivers\volsnap.sys [245632 2010-11-20] (Microsoft Corporation)
S3 vsmraid; C:\Windows\system32\DRIVERS\vsmraid.sys [141904 2009-07-13] (VIA Technologies Inc.,Ltd)
R3 vwifibus; C:\Windows\System32\drivers\vwifibus.sys [19968 2009-07-13] (Microsoft Corporation)
R1 vwififlt; C:\Windows\System32\DRIVERS\vwififlt.sys [48128 2009-07-13] (Microsoft Corporation)
R3 vwifimp; C:\Windows\System32\DRIVERS\vwifimp.sys [14336 2009-07-13] (Microsoft Corporation)
S3 WacomPen; C:\Windows\system32\DRIVERS\wacompen.sys [21632 2009-07-13] (Microsoft Corporation)
S3 WANARP; C:\Windows\System32\DRIVERS\wanarp.sys [63488 2010-11-20] (Microsoft Corporation)
R1 Wanarpv6; C:\Windows\System32\DRIVERS\wanarp.sys [63488 2010-11-20] (Microsoft Corporation)
S3 Wd; C:\Windows\system32\DRIVERS\wd.sys [19024 2009-07-13] (Microsoft Corporation)
R0 Wdf01000; C:\Windows\System32\drivers\Wdf01000.sys [527064 2013-06-25] (Microsoft Corporation)
R1 WfpLwf; C:\Windows\System32\DRIVERS\wfplwf.sys [9728 2009-07-13] (Microsoft Corporation)
S3 WIMMount; C:\Windows\System32\drivers\wimmount.sys [19008 2009-07-13] (Microsoft Corporation)
U3 Winsock; No ImagePath
S3 WinUsb; C:\Windows\System32\DRIVERS\WinUsb.sys [35968 2010-11-20] (Microsoft Corporation)
S3 WmiAcpi; C:\Windows\system32\drivers\wmiacpi.sys [11264 2009-07-13] (Microsoft Corporation)
R1 ws2ifsl; C:\Windows\system32\drivers\ws2ifsl.sys [16384 2009-07-13] (Microsoft Corporation)
S3 WSDPrintDevice; C:\Windows\System32\DRIVERS\WSDPrint.sys [17920 2009-07-13] (Microsoft Corporation)
S3 WSDScan; C:\Windows\System32\DRIVERS\WSDScan.sys [20480 2009-07-13] (Microsoft Corporation)
S3 WudfPf; C:\Windows\System32\drivers\WudfPf.sys [66560 2012-07-25] (Microsoft Corporation)
S3 WUDFRd; C:\Windows\System32\DRIVERS\WUDFRd.sys [155136 2012-07-25] (Microsoft Corporation)
U5 BattC; C:\Windows\System32\Drivers\BattC.sys [25168 2009-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-07 10:02 - 2014-09-07 10:02 - 00000000 ____D () C:\Users\Cindy\AppData\Local\CrashDumps
2014-09-06 11:39 - 2014-09-07 10:05 - 00020868 _____ () C:\Users\Cindy\Desktop\Addition.txt
2014-09-06 11:37 - 2014-09-07 10:05 - 00060699 _____ () C:\Users\Cindy\Desktop\FRST.txt
2014-09-06 11:37 - 2014-09-07 10:05 - 00000000 ____D () C:\FRST
2014-09-06 11:36 - 2014-09-06 11:36 - 01096704 _____ (Farbar) C:\Users\Cindy\Desktop\FRST.exe
2014-09-03 22:45 - 2014-09-03 22:45 - 00016513 _____ () C:\Users\Cindy\Desktop\dds.txt
2014-09-03 22:31 - 2014-09-03 22:48 - 00000000 ____D () C:\Users\Cindy\Desktop\malware repair
2014-09-03 21:17 - 2014-09-03 21:17 - 00699568 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-09-03 21:17 - 2014-09-03 21:17 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-09-03 20:56 - 2014-09-03 21:07 - 00000000 ____D () C:\Windows\pss
2014-09-03 20:44 - 2014-09-03 20:46 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Process Hacker 2
2014-09-03 19:42 - 2014-09-03 19:42 - 00000000 ____D () C:\Program Files\Trend Micro
2014-08-28 07:41 - 2014-08-28 07:41 - 00000000 __SHD () C:\Users\Cindy\AppData\Local\EmieUserList
2014-08-28 07:41 - 2014-08-28 07:41 - 00000000 __SHD () C:\Users\Cindy\AppData\Local\EmieSiteList
2014-08-28 02:28 - 2014-07-31 18:16 - 00307384 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-08-28 02:28 - 2014-07-25 08:51 - 17524224 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-08-28 02:28 - 2014-07-25 08:04 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-08-28 02:28 - 2014-07-25 08:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-08-28 02:28 - 2014-07-25 07:34 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-08-28 02:28 - 2014-07-25 07:34 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-08-28 02:28 - 2014-07-25 07:33 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-08-28 02:28 - 2014-07-25 07:30 - 00061952 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-08-28 02:28 - 2014-07-25 07:21 - 02184704 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-08-28 02:28 - 2014-07-25 07:18 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-08-28 02:28 - 2014-07-25 07:17 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-08-28 02:28 - 2014-07-25 07:12 - 00438784 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-08-28 02:28 - 2014-07-25 07:10 - 00112128 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-08-28 02:28 - 2014-07-25 07:10 - 00108032 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-08-28 02:28 - 2014-07-25 07:08 - 00597504 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-08-28 02:28 - 2014-07-25 07:06 - 04204032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-08-28 02:28 - 2014-07-25 06:59 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-08-28 02:28 - 2014-07-25 06:52 - 00367104 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-08-28 02:28 - 2014-07-25 06:43 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-08-28 02:28 - 2014-07-25 06:36 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-08-28 02:28 - 2014-07-25 06:34 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-08-28 02:28 - 2014-07-25 06:29 - 00239616 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-08-28 02:28 - 2014-07-25 06:13 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-08-28 02:28 - 2014-07-25 06:09 - 00663040 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-08-28 02:28 - 2014-07-25 06:07 - 02001920 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-08-28 02:28 - 2014-07-25 06:07 - 01068032 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-08-28 02:28 - 2014-07-25 06:03 - 11772928 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-08-28 02:28 - 2014-07-25 05:09 - 00704512 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-08-28 02:28 - 2014-07-25 05:05 - 01792512 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-08-28 02:28 - 2014-07-25 05:00 - 01169920 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-08-28 02:12 - 2014-08-28 02:12 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-08-28 01:37 - 2014-08-28 01:37 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2014-08-28 01:18 - 2014-06-30 17:14 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2014-08-28 01:18 - 2014-06-06 01:16 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2014-08-28 01:18 - 2014-03-09 16:47 - 00619672 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2014-08-28 01:18 - 2014-03-09 16:47 - 00099480 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2014-08-28 01:13 - 2013-05-09 23:56 - 12625408 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2014-08-28 01:13 - 2013-05-09 23:56 - 11410432 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00645120 _____ (Microsoft Corporation) C:\Windows\system32\jsIntl.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00616104 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dat
2014-08-28 01:05 - 2014-08-28 01:05 - 00610304 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2014-08-28 01:05 - 2014-08-28 01:05 - 00233472 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00208384 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00194048 _____ (Microsoft Corporation) C:\Windows\system32\elshyph.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00182272 _____ (Microsoft Corporation) C:\Windows\system32\msls31.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00151552 _____ (Microsoft Corporation) C:\Windows\system32\iexpress.exe
2014-08-28 01:05 - 2014-08-28 01:05 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\wextract.exe
2014-08-28 01:05 - 2014-08-28 01:05 - 00127488 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00116736 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\IEAdvpack.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00083456 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00074240 _____ (Microsoft Corporation) C:\Windows\system32\SetIEInstalledDate.exe
2014-08-28 01:05 - 2014-08-28 01:05 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-08-28 01:05 - 2014-08-28 01:05 - 00069120 _____ (Microsoft Corporation) C:\Windows\system32\icardie.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2014-08-28 01:05 - 2014-08-28 01:05 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\pngfilt.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\mshtmler.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\imgutil.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\licmgr10.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-08-28 01:05 - 2014-08-28 01:05 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-08-28 01:04 - 2014-08-28 01:07 - 00007677 _____ () C:\Windows\IE11_main.log
2014-08-27 23:52 - 2013-11-23 13:26 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2014-08-27 23:52 - 2013-10-29 21:19 - 00301568 _____ (Microsoft Corporation) C:\Windows\system32\msieftp.dll
2014-08-27 23:51 - 2014-07-13 20:42 - 00654336 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2014-08-27 23:51 - 2014-06-15 20:44 - 00730048 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2014-08-27 23:51 - 2014-06-15 20:44 - 00219072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgmms1.sys
2014-08-27 23:51 - 2014-06-15 20:40 - 00107520 _____ (Microsoft Corporation) C:\Windows\system32\cdd.dll
2014-08-27 23:51 - 2014-03-26 09:27 - 01389056 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2014-08-27 23:51 - 2014-03-26 09:27 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-08-27 23:51 - 2014-03-26 09:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml6r.dll
2014-08-27 23:51 - 2014-03-26 09:25 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-08-27 23:51 - 2014-03-04 04:20 - 03969984 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2014-08-27 23:51 - 2014-03-04 04:20 - 03914176 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2014-08-27 23:51 - 2014-03-04 04:17 - 00538112 _____ (Microsoft Corporation) C:\Windows\system32\objsel.dll
2014-08-27 23:51 - 2014-03-04 04:17 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-08-27 23:51 - 2014-03-04 04:17 - 00293376 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2014-08-27 23:51 - 2014-03-04 04:17 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\cngprovider.dll
2014-08-27 23:51 - 2014-03-04 04:17 - 00049664 _____ (Microsoft Corporation) C:\Windows\system32\adprovider.dll
2014-08-27 23:51 - 2014-03-04 04:17 - 00048128 _____ (Microsoft Corporation) C:\Windows\system32\capiprovider.dll
2014-08-27 23:51 - 2014-03-04 04:17 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\dpapiprovider.dll
2014-08-27 23:51 - 2014-03-04 04:17 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\dimsroam.dll
2014-08-27 23:51 - 2014-03-04 04:17 - 00035328 _____ (Microsoft Corporation) C:\Windows\system32\wincredprovider.dll
2014-08-27 23:51 - 2013-12-31 18:05 - 00420008 _____ () C:\Windows\system32\locale.nls
2014-08-27 23:51 - 2013-10-18 20:36 - 00159232 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2014-08-27 23:51 - 2013-10-03 20:58 - 00152576 _____ (Microsoft Corporation) C:\Windows\system32\SmartcardCredentialProvider.dll
2014-08-27 23:51 - 2013-10-03 20:56 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\credui.dll
2014-08-27 23:50 - 2014-08-22 20:46 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-08-27 23:50 - 2014-08-22 19:42 - 02352640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-08-27 23:50 - 2014-02-03 21:07 - 00234432 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\msiscsi.sys
2014-08-27 23:50 - 2014-02-03 21:07 - 00149440 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys
2014-08-27 23:50 - 2014-02-03 21:07 - 00027072 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Diskdump.sys
2014-08-27 23:50 - 2014-02-03 21:00 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\iologmsg.dll
2014-08-27 23:50 - 2014-01-27 21:07 - 00185344 _____ (Microsoft Corporation) C:\Windows\system32\wwansvc.dll
2014-08-27 23:50 - 2013-10-11 21:04 - 00121856 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2014-08-27 23:50 - 2013-10-11 21:03 - 00163840 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2014-08-27 23:50 - 2013-10-11 20:15 - 00141824 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2014-08-27 23:50 - 2013-10-11 20:15 - 00126976 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2014-08-27 23:49 - 2014-07-15 21:46 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-08-27 23:49 - 2014-06-17 20:51 - 00646144 _____ (Microsoft Corporation) C:\Windows\system32\osk.exe
2014-08-27 23:49 - 2014-02-03 21:04 - 01230336 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-08-27 23:48 - 2014-06-06 04:44 - 00509440 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-08-27 23:48 - 2014-06-03 04:30 - 00101824 _____ (Microsoft Corporation) C:\Windows\system32\consent.exe
2014-08-27 23:48 - 2014-06-03 04:29 - 02363392 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-08-27 23:48 - 2014-06-03 04:29 - 01805824 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2014-08-27 23:48 - 2014-06-03 04:29 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2014-08-27 23:48 - 2014-05-30 02:52 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-08-27 23:48 - 2014-05-30 02:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-08-27 23:48 - 2014-05-30 02:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-08-27 23:48 - 2014-05-30 02:52 - 00220160 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-08-27 23:48 - 2014-05-30 02:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-08-27 23:48 - 2014-05-30 02:52 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-08-27 23:48 - 2014-05-30 02:52 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-08-27 23:48 - 2014-05-30 01:36 - 00338944 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-08-27 23:48 - 2014-04-04 21:25 - 01294272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-08-27 23:48 - 2014-04-04 21:24 - 00187840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\FWPKCLNT.SYS
2014-08-27 23:48 - 2014-01-23 21:18 - 01212352 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2014-08-27 23:48 - 2013-11-26 06:11 - 00240576 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2014-08-27 23:48 - 2013-10-03 20:49 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2014-08-27 23:48 - 2013-10-03 20:17 - 00177152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys
2014-08-27 23:47 - 2014-08-06 20:43 - 00412160 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-08-27 23:47 - 2014-08-06 20:39 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-08-27 23:47 - 2013-12-24 18:09 - 01987584 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2014-08-27 23:47 - 2013-11-26 03:16 - 03419136 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2014-08-27 23:43 - 2014-04-24 21:06 - 00626688 _____ (Microsoft Corporation) C:\Windows\system32\usp10.dll
2014-08-27 23:43 - 2014-01-28 21:06 - 00381440 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-08-27 23:43 - 2013-10-11 21:03 - 00656896 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2014-08-27 23:43 - 2013-10-11 21:01 - 00679424 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2014-08-27 23:43 - 2013-10-11 21:01 - 00216576 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2014-08-27 23:43 - 2013-10-05 14:57 - 01168384 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2014-08-27 23:42 - 2014-06-24 20:41 - 12874240 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-08-27 23:42 - 2014-03-04 04:17 - 00868352 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2014-08-27 23:42 - 2013-11-26 20:14 - 00258560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-08-27 23:42 - 2013-11-26 20:13 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-08-27 23:42 - 2013-11-26 20:13 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-08-27 23:42 - 2013-11-26 20:13 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-08-27 23:42 - 2013-11-26 20:13 - 00024064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-08-27 23:42 - 2013-11-26 20:13 - 00020480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-08-27 23:42 - 2013-11-26 20:13 - 00006016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-08-27 23:41 - 2013-12-03 21:03 - 00428032 _____ (Microsoft Corporation) C:\Windows\system32\secproc.dll
2014-08-27 23:41 - 2013-12-03 21:03 - 00423936 _____ (Microsoft Corporation) C:\Windows\system32\secproc_isv.dll
2014-08-27 23:41 - 2013-12-03 21:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp_isv.dll
2014-08-27 23:41 - 2013-12-03 21:03 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\secproc_ssp.dll
2014-08-27 23:41 - 2013-12-03 21:02 - 00390144 _____ (Microsoft Corporation) C:\Windows\system32\msdrm.dll
2014-08-27 23:41 - 2013-12-03 20:54 - 00594944 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_isv.exe
2014-08-27 23:41 - 2013-12-03 20:54 - 00572416 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate.exe
2014-08-27 23:41 - 2013-12-03 20:54 - 00510976 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp.exe
2014-08-27 23:41 - 2013-12-03 20:54 - 00508928 _____ (Microsoft Corporation) C:\Windows\system32\RMActivate_ssp_isv.exe
2014-08-27 23:33 - 2014-06-05 09:26 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-08-27 23:33 - 2014-04-11 21:15 - 00136640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-08-27 23:33 - 2014-04-11 21:15 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2014-08-27 23:33 - 2014-04-11 21:12 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2014-08-27 23:33 - 2014-04-11 21:12 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2014-08-27 23:33 - 2014-04-11 21:12 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2014-08-27 23:33 - 2014-04-11 21:11 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2014-08-27 23:33 - 2013-07-04 07:16 - 00369848 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2014-08-27 23:15 - 2014-05-14 11:23 - 01973728 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-08-27 23:15 - 2014-05-14 11:23 - 00054240 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-08-27 23:15 - 2014-05-14 11:23 - 00045536 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-08-27 23:15 - 2014-05-14 11:17 - 02425856 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-08-27 23:14 - 2014-05-14 11:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-08-27 23:14 - 2014-05-14 11:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2014-08-27 23:14 - 2014-05-14 11:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-08-27 23:14 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-08-27 23:14 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-08-27 22:05 - 2014-08-27 22:39 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-08-27 20:56 - 2014-08-27 21:02 - 00033512 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-08-27 20:56 - 2014-08-27 20:56 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-08-27 20:41 - 2014-08-27 20:41 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Adobe
2014-08-27 20:11 - 2014-08-27 20:11 - 00000000 ____D () C:\Windows\ERUNT
2014-08-27 20:05 - 2014-08-27 23:34 - 00000000 ____D () C:\AdwCleaner
2014-08-14 23:04 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Awunsia
2014-08-14 13:57 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Xeequnf
2014-08-13 17:06 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Efgabyno
2014-08-12 22:51 - 2014-08-12 22:53 - 00000000 ____D () C:\Users\Cindy\Desktop\favorites backup
2014-08-12 13:01 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Ovmyivtu
2014-08-12 08:59 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Zaydcom
2014-08-09 20:53 - 2014-08-27 21:54 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Xorako
2014-08-09 19:56 - 2014-08-27 21:54 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Ekacizk
2014-08-09 13:01 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Fyyqeko
2014-08-09 00:19 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Usyrzec

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-07 10:05 - 2014-09-06 11:39 - 00020868 _____ () C:\Users\Cindy\Desktop\Addition.txt
2014-09-07 10:05 - 2014-09-06 11:37 - 00060699 _____ () C:\Users\Cindy\Desktop\FRST.txt
2014-09-07 10:05 - 2014-09-06 11:37 - 00000000 ____D () C:\FRST
2014-09-07 10:02 - 2014-09-07 10:02 - 00000000 ____D () C:\Users\Cindy\AppData\Local\CrashDumps
2014-09-07 09:53 - 2009-07-13 23:34 - 00026336 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-07 09:53 - 2009-07-13 23:34 - 00026336 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-07 09:50 - 2010-02-18 23:08 - 01699944 _____ () C:\Windows\WindowsUpdate.log
2014-09-07 09:47 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-07 09:47 - 2009-07-13 23:39 - 00068988 _____ () C:\Windows\setupact.log
2014-09-06 21:08 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2014-09-06 18:57 - 2010-04-08 07:49 - 00576512 ___SH () C:\Users\Cindy\Desktop\Thumbs.db
2014-09-06 13:07 - 2011-08-18 22:52 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Clip Art Collection
2014-09-06 11:36 - 2014-09-06 11:36 - 01096704 _____ (Farbar) C:\Users\Cindy\Desktop\FRST.exe
2014-09-03 22:48 - 2014-09-03 22:31 - 00000000 ____D () C:\Users\Cindy\Desktop\malware repair
2014-09-03 22:45 - 2014-09-03 22:45 - 00016513 _____ () C:\Users\Cindy\Desktop\dds.txt
2014-09-03 22:39 - 2010-02-18 21:31 - 00786598 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-03 21:18 - 2010-02-21 20:17 - 00000000 ____D () C:\Users\Cindy\AppData\Local\Adobe
2014-09-03 21:17 - 2014-09-03 21:17 - 00699568 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-09-03 21:17 - 2014-09-03 21:17 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-09-03 21:07 - 2014-09-03 20:56 - 00000000 ____D () C:\Windows\pss
2014-09-03 20:46 - 2014-09-03 20:44 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Process Hacker 2
2014-09-03 19:42 - 2014-09-03 19:42 - 00000000 ____D () C:\Program Files\Trend Micro
2014-09-01 23:03 - 2010-02-18 21:44 - 00000000 ____D () C:\Users\Cindy\Documents\kids
2014-08-28 07:41 - 2014-08-28 07:41 - 00000000 __SHD () C:\Users\Cindy\AppData\Local\EmieUserList
2014-08-28 07:41 - 2014-08-28 07:41 - 00000000 __SHD () C:\Users\Cindy\AppData\Local\EmieSiteList
2014-08-28 07:35 - 2009-07-13 23:46 - 00001515 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2014-08-28 02:41 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-08-28 02:15 - 2010-02-18 22:40 - 00114942 _____ () C:\Windows\PFRO.log
2014-08-28 02:15 - 2009-07-13 23:33 - 00439440 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-08-28 02:12 - 2014-08-28 02:12 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-08-28 02:12 - 2009-07-14 02:50 - 00000000 ____D () C:\Program Files\Windows Journal
2014-08-28 02:02 - 2010-02-18 22:08 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-08-28 01:58 - 2013-07-26 11:40 - 00000000 ____D () C:\Windows\system32\MRT
2014-08-28 01:37 - 2014-08-28 01:37 - 00000000 ____D () C:\Program Files\Common Files\DESIGNER
2014-08-28 01:07 - 2014-08-28 01:04 - 00007677 _____ () C:\Windows\IE11_main.log
2014-08-28 01:05 - 2014-08-28 01:05 - 00645120 _____ (Microsoft Corporation) C:\Windows\system32\jsIntl.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00616104 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dat
2014-08-28 01:05 - 2014-08-28 01:05 - 00610304 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00337408 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2014-08-28 01:05 - 2014-08-28 01:05 - 00233472 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00208384 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00194048 _____ (Microsoft Corporation) C:\Windows\system32\elshyph.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00182272 _____ (Microsoft Corporation) C:\Windows\system32\msls31.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00151552 _____ (Microsoft Corporation) C:\Windows\system32\iexpress.exe
2014-08-28 01:05 - 2014-08-28 01:05 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\wextract.exe
2014-08-28 01:05 - 2014-08-28 01:05 - 00127488 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00116736 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\IEAdvpack.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00086016 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00083456 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00074240 _____ (Microsoft Corporation) C:\Windows\system32\SetIEInstalledDate.exe
2014-08-28 01:05 - 2014-08-28 01:05 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-08-28 01:05 - 2014-08-28 01:05 - 00069120 _____ (Microsoft Corporation) C:\Windows\system32\icardie.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\tdc.ocx
2014-08-28 01:05 - 2014-08-28 01:05 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\pngfilt.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\mshtmler.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\imgutil.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00024576 _____ (Microsoft Corporation) C:\Windows\system32\licmgr10.dll
2014-08-28 01:05 - 2014-08-28 01:05 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-08-28 01:05 - 2014-08-28 01:05 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-08-28 00:37 - 2012-11-13 22:33 - 00000000 ____D () C:\Users\Administrator
2014-08-27 23:34 - 2014-08-27 20:05 - 00000000 ____D () C:\AdwCleaner
2014-08-27 23:10 - 2009-07-13 21:04 - 00000215 _____ () C:\Windows\system.ini
2014-08-27 23:09 - 2012-11-13 23:59 - 00000000 ____D () C:\Windows\erdnt
2014-08-27 22:39 - 2014-08-27 22:05 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-08-27 21:56 - 2014-08-14 23:04 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Awunsia
2014-08-27 21:56 - 2014-08-14 13:57 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Xeequnf
2014-08-27 21:56 - 2014-08-13 17:06 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Efgabyno
2014-08-27 21:56 - 2014-08-12 13:01 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Ovmyivtu
2014-08-27 21:56 - 2014-08-12 08:59 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Zaydcom
2014-08-27 21:56 - 2014-08-09 13:01 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Fyyqeko
2014-08-27 21:56 - 2014-08-09 00:19 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Usyrzec
2014-08-27 21:56 - 2014-04-19 21:40 - 00000000 ____D () C:\Program Files\Flash Update
2014-08-27 21:56 - 2009-07-13 23:52 - 00000000 ____D () C:\Windows\addins
2014-08-27 21:54 - 2014-08-09 20:53 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Xorako
2014-08-27 21:54 - 2014-08-09 19:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Ekacizk
2014-08-27 21:45 - 2010-03-17 15:05 - 00000000 ____D () C:\Program Files\Google
2014-08-27 21:30 - 2012-11-13 22:49 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-08-27 21:02 - 2014-08-27 20:56 - 00033512 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-08-27 21:02 - 2010-12-10 21:00 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-08-27 21:02 - 2010-12-10 21:00 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy
2014-08-27 20:56 - 2014-08-27 20:56 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-08-27 20:41 - 2014-08-27 20:41 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Adobe
2014-08-27 20:41 - 2010-03-17 15:05 - 00000000 ____D () C:\Windows\system32\Adobe
2014-08-27 20:41 - 2010-02-21 20:20 - 00000000 ____D () C:\Program Files\Adobe
2014-08-27 20:41 - 2010-02-20 09:16 - 00000000 ____D () C:\Windows\system32\Macromed
2014-08-27 20:11 - 2014-08-27 20:11 - 00000000 ____D () C:\Windows\ERUNT
2014-08-27 20:10 - 2009-07-13 23:53 - 00032626 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-08-27 00:20 - 2010-02-18 21:35 - 00000000 ___RD () C:\Users\Cindy
2014-08-22 20:46 - 2014-08-27 23:50 - 00305152 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-08-22 19:42 - 2014-08-27 23:50 - 02352640 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-08-13 15:49 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-08-12 22:53 - 2014-08-12 22:51 - 00000000 ____D () C:\Users\Cindy\Desktop\favorites backup
2014-08-12 21:31 - 2014-04-23 00:36 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-08-10 09:44 - 2013-12-19 08:28 - 00000000 ____D () C:\Users\Cindy\AppData\Local\Adworks

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
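FRST's "Bamital & volsnap Check" above reports whether a handful of binaries that run at logon still carry a valid digital signature; a file infector that patches one of them breaks that signature. As an added example (my code, not FRST's and not something posted in the thread), this PowerShell snippet repeats the same check with the built-in Get-AuthenticodeSignature cmdlet over the same list of files. The file list is taken from the log; the output wording and the Microsoft-signer test are mine.

```powershell
# Added example, not FRST's code: verify the signatures of the core binaries
# FRST lists in its "Bamital & volsnap Check". Read-only; run as Administrator
# so every file can be opened.
$sys = Join-Path $env:SystemRoot 'system32'
$critical = @(
    (Join-Path $env:SystemRoot 'explorer.exe'),
    (Join-Path $sys 'winlogon.exe'),
    (Join-Path $sys 'wininit.exe'),
    (Join-Path $sys 'svchost.exe'),
    (Join-Path $sys 'services.exe'),
    (Join-Path $sys 'User32.dll'),
    (Join-Path $sys 'userinit.exe'),
    (Join-Path $sys 'rpcss.dll'),
    (Join-Path $sys 'Drivers\volsnap.sys')
)

foreach ($path in $critical) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "$path => MISSING"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    # A genuine Windows file is signed by Microsoft; HashMismatch means the file
    # on disk no longer matches what was signed, which is what an infector leaves.
    if ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*') {
        Write-Output "$path => File is digitally signed ($signer)"
    } else {
        Write-Output "$path => CHECK: status=$($sig.Status) signer=$signer"
    }
}
```

One caveat a practitioner should know before reading the output: most Windows system files are signed through security catalogs rather than with an embedded signature, and Get-AuthenticodeSignature only consults catalogs on PowerShell 5.1 and later. On Windows 7 with its stock PowerShell 2.0, files such as svchost.exe therefore report NotSigned from this cmdlet even when they are intact, so only HashMismatch or an unexpected signer is meaningful there; Sysinternals sigcheck, like FRST, does verify catalog signatures.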


#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:20 AM

Posted 08 September 2014 - 12:10 AM

Hi,

 

Thanks for the logs. I will reply later today since I am at work right now.

 

 

Regards,

Georgi




#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:20 AM

Posted 08 September 2014 - 11:46 AM

Hi,
 
 
Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.
 

Let me know if the problem still persists after the fix has been performed.

 

 

Regards,
Georgi


Edited by B-boy/StyLe/, 08 September 2014 - 11:48 AM.



#11 msquared

msquared
  • Topic Starter

  • Members
  • 11 posts
  • Local time:01:20 AM

Posted 08 September 2014 - 07:19 PM

Georgi,

 

Sorry that took so long. I was at work and this site is blocked from there. I ran the fix file in FRST and so far it appears to be working. I have no rogue instances of iexplore.exe running right now in task manager after at least 20 minutes up and running. Yay! Interesting that I had seen the hrejwxee.exe and gpqbmjuk.exe in my startup tab in msconfig, but I couldn't find anything about them using a web search. So I wasn't sure if they were the problem or not.

 

Here is the Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 07-09-2014
Ran by Cindy at 2014-09-08 19:00:50 Run:1
Running from C:\Users\Cindy\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKU\S-1-5-21-3999264683-2072094160-444931896-1003\...\Run: [Adworks] => regsvr32.exe C:\Users\Cindy\AppData\Local\Adworks\ASMweld217A.dll <===== ATTENTION
C:\Users\Cindy\AppData\Local\Adworks\ASMweld217A.dll
Folder: C:\Users\Cindy\AppData\Local\Adworks
URLSearchHook: HKCU - (No Name) - {548f6736-8fe4-4680-82f2-170d6c07e1d2} -  No File
URLSearchHook: HKCU - (No Name) - {f92a9fe4-2850-4198-b9d5-279880e49b16} -  No File
SearchScopes: HKCU - {53F935F4-0C14-42A5-892E-569EA203FB29} URL = http://websearch.ask.com/redirect?client=ie&tb=OVO2&o=2159&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=^A2E&apn_dtid=^YYYYYY^YY^US&apn_uid=bd4902a8-b7b3-4fc8-8d52-9c8726669ae4&apn_sauid=FFA100D5-39F4-4C20-80B5-311BFC0EA643
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=246&itype=n&ver=13001&tm=417&src=ds&p={searchTerms}
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL = http://search.conduit.com/Results.aspx?gd=&ctid=CT3325565&octid=EB_ORIGINAL_CTID&ISID=M05A9ACD3-F41C-4C9F-8D8F-C3FBBFA9FFDD&SearchSource=58&CUI=&UM=5&UP=SP418157B1-A13B-4247-9FD5-9A4EEB0DF587&q={searchTerms}&SSPV=
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {548F6736-8FE4-4680-82F2-170D6C07E1D2} -  No File
Toolbar: HKCU - No Name - {F92A9FE4-2850-4198-B9D5-279880E49B16} -  No File
CHR DefaultSearchKeyword: Default -> conduit.search
CHR DefaultSearchProvider: Default -> Conduit Search
CHR DefaultSuggestURL: Default -> http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
2014-08-14 23:04 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Awunsia
2014-08-14 13:57 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Xeequnf
2014-08-13 17:06 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Efgabyno
2014-08-12 13:01 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Ovmyivtu
2014-08-12 08:59 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Zaydcom
2014-08-09 20:53 - 2014-08-27 21:54 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Xorako
2014-08-09 19:56 - 2014-08-27 21:54 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Ekacizk
2014-08-09 13:01 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Fyyqeko
2014-08-09 00:19 - 2014-08-27 21:56 - 00000000 ____D () C:\Users\Cindy\AppData\Roaming\Usyrzec
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
AlternateDataStreams: C:\ProgramData\TEMP:52D76DB8
AlternateDataStreams: C:\ProgramData\TEMP:CFBB419A
C:\Users\Cindy\AppData\Local\qtwturjj.exe
C:\Users\Cindy\AppData\Local\lwkqklfi.exe
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hrejwxee" /f
reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gpqbmjuk" /f
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
cmd: bitsadmin /reset /allusers
emptytemp:
end
*****************

Processes closed successfully.
HKU\S-1-5-21-3999264683-2072094160-444931896-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Adworks => value deleted successfully.
C:\Users\Cindy\AppData\Local\Adworks\ASMweld217A.dll => Moved successfully.

========================= Folder: C:\Users\Cindy\AppData\Local\Adworks ========================

2014-08-09 20:28 - 2014-08-09 20:28 - 0237328 _____ () C:\Users\Cindy\AppData\Local\Adworks\ASMweld217A.txt

====== End of Folder: ======

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{548f6736-8fe4-4680-82f2-170d6c07e1d2} => value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{f92a9fe4-2850-4198-b9d5-279880e49b16} => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{53F935F4-0C14-42A5-892E-569EA203FB29}" => Key deleted successfully.
"HKCR\CLSID\{53F935F4-0C14-42A5-892E-569EA203FB29}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}" => Key deleted successfully.
"HKCR\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}" => Key deleted successfully.
"HKCR\CLSID\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{548F6736-8FE4-4680-82F2-170D6C07E1D2} => value deleted successfully.
"HKCR\CLSID\{548F6736-8FE4-4680-82F2-170D6C07E1D2}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F92A9FE4-2850-4198-B9D5-279880E49B16} => value deleted successfully.
"HKCR\CLSID\{F92A9FE4-2850-4198-B9D5-279880E49B16}" => Key not found.
Chrome DefaultSearchKeyword deleted successfully.
CHR DefaultSearchProvider: Default -> Conduit Search ==> The Chrome "Settings" can be used to fix the entry.
Chrome DefaultSuggestURL deleted successfully.
C:\Users\Cindy\AppData\Roaming\Awunsia => Moved successfully.
C:\Users\Cindy\AppData\Roaming\Xeequnf => Moved successfully.
C:\Users\Cindy\AppData\Roaming\Efgabyno => Moved successfully.
C:\Users\Cindy\AppData\Roaming\Ovmyivtu => Moved successfully.
C:\Users\Cindy\AppData\Roaming\Zaydcom => Moved successfully.
C:\Users\Cindy\AppData\Roaming\Xorako => Moved successfully.
C:\Users\Cindy\AppData\Roaming\Ekacizk => Moved successfully.
C:\Users\Cindy\AppData\Roaming\Fyyqeko => Moved successfully.
C:\Users\Cindy\AppData\Roaming\Usyrzec => Moved successfully.
C:\ProgramData\TEMP => ":373E1720" ADS removed successfully.
C:\ProgramData\TEMP => ":52D76DB8" ADS removed successfully.
C:\ProgramData\TEMP => ":CFBB419A" ADS removed successfully.
"C:\Users\Cindy\AppData\Local\qtwturjj.exe" => File/Directory not found.
"C:\Users\Cindy\AppData\Local\lwkqklfi.exe" => File/Directory not found.

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hrejwxee" /f =========

The operation completed successfully.

 

========= End of Reg: =========

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gpqbmjuk" /f =========

The operation completed successfully.

 

========= End of Reg: =========

=========  netsh winsock reset catalog =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {9D6F2199-FA4A-4FCC-9B3F-D57E0434B84E}.
Unable to cancel {2222332F-CAAB-4823-8279-603D66AF77C7}.
Unable to cancel {B6A08F5F-717E-4A0A-B787-9AAE1ABD0505}.
Unable to cancel {1EEE1E66-71E1-490A-9F2E-0CCB3C74BBA4}.
0 out of 4 jobs canceled.

========= End of CMD: =========

EmptyTemp: => Removed 691.7 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====
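The fixlist above removes three distinct persistence classes: an HKCU Run value that loads a DLL from AppData\Local through regsvr32, msconfig startupreg entries left behind by random-named startup items, and alternate data streams attached to C:\ProgramData\TEMP. As an added example (my code, not FRST's and not posted in the thread), this read-only PowerShell audit reports those same classes on a Windows machine so they can be reviewed before any fix is written. It assumes PowerShell 3.0 or later (for the -Stream parameter); the function names, the loader and path regexes, and the eight-letter-name heuristic are my own and produce a triage list, not a verdict.

```powershell
# Added example, not FRST's code: report the persistence classes the fixlist
# removed. Nothing is deleted; review the output by hand.

function Get-SuspiciousRunValues {
    # Run/RunOnce values whose command uses a script host or DLL loader from a
    # user-writable location, the pattern of the Adworks regsvr32 entry.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $loaderPattern = '(?i)\b(regsvr32|rundll32|wscript|cscript|mshta|powershell)(\.exe)?\b'
    $userWritable  = '(?i)\\(AppData|ProgramData|Temp|Users\\Public)\\'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]($item.GetValue($name))
            $flags = @()
            if ($cmd -match $loaderPattern) { $flags += 'loader' }
            if ($cmd -match $userWritable)  { $flags += 'user-writable path' }
            if ($flags.Count -gt 0) {
                New-Object PSObject -Property @{
                    Key = $key; Name = $name; Command = $cmd; Flags = ($flags -join ', ')
                }
            }
        }
    }
}

function Get-MsconfigDisabledStartup {
    # Startup items disabled in msconfig are parked under startupreg; the
    # hrejwxee and gpqbmjuk entries were random eight-letter names with no vendor.
    $key = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Name            = $_.PSChildName
            Command         = $p.command
            EightLetterName = ($_.PSChildName -match '^[a-z]{8}$')  # crude heuristic
        }
    }
}

function Get-AlternateDataStreams {
    param([string]$Path = $env:ProgramData)
    # Named streams other than the default data stream and Zone.Identifier
    # (mark-of-the-web, benign) on $Path itself and on its direct children.
    # FRST found three such streams on the C:\ProgramData\TEMP folder.
    $targets = @(Get-Item -LiteralPath $Path -Force) +
               @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue)
    foreach ($t in $targets) {
        Get-Item -LiteralPath $t.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            Select-Object FileName, Stream, Length
    }
}

Write-Output '== Run/RunOnce values that look like loaders from user-writable paths =='
Get-SuspiciousRunValues | Format-Table -AutoSize
Write-Output '== msconfig-disabled startup entries =='
Get-MsconfigDisabledStartup | Format-Table -AutoSize
Write-Output '== Alternate data streams under ProgramData =='
Get-AlternateDataStreams | Format-Table -AutoSize
```

Legitimate software also runs updaters from AppData and occasionally ships DLLs registered via regsvr32, so a "loader" or "user-writable path" flag is a reason to look at the file's signature and publisher, not proof of infection. If -Stream does not list streams on a folder itself in your PowerShell build, `dir /r C:\ProgramData` from cmd.exe shows the same information.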



#12 msquared

msquared
  • Topic Starter

  • Members
  • 11 posts
  • Local time:01:20 AM

Posted 08 September 2014 - 08:19 PM

Update: about 75 minutes now and still no rogue instances of iexplore.exe have started up.  So it appears to be fixed.  Awesome!  I haven't done anything else yet.  I assume there is some cleanup that I need to do, as well as other follow-up?



#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:20 AM

Posted 09 September 2014 - 04:11 AM

Hello,

 

Nice work! We managed to deal with the trojan. :)

 

However, I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

 

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

 

 

STEP 1

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

STEP 2

 

 

  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
     
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 4

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.0.2.1012.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14-day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

STEP 5

1. Please download HitmanPro.

  • For 32-bit Operating System (download link).
  • This is the mirror (mirror link).
  • For 64-bit Operating System (download link).
  • This is the mirror (mirror link).

2. Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run, then please open the program while holding down the left CTRL key until the program is loaded.

3. Click on the next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8. Click on the next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a dropdown menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

Regards,

Georgi


#14 msquared (Topic Starter)

Posted 09 September 2014 - 06:28 PM

Georgi, I have completed those steps as directed. Here are the results.

STEP 1 - Rkill log:

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/09/2014 04:01:20 PM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 09/09/2014 04:03:21 PM
Execution time: 0 hours(s), 2 minute(s), and 1 seconds(s)

STEP 2 - RogueKiller

RogueKiller report: http://pastebin.com/3TXvND3q

STEP 3 - TDSSKiller

TDSSKiller report: http://pastebin.com/DYRSH0LQ

STEP 4 - Malwarebytes

Malwarebytes log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/9/2014
Scan Time: 5:54:44 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.09.06
Rootkit Database: v2014.08.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Cindy

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 371798
Time Elapsed: 14 min, 15 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

STEP 5 - HitmanPro

HitmanPro log:

HitmanPro 3.7.9.225
www.hitmanpro.com
 
   Computer name . . . . : CINDYSLAPTOP
   Windows . . . . . . . : 6.1.1.7601.X86/2
   User name . . . . . . : Cindyslaptop\Cindy
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Free
 
   Scan date . . . . . . : 2014-09-09 18:14:26
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 3m 29s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 41
 
   Objects scanned . . . : 1,495,474
   Files scanned . . . . : 70,318
   Remnants scanned  . . : 525,567 files / 899,589 keys
 
Suspicious files ____________________________________________________________
 
   C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST-OlderVersion\FRST.exe
      Size . . . . . . . : 1,096,704 bytes
      Age  . . . . . . . : 3.3 days (2014-09-06 11:36:21)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : A4E18A6E5B48219EE5D3DCE3FFFEC8A21B8BF1F187BC206A27A45860B5F1B00C
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
          0.0s C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST.exe
          0.0s C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST.exe
          0.0s C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST.exe
          0.0s C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST.exe
          0.0s C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST-OlderVersion\FRST.exe
 
   C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST.exe
      Size . . . . . . . : 1,097,728 bytes
      Age  . . . . . . . : 3.3 days (2014-09-06 11:36:21)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 48EDAF37E8B824E2FFE2DEF51B4B5F493610BC72DDBF16400920869BE4F6C815
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
          0.0s C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST.exe
          0.0s C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST.exe
          0.0s C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST.exe
          0.0s C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST.exe
          0.0s C:\Users\Cindy\Desktop\malware repair\FRST progarm and logs\FRST-OlderVersion\FRST.exe
 
   C:\Users\Cindy\Desktop\malware repair\FSS.exe
      Size . . . . . . . : 415,232 bytes
      Age  . . . . . . . : 5.8 days (2014-09-03 22:35:26)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : 149759CADFDF8C19A4104C7DB08BA490D33CFBD29785640385239087B79E1FD2
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.6s C:\Users\Cindy\Desktop\malware repair\adwcleaner_3.308.exe
         -0.5s C:\Users\Cindy\Desktop\malware repair\aswMBR.exe
         -0.3s C:\Users\Cindy\Desktop\malware repair\ComboFix.exe
         -0.0s C:\Users\Cindy\Desktop\malware repair\dds.com
          0.0s C:\Users\Cindy\Desktop\malware repair\ESET Online Scanner.url
          0.0s C:\Users\Cindy\Desktop\malware repair\FSS.exe
          0.0s C:\Users\Cindy\Desktop\malware repair\HiJackThis.msi
          0.1s C:\Users\Cindy\Desktop\malware repair\iExplore.exe
          0.2s C:\Users\Cindy\Desktop\malware repair\JRT.exe
          0.2s C:\Users\Cindy\Desktop\mbam-setup-2.0.2.1012.exe
          1.1s C:\Users\Cindy\Desktop\malware repair\mbar-1.07.0.1012.exe
          1.8s C:\Users\Cindy\Desktop\malware repair\OTC.exe
          1.8s C:\Users\Cindy\Desktop\malware repair\OTL text commands 1.txt
          1.9s C:\Users\Cindy\Desktop\malware repair\OTL.exe
          2.0s C:\Users\Cindy\Desktop\malware repair\processhacker-2.33-setup.exe
          2.7s C:\$RECYCLE.BIN\S-1-5-21-3999264683-2072094160-444931896-1003\$RL9AQEH.exe
          2.9s C:\$RECYCLE.BIN\S-1-5-21-3999264683-2072094160-444931896-1003\$RZE43ON.exe
          3.2s C:\Users\Cindy\Desktop\malware repair\SecurityCheck.exe
          3.2s C:\$RECYCLE.BIN\S-1-5-21-3999264683-2072094160-444931896-1003\$RAZ1PH6.exe
          3.4s C:\Users\Cindy\Desktop\malware repair\TFC.exe
          3.5s C:\Users\Cindy\Desktop\malware repair\System Volume Information\
          3.5s C:\Users\Cindy\Desktop\malware repair\System Volume Information\IndexerVolumeGuid
 
 
Potential Unwanted Programs _________________________________________________
 
   ask.com
   C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Web Data
 
   conduit.search
   C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Web Data
 
   search.conduit.com
   C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Web Data
 
   HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622\ (Linkey)
   HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622\ (Linkey)
   HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_F06DEFF2-5B9C-490D-910F-35D3A9119622\ (Linkey)
   HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\ (FLV Player)
   HKU\S-1-5-18\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\ (FLV Player)
   HKU\S-1-5-19\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\ (FLV Player)
   HKU\S-1-5-21-3999264683-2072094160-444931896-1003\Software\AppDataLow\Software\AskToolbar\ (AskBar)
   HKU\S-1-5-21-3999264683-2072094160-444931896-1003\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\ (FLV Player)
   HKU\S-1-5-21-3999264683-2072094160-444931896-1003\Software\Linkey\ (Linkey)
   HKU\S-1-5-21-3999264683-2072094160-444931896-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{54739D49-AC03-4C57-9264-C5195596B3A1} (Linkey)
   HKU\S-1-5-21-3999264683-2072094160-444931896-1003\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}\ (AskBar)
   HKU\S-1-5-21-3999264683-2072094160-444931896-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{54739D49-AC03-4C57-9264-C5195596B3A1}\ (Linkey)
   HKU\S-1-5-21-3999264683-2072094160-444931896-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ (Yontoo)
 
Cookies _____________________________________________________________________
 
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\1M9CMAEW.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\1SFM6IM0.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\23R4FUB4.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\29E9MLEK.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\36U6QUNW.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\3S0DNU83.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\679JBUPC.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\6DKNXJ80.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\9P7VZUEQ.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\EI4J8H8E.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\G62YZ69N.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\HH52W2KE.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\IRQIEVZJ.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\MWGWRE3K.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\N0YYPZ7S.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\OE90XPF9.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\PNWLTXKT.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\Q12FQQE6.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\UB381KT9.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\WT1CMNG0.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\X6BUW8Y9.txt
   C:\Users\Cindy\AppData\Roaming\Microsoft\Windows\Cookies\YA7RATN4.txt
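
As an added example (not code from this thread or from HitmanPro), here is a small parser for the report layout posted above, so that the Threats/Traces summary, each suspicious file's heuristic fields and the PUP registry keys that the next reply calls "leftovers" can be pulled out of a log programmatically. The layout rules (section titles ending in underscores, 3/6/9-space indents, "(Name)" tags on registry keys) are inferred from the log above, and the embedded sample is a constructed, shortened excerpt using values taken from it.

```python
"""Parse a HitmanPro 3.x text report (layout of the log above) into records."""
import re
SECTION_RE = re.compile(r"^(\S.*?) _{5,}\s*$")        # "Suspicious files _____"
FIELD_RE = re.compile(r"^\s*(\S[^.:]*?)[ .]*: (.*)$")  # "Entropy  . . . : 7.9"
CLUSTER_RE = re.compile(r"^\s*(-?\d+\.\d+)s (.+)$")    # "-0.3s C:\...\x.exe"
REG_PUP_RE = re.compile(r"^(HK.+?) \((.+)\)$")         # "HKU\...\ (Linkey)"

# Constructed excerpt in the report's layout; values are taken from the log above.
SAMPLE_REPORT = r"""   Threats . . . . . . . : 0
   Traces  . . . . . . . : 41
Suspicious files ____________________________________________________________
   C:\Users\Cindy\Desktop\malware repair\FSS.exe
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : 149759CADFDF8C19A4104C7DB08BA490D33CFBD29785640385239087B79E1FD2
      Needs elevation  . : Yes
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated.
      Forensic Cluster
         -0.3s C:\Users\Cindy\Desktop\malware repair\ComboFix.exe
          0.0s C:\Users\Cindy\Desktop\malware repair\FSS.exe
Potential Unwanted Programs _________________________________________________
   ask.com
   C:\Users\Cindy\AppData\Local\Google\Chrome\User Data\Default\Web Data
   HKU\S-1-5-21-3999264683-2072094160-444931896-1003\Software\Linkey\ (Linkey)
   HKU\S-1-5-21-3999264683-2072094160-444931896-1003\Software\Microsoft\Internet Explorer\Approved Extensions\{54739D49-AC03-4C57-9264-C5195596B3A1} (Linkey)
"""

def parse_report(text):
    """Return (header fields, suspicious-file records, PUP name -> locations)."""
    summary, files, pups = {}, [], {}
    section = cur = pending = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if (m := SECTION_RE.match(line)):            # section title line
            section, cur = m.group(1), None
            continue
        indent = len(line) - len(line.lstrip(" "))
        if section is None:                          # report header, e.g. "Threats . : 0"
            if (m := FIELD_RE.match(line)):
                summary[m.group(1)] = m.group(2)
        elif section == "Suspicious files":
            if indent == 3:                          # a path line starts a new file record
                files.append(cur := {"path": line.strip(), "fields": {}, "reasons": [], "cluster": []})
            elif indent == 6 and (m := FIELD_RE.match(line)):
                cur["fields"][m.group(1)] = m.group(2)
            elif (m := CLUSTER_RE.match(line)):      # files written within seconds of it
                cur["cluster"].append((float(m.group(1)), m.group(2)))
            elif line.strip() != "Forensic Cluster":
                cur["reasons"].append(line.strip())  # HitmanPro's heuristic sentence
        elif section == "Potential Unwanted Programs":
            item = line.strip()
            if (m := REG_PUP_RE.match(item)):        # registry key tagged "(Name)"
                pups.setdefault(m.group(2), []).append(m.group(1))
            elif pending:                            # location line under a bare name
                pups.setdefault(pending, []).append(item)
                pending = None
            else:
                pending = item
    return summary, files, pups
```

Feeding the full log above through `parse_report` groups the 13 registry keys by PUP name (Linkey, FLV Player, AskBar, Yontoo), which is the shortest route to a removal list for the next step.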
 
 


#15 B-boy/StyLe/ (Malware Response Team)

Posted 10 September 2014 - 03:12 AM

Hello,

Let's get rid of the leftovers:

Please download the following file =>  and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Also I'd like us to scan your machine with ESET OnlineScan:

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Run ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on the download link to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check the box to accept the terms of use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List found threats.
  • Push Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish.

And finally let's check for outdated and vulnerable software on your PC:

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Regards,

Georgi