Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Undetectable recurring virus


  • This topic is locked This topic is locked
26 replies to this topic

#1 clipster

clipster

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:34 PM

Posted 10 September 2014 - 01:37 AM

For a while now I've been battling a recurring virus that when active knocks out my internet connection.  No web browsing, no email, no remote access - but LAN access is unaffected.  I've run several scanners - ESET, MBAM, Emsisoft - and nothing is found.  The only thing that fixes it is Combofix - but after a week or two, the problem returns. Sometimes there's an .exe in quarantine and other times a tcpip.reg in quarantine. I've run TDSS Killer and MBR Check and no rootkits are found.  I'm hoping you can identify the type of infection and possible sources of reinfection.  Attached is a combofix log of the most recent removal.  Thanks in advance for your assistance.

ComboFix 14-09-09.01 - rpugach 09/09/2014 18:30:09.7.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8136.5612 [GMT -7:00]
Running from: \\PCU-SERVER\TechTools\CF\ComboFix.exe
AV: Emsisoft Anti-Malware *Enabled/Updated* {8504DEEF-CC04-1F76-2137-F1A5F4A659DA}
AV: ESET Endpoint Antivirus 5.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: Emsisoft Anti-Malware *Enabled/Updated* {3E653F0B-EA3E-10F8-1B87-CAD78F211367}
SP: ESET Endpoint Antivirus 5.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Installer\{849C5961-C4EB-471F-A360-F9D78BFBD1DA}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-08-10 to 2014-09-10 )))))))))))))))))))))))))))))))
.
.
2014-09-10 04:06 . 2014-09-10 04:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-09-10 04:06 . 2014-09-10 04:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-10 04:06 . 2014-09-10 04:06 -------- d-----w- c:\users\adminpcu\AppData\Local\temp
2014-09-10 04:06 . 2014-09-10 04:06 -------- d-----w- c:\users\Admin\AppData\Local\temp
2014-09-09 09:56 . 2014-09-09 09:56 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5D6342C5-D805-4E7B-9AA6-BAA5E946FA8B}\offreg.dll
2014-09-09 07:50 . 2014-08-21 03:43 11319192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5D6342C5-D805-4E7B-9AA6-BAA5E946FA8B}\mpengine.dll
2014-09-03 01:59 . 2014-09-03 01:59 -------- d-----w- c:\users\RPugach\AppData\Local\Microsoft Help
2014-08-28 05:42 . 2014-08-23 02:07 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-28 05:42 . 2014-08-23 01:45 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-08-28 05:42 . 2014-08-23 00:59 3163648 ----a-w- c:\windows\system32\win32k.sys
2014-08-19 19:20 . 2014-08-19 19:25 -------- d-----w- c:\users\RPugach\AppData\Roaming\ICAClient
2014-08-19 19:20 . 2014-08-19 19:21 -------- d-----w- c:\programdata\Citrix
2014-08-19 19:20 . 2014-08-19 19:20 -------- d-----w- c:\program files (x86)\Common Files\Citrix
2014-08-19 19:20 . 2014-08-19 19:20 -------- d-----w- c:\users\RPugach\AppData\Local\Citrix
2014-08-19 19:20 . 2014-08-19 19:20 -------- d-----w- c:\program files (x86)\Citrix
2014-08-19 00:57 . 2014-08-19 00:57 -------- d-----w- c:\programdata\Emsisoft
2014-08-19 00:41 . 2014-09-10 01:28 -------- d-----w- c:\program files (x86)\Emsisoft Anti-Malware
2014-08-18 21:41 . 2014-05-12 14:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-08-18 21:41 . 2014-08-18 21:41 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-08-18 21:41 . 2014-05-12 14:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-08-18 21:41 . 2014-05-12 14:25 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-08-18 21:39 . 2014-08-18 21:39 -------- d-----w- c:\users\adminpcu\AppData\Local\Programs
2014-08-18 21:32 . 2014-08-18 21:37 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-08-18 21:07 . 2014-08-18 21:07 33512 ----a-w- c:\windows\SysWow64\drivers\TrueSight.sys
2014-08-18 21:07 . 2014-08-18 21:07 -------- d-----w- c:\programdata\RogueKiller
2014-08-18 20:56 . 2014-08-18 20:58 -------- d-----w- c:\programdata\HitmanPro
2014-08-16 10:00 . 2014-06-30 22:24 8856 ----a-w- c:\windows\system32\icardres.dll
2014-08-16 10:00 . 2014-06-30 22:14 8856 ----a-w- c:\windows\SysWow64\icardres.dll
2014-08-16 10:00 . 2014-03-09 21:48 171160 ----a-w- c:\windows\system32\infocardapi.dll
2014-08-16 10:00 . 2014-03-09 21:48 1389208 ----a-w- c:\windows\system32\icardagt.exe
2014-08-16 10:00 . 2014-03-09 21:47 99480 ----a-w- c:\windows\SysWow64\infocardapi.dll
2014-08-16 10:00 . 2014-03-09 21:47 619672 ----a-w- c:\windows\SysWow64\icardagt.exe
2014-08-16 10:00 . 2014-06-06 06:16 35480 ----a-w- c:\windows\SysWow64\TsWpfWrp.exe
2014-08-16 10:00 . 2014-06-06 06:12 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
2014-08-15 10:32 . 2014-07-16 03:23 2048 ----a-w- c:\windows\system32\tzres.dll
2014-08-15 10:32 . 2014-07-16 02:46 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-08-15 10:32 . 2014-06-03 10:02 3241984 ----a-w- c:\windows\system32\msi.dll
2014-08-15 10:32 . 2014-06-03 09:29 2363392 ----a-w- c:\windows\SysWow64\msi.dll
2014-08-15 10:32 . 2014-06-03 10:02 112064 ----a-w- c:\windows\system32\consent.exe
2014-08-15 10:32 . 2014-06-03 10:02 504320 ----a-w- c:\windows\system32\msihnd.dll
2014-08-15 10:32 . 2014-06-03 10:02 1941504 ----a-w- c:\windows\system32\authui.dll
2014-08-15 10:32 . 2014-06-03 09:29 337408 ----a-w- c:\windows\SysWow64\msihnd.dll
2014-08-15 10:32 . 2014-06-03 09:29 1805824 ----a-w- c:\windows\SysWow64\authui.dll
2014-08-15 10:32 . 2014-06-16 02:10 985536 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-08-15 10:32 . 2014-07-14 02:02 1216000 ----a-w- c:\windows\system32\rpcrt4.dll
2014-08-15 10:32 . 2014-07-14 01:40 664064 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2014-08-15 05:28 . 2014-08-15 05:28 189128 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\OFFICE15\LICLUA.EXE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-30 16:01 . 2014-05-07 18:27 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-28 14:36 . 2014-04-04 22:49 590536 ----a-w- c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-08-16 10:01 . 2014-04-04 22:58 99218768 ----a-w- c:\windows\system32\MRT.exe
2014-08-05 16:20 . 2010-11-21 03:27 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-07-01 17:36 . 2014-07-01 17:36 719360 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2014-07-01 17:36 . 2014-07-01 17:36 226304 ----a-w- c:\windows\system32\elshyph.dll
2014-07-01 17:36 . 2014-07-01 17:36 185344 ----a-w- c:\windows\SysWow64\elshyph.dll
2014-07-01 17:36 . 2014-07-01 17:36 158720 ----a-w- c:\windows\SysWow64\msls31.dll
2014-07-01 17:36 . 2014-07-01 17:36 150528 ----a-w- c:\windows\SysWow64\iexpress.exe
2014-07-01 17:36 . 2014-07-01 17:36 138752 ----a-w- c:\windows\SysWow64\wextract.exe
2014-07-01 17:36 . 2014-07-01 17:36 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-07-01 17:36 . 2014-07-01 17:36 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2014-07-01 17:36 . 2014-07-01 17:36 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2014-07-01 17:36 . 2014-07-01 17:36 38400 ----a-w- c:\windows\SysWow64\imgutil.dll
2014-07-01 17:36 . 2014-07-01 17:36 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-07-01 17:36 . 2014-07-01 17:36 12800 ----a-w- c:\windows\SysWow64\mshta.exe
2014-07-01 17:36 . 2014-07-01 17:36 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2014-07-01 17:36 . 2014-07-01 17:36 61952 ----a-w- c:\windows\SysWow64\tdc.ocx
2014-07-01 17:36 . 2014-07-01 17:36 361984 ----a-w- c:\windows\SysWow64\html.iec
2014-07-01 17:36 . 2014-07-01 17:36 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll
2014-07-01 17:36 . 2014-07-01 17:36 216064 ----a-w- c:\windows\system32\msls31.dll
2014-07-01 17:35 . 2014-07-01 17:35 905728 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-07-01 17:35 . 2014-07-01 17:35 81408 ----a-w- c:\windows\system32\icardie.dll
2014-07-01 17:35 . 2014-07-01 17:35 762368 ----a-w- c:\windows\system32\ieapfltr.dll
2014-07-01 17:35 . 2014-07-01 17:35 441856 ----a-w- c:\windows\system32\html.iec
2014-07-01 17:35 . 2014-07-01 17:35 27648 ----a-w- c:\windows\system32\licmgr10.dll
2014-07-01 17:35 . 2014-07-01 17:35 247296 ----a-w- c:\windows\system32\webcheck.dll
2014-07-01 17:35 . 2014-07-01 17:35 235008 ----a-w- c:\windows\system32\url.dll
2014-07-01 17:35 . 2014-07-01 17:35 173568 ----a-w- c:\windows\system32\ieUnatt.exe
2014-07-01 17:35 . 2014-07-01 17:35 167424 ----a-w- c:\windows\system32\iexpress.exe
2014-07-01 17:35 . 2014-07-01 17:35 144896 ----a-w- c:\windows\system32\wextract.exe
2014-07-01 17:35 . 2014-07-01 17:35 1400416 ----a-w- c:\windows\system32\ieapfltr.dat
2014-07-01 17:35 . 2014-07-01 17:35 102912 ----a-w- c:\windows\system32\inseng.dll
2014-07-01 17:35 . 2014-07-01 17:35 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2014-07-01 17:35 . 2014-07-01 17:35 77312 ----a-w- c:\windows\system32\tdc.ocx
2014-07-01 17:35 . 2014-07-01 17:35 62976 ----a-w- c:\windows\system32\pngfilt.dll
2014-07-01 17:35 . 2014-07-01 17:35 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2014-07-01 17:35 . 2014-07-01 17:35 51200 ----a-w- c:\windows\system32\imgutil.dll
2014-07-01 17:35 . 2014-07-01 17:35 48640 ----a-w- c:\windows\system32\mshtmler.dll
2014-07-01 17:35 . 2014-07-01 17:35 149504 ----a-w- c:\windows\system32\occache.dll
2014-07-01 17:35 . 2014-07-01 17:35 13824 ----a-w- c:\windows\system32\mshta.exe
2014-07-01 17:35 . 2014-07-01 17:35 136192 ----a-w- c:\windows\system32\iepeers.dll
2014-07-01 17:35 . 2014-07-01 17:35 135680 ----a-w- c:\windows\system32\IEAdvpack.dll
2014-07-01 17:35 . 2014-07-01 17:35 12800 ----a-w- c:\windows\system32\msfeedssync.exe
2014-06-18 02:18 . 2014-07-09 10:44 692736 ----a-w- c:\windows\system32\osk.exe
2014-06-18 01:51 . 2014-07-09 10:44 646144 ----a-w- c:\windows\SysWow64\osk.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-04-25 05:14 220632 ----a-w- c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-04-25 05:14 220632 ----a-w- c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-04-25 05:14 220632 ----a-w- c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HydraVisionDesktopManager"="c:\program files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [2013-05-16 389120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe" [2011-09-20 115048]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorIcon.exe" [2013-06-28 294896]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-05-16 642816]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2013-12-21 3478392]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-12-07 2771832]
"emsisoft anti-malware"="c:\program files (x86)\emsisoft anti-malware\a2guard.exe" [2014-09-08 4867544]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2013-06-28 383368]
.
c:\users\RPugach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Send to OneNote.lnk - c:\program files\Microsoft Office 15\root\office15\ONENOTEM.EXE /tsr [2014-8-8 195248]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2013-2-1 1155912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 DellDataVault;Dell Data Vault;c:\program files\Dell\DellDataVault\DellDataVault.exe ;c:\program files\Dell\DellDataVault\DellDataVault.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 ESHASRV;ESET SHA Service;c:\program files\ESET\ESET Endpoint Antivirus\EShaSrv.exe;c:\program files\ESET\ESET Endpoint Antivirus\EShaSrv.exe [x]
R3 iaStorS;iaStorS;c:\windows\system32\drivers\iaStorS.sys;c:\windows\SYSNATIVE\drivers\iaStorS.sys [x]
R3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;c:\program files\Intel\iCLS Client\SocketHeciServer.exe;c:\program files\Intel\iCLS Client\SocketHeciServer.exe [x]
R3 InvProtectDrv;InvProtectDrv;c:\program files (x86)\Invincea\Enterprise\X64\InvProtectDrv64.sys;c:\program files (x86)\Invincea\Enterprise\X64\InvProtectDrv64.sys [x]
R3 InvProtectSvc;Invincea Enterprise Service;c:\program files (x86)\Invincea\Enterprise\X64\InvProtectSvc64.exe;c:\program files (x86)\Invincea\Enterprise\X64\InvProtectSvc64.exe [x]
R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys;c:\windows\SYSNATIVE\DRIVERS\netvsc60.sys [x]
R3 SboxDrv;SboxDrv;c:\program files (x86)\Invincea\Enterprise\Sandbox\SboxDrv.sys;c:\program files (x86)\Invincea\Enterprise\Sandbox\SboxDrv.sys [x]
R3 SboxSvc;SboxSvc;c:\program files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe;c:\program files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe [x]
R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys;c:\windows\SYSNATIVE\DRIVERS\VMBusVideoM.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 amdkmpfd;AMD PCI Root Bus Lower Filter;c:\windows\system32\DRIVERS\amdkmpfd.sys;c:\windows\SYSNATIVE\DRIVERS\amdkmpfd.sys [x]
S0 CredFltL;Dell SED PBA Filter;c:\windows\system32\DRIVERS\CredFltL.sys;c:\windows\SYSNATIVE\DRIVERS\CredFltL.sys [x]
S0 iaStorA;iaStorA;c:\windows\system32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys [x]
S0 iaStorF;iaStorF;c:\windows\system32\drivers\iaStorF.sys;c:\windows\SYSNATIVE\drivers\iaStorF.sys [x]
S0 SEDFilter;Dell SED PBA Enhancement;c:\windows\system32\DRIVERS\SEDFilter.sys;c:\windows\SYSNATIVE\DRIVERS\SEDFilter.sys [x]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [x]
S1 a2injectiondriver;a2injectiondriver;c:\program files (x86)\Emsisoft Anti-Malware\a2dix64.sys;c:\program files (x86)\Emsisoft Anti-Malware\a2dix64.sys [x]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files (x86)\Emsisoft Anti-Malware\a2util64.sys;c:\program files (x86)\Emsisoft Anti-Malware\a2util64.sys [x]
S1 asd2fsm;asd2fsm;c:\windows\system32\DRIVERS\asd2fsm.sys;c:\windows\SYSNATIVE\DRIVERS\asd2fsm.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S2 a2AntiMalware;Emsisoft Protection Service;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 DellDigitalDelivery;Dell Digital Delivery Service;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe [x]
S2 DellMgmtAgent;Dell Management Agent Service;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.exe;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.exe [x]
S2 DellMgmtLoader;Dell Security Framework Loader;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Loader.exe;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Loader.exe [x]
S2 DellMgmtServer;DELL Security Framework Local Server;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.MgmtServer.exe;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.MgmtServer.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe;c:\program files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfpr.sys [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorDataMgrSvc.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 poaService;Dell PPO Service;c:\program files\Dell\PPO\poaService.exe;c:\program files\Dell\PPO\poaService.exe [x]
S2 PoaSMSrv;Dell PPO System Maintenance Service;c:\program files\Dell\PPO\poaSmSrv.exe;c:\program files\Dell\PPO\poaSmSrv.exe [x]
S2 poaTaServ;Dell PPO Track & Analyze Service;c:\program files\Dell\PPO\poaTaServ.exe;c:\program files\Dell\PPO\poaTaServ.exe [x]
S2 valWBFPolicyService;Validity WBF Policy Service;c:\windows\system32\valWBFPolicyService.exe;c:\windows\SYSNATIVE\valWBFPolicyService.exe [x]
S3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 cleanhlp;cleanhlp;c:\program files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys;c:\program files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [x]
S3 DellProf;DellProf;c:\windows\system32\drivers\DellProf.sys;c:\windows\SYSNATIVE\drivers\DellProf.sys [x]
S3 POADrvr;POADrvr;c:\windows\system32\drivers\POADrvr.sys;c:\windows\SYSNATIVE\drivers\POADrvr.sys [x]
S3 rusb3hub;Renesas Electronics USB 3.0 Hub Driver (Version 3.0);c:\windows\system32\DRIVERS\rusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\rusb3hub.sys [x]
S3 rusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver (Version 3.0);c:\windows\system32\DRIVERS\rusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\rusb3xhc.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - MBAMWebAccessControl
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-19 19:48]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-04-25 05:14 244696 ----a-w- c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-04-25 05:14 244696 ----a-w- c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-04-25 05:14 244696 ----a-w- c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-08-28 14:37 2335960 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-08-28 14:37 2335960 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-08-28 14:37 2335960 ----a-w- c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtDCpl64.exe" [2013-08-16 2908888]
"DellPoaEvents"="c:\program files\Dell\PPO\DellPoaEvents.exe" [2013-07-19 274936]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"CSFTrayApp"="c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.SystrayApp.exe" [2014-03-10 232288]
"egui"="c:\program files\ESET\ESET Endpoint Antivirus\egui.exe" [2013-10-07 4148664]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
TCP: Interfaces\{7B702A2C-769B-4EE6-BF72-6CD998FEE073}: NameServer = 192.168.1.200
FF - ProfilePath - c:\users\RPugach\AppData\Roaming\Mozilla\Firefox\Profiles\w3eizqpo.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Receiver.lnk - c:\windows\Installer\{849C5961-C4EB-471F-A360-F9D78BFBD1DA}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe /startup
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-09 21:09:23
ComboFix-quarantined-files.txt 2014-09-10 04:09
ComboFix2.txt 2014-08-18 17:27
ComboFix3.txt 2014-06-18 17:31
ComboFix4.txt 2014-06-12 02:58
ComboFix5.txt 2014-09-10 00:19
.
Pre-Run: 408,442,064,896 bytes free
Post-Run: 408,468,402,176 bytes free
.
- - End Of File - - 879509BC8FEDE8DF616081E3F9EE7C3A
5C616939100B85E558DA92B899A0FC36

Attached Files


Edited by Oh My!, 18 September 2014 - 08:52 AM.
Posted Combofix


BC AdBot (Login to Remove)

 


m

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:34 AM

Posted 15 September 2014 - 01:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/547574 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your destop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:34 PM

Posted 18 September 2014 - 08:51 AM

Greetings clipster and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. While I review our situation please run the below for me.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recover Scan Tool for either 32 bit or 64 bit systems and save it to your desktop <<< Important
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

Farbar's Service Scanner

--------------------
  • Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure the following options are checked:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

System Summary Information

--------------------
  • Press the windows key Windows_Logo_key.gif + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • FRST results
  • Addition log
  • FSS.txt
  • MiniToolbox report
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 clipster

clipster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:34 PM

Posted 18 September 2014 - 09:37 PM

Hello Gary, I'm John and yes you can call me by that.

 

As requested - FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-09-2014
Ran by rpugach (administrator) on PCU-WRKSTN11 on 18-09-2014 17:19:06
Running from C:\Users\RPugach\Desktop
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(DigitalPersona, Inc.) C:\Program Files\Dell\Dell Data Protection\Security Tools\Authentication\Bin\DpHostW.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(DigitalPersona, Inc.) C:\Program Files\Dell\Dell Data Protection\Security Tools\Authentication\Bin\DpCardEngine.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
() C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Loader.exe
(ESET) C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
(Dell Inc.) C:\Program Files\Dell\PPO\poaService.exe
(Dell Inc.) C:\Program Files\Dell\PPO\poaSmSrv.exe
(Dell Inc.) C:\Program Files\Dell\PPO\poaTaServ.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Validity Sensors, Inc.) C:\Windows\System32\valWBFPolicyService.exe
(Dell Inc.) C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.exe
(Dell, Inc.) C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.MgmtServer.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe
(Dell Inc.) C:\Program Files\Dell\PPO\DellPoaEvents.exe
() C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.SystrayApp.exe
(ESET) C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe
(AMD) C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorIcon.exe
(Advanced Micro Devices, Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(AMD) C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\System32\mstsc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\MSOSYNC.EXE
(Dell Products, LP.) C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_11_9_900_170_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe [2908888 2013-08-15] (Realtek Semiconductor Corp.)
HKLM\...\Run: [DellPoaEvents] => C:\Program Files\Dell\PPO\DellPoaEvents.exe [274936 2013-07-19] (Dell Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [CSFTrayApp] => C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.SystrayApp.exe [232288 2014-03-10] ()
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe [4148664 2013-10-07] (ESET)
HKLM-x32\...\Run: [RUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe [115048 2011-09-20] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorIcon.exe [294896 2013-06-28] (Intel Corporation)
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642816 2013-05-16] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3478392 2013-12-20] (Adobe Systems Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [2771832 2012-12-07] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [383368 2013-06-28] (Citrix Systems, Inc.)
HKU\S-1-5-21-764110063-4023192198-2192342070-1115\...\Run: [HydraVisionDesktopManager] => C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe [389120 2013-05-16] (AMD)
AppInit_DLLs-x32: C:\PROGRA~2\Citrix\ICACLI~1\RSHook.dll => C:\Program Files (x86)\Citrix\ICA Client\RSHook.dll [256392 2013-06-28] (Citrix Systems, Inc.)
Lsa: [Notification Packages] DPPassFilter scecli
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\Users\RPugach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - DefaultScope {ACA84257-AAEF-4B4C-B1C0-7635B3D483EC} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {ACA84257-AAEF-4B4C-B1C0-7635B3D483EC} URL = https://www.google.com/search?q={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Handler-x32: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\..\Interfaces\{7B702A2C-769B-4EE6-BF72-6CD998FEE073}: [NameServer] 192.168.1.200

FireFox:
========
FF ProfilePath: C:\Users\RPugach\AppData\Roaming\Mozilla\Firefox\Profiles\w3eizqpo.default
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin-x32: digitalpersona.com/ChromeDPAgent -> C:\Program Files (x86)\Dell\Dell Data Protection\Security Tools Authentication\Bin\BrowserExt\components\npChromeDPAgent.dll (DigitalPersona, Inc.)
FF Plugin HKCU: anvisoft.com/AdblockPlugin -> C:\ProgramData\Anvisoft\Anvi Smart Defender 2\extensions\npAdblockPlugin.dll No File
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-04-04]
FF HKLM-x32\...\Firefox\Extensions: [dpmaxz_ng@jetpack] - C:\Program Files (x86)\Dell\Dell Data Protection\Security Tools Authentication\Bin\BrowserExt\dpchrome
FF Extension: Dell Data Protection | Security Tools - C:\Program Files (x86)\Dell\Dell Data Protection\Security Tools Authentication\Bin\BrowserExt\dpchrome [2014-04-04]
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Endpoint Antivirus\Mozilla Thunderbird
FF Extension: ESET Endpoint Security Extension - C:\Program Files\ESET\ESET Endpoint Antivirus\Mozilla Thunderbird [2014-04-24]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2013-12-20]
CHR HKLM-x32\...\Chrome\Extension: [lhmiofmipcpmhgihiecmpiekcacigpgb] - C:\ProgramData\Anvisoft\Anvi Smart Defender 2\extensions\chrome.crx [2013-12-20]
CHR HKLM-x32\...\Chrome\Extension: [ncffjdbbodifgldkcbhmiiljfcnbgjab] - C:\Program Files (x86)\Dell\Dell Data Protection\Security Tools Authentication\Bin\BrowserExt\dpchrome.crx [2014-02-10]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2369720 2014-08-01] (Microsoft Corporation)
S3 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2486272 2013-04-30] (Dell Inc.) [File not signed]
R2 DellMgmtAgent; C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.exe [248160 2014-03-10] (Dell Inc.)
R2 DellMgmtLoader; C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Loader.exe [26464 2014-03-10] ()
R2 DellMgmtServer; C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.MgmtServer.exe [33632 2014-03-10] (Dell, Inc.)
R2 DpHost; C:\Program Files\Dell\Dell Data Protection\Security Tools\Authentication\Bin\DpHostW.exe [472912 2014-02-19] (DigitalPersona, Inc.)
S3 EhttpSrv; C:\Program Files\ESET\ESET Endpoint Antivirus\EHttpSrv.exe [42048 2013-10-07] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe [1025584 2013-10-07] (ESET)
S3 ESHASRV; C:\Program Files\ESET\ESET Endpoint Antivirus\EShaSrv.exe [191368 2013-10-07] (ESET)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
S3 InvProtectSvc; C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtectSvc64.exe [2947856 2013-07-30] (Invincea, Inc.)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-11-13] (Intel Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2012-07-31] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2012-07-31] (Hewlett-Packard) [File not signed]
R2 poaService; C:\Program Files\Dell\PPO\poaService.exe [641232 2013-07-19] (Dell Inc.)
R2 PoaSMSrv; C:\Program Files\Dell\PPO\poaSmSrv.exe [277712 2013-07-19] (Dell Inc.)
R2 poaTaServ; C:\Program Files\Dell\PPO\poaTaServ.exe [516304 2013-07-19] (Dell Inc.)
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-02-01] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2009-07-23] (Intuit Inc.) [File not signed]
S3 SboxSvc; C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe [124616 2013-07-30] ()
S2 tcsd_win32.exe; C:\Program Files\Dell\Dell Data Protection\Drivers\TSS\bin\tcsd_win32.exe [1636352 2012-12-10] (Security Innovation, Inc.) [File not signed]
R2 valWBFPolicyService; C:\Windows\system32\valWBFPolicyService.exe [35328 2013-10-09] (Validity Sensors, Inc.) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [38144 2013-05-16] (Advanced Micro Devices, Inc.)
R1 asd2fsm; C:\Windows\System32\DRIVERS\asd2fsm.sys [35344 2014-03-26] (Anvisoft)
R0 CredFltL; C:\Windows\System32\DRIVERS\CredFltL.sys [37120 2014-03-10] ()
R3 DellProf; C:\Windows\System32\drivers\DellProf.sys [23312 2013-04-29] (Dell Computer Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [219184 2013-10-28] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [185224 2013-09-09] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [155896 2013-09-09] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [147096 2013-09-09] (ESET)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [26512 2013-06-28] (Intel Corporation)
S3 iaStorS; C:\Windows\system32\drivers\iaStorS.sys [660880 2013-06-28] (Intel Corporation)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHD64.sys [2191832 2013-08-15] (Realtek Semiconductor Corp.)
S3 InvProtectDrv; C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtectDrv64.sys [34824 2013-07-30] ()
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-11-13] (Intel Corporation)
R3 POADrvr; C:\Windows\System32\drivers\POADrvr.sys [21264 2013-07-19] (Dell Computer Corporation)
R3 rusb3hub; C:\Windows\System32\DRIVERS\rusb3hub.sys [114568 2012-08-27] (Renesas Electronics Corporation)
R3 rusb3xhc; C:\Windows\System32\DRIVERS\rusb3xhc.sys [230280 2012-08-27] (Renesas Electronics Corporation)
S3 SboxDrv; C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxDrv.sys [202248 2013-07-30] ()
R0 SEDFilter; C:\Windows\System32\DRIVERS\SEDFilter.sys [61184 2014-03-10] (Dell Inc.)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
U3 TrueSight; C:\Windows\SysWOW64\drivers\TrueSight.sys [33512 2014-08-18] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-18 17:19 - 2014-09-18 17:19 - 00024037 _____ () C:\Users\RPugach\Desktop\FRST.txt
2014-09-18 17:18 - 2014-09-18 17:19 - 00000000 ____D () C:\FRST
2014-09-18 17:18 - 2014-09-18 17:18 - 02105856 _____ (Farbar) C:\Users\RPugach\Desktop\FRST64.exe
2014-09-11 03:03 - 2014-08-16 21:00 - 02239488 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-09-11 03:03 - 2014-08-16 21:00 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-09-11 03:03 - 2014-08-16 20:59 - 19280384 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-09-11 03:03 - 2014-08-16 20:59 - 01407488 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-09-11 03:03 - 2014-08-16 20:59 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-09-11 03:03 - 2014-08-16 20:59 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-09-11 03:03 - 2014-08-16 20:59 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 15399424 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 02655232 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 01508864 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-09-11 03:03 - 2014-08-16 20:58 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-09-11 03:03 - 2014-08-16 20:58 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 14369280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 13757440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 02055168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 01766400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 01440768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-09-11 03:03 - 2014-08-16 20:57 - 01180672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-09-11 03:03 - 2014-08-16 20:57 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-09-11 03:03 - 2014-08-16 00:25 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-09-11 03:03 - 2014-08-15 23:43 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-09-11 03:03 - 2014-08-15 23:34 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-09-11 03:03 - 2014-08-15 22:53 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2014-09-10 13:37 - 2014-07-06 19:06 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-09-10 13:37 - 2014-07-06 19:06 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-09-10 13:37 - 2014-07-06 18:40 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-09-10 13:37 - 2014-07-06 18:40 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-09-10 13:37 - 2014-07-06 18:39 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-09-09 21:09 - 2014-09-09 21:09 - 00031274 _____ () C:\ComboFix.txt
2014-09-02 18:59 - 2014-09-02 18:59 - 00000000 ____D () C:\Users\RPugach\AppData\Local\Microsoft Help
2014-08-27 22:42 - 2014-08-22 19:07 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-08-27 22:42 - 2014-08-22 18:45 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2014-08-27 22:42 - 2014-08-22 17:59 - 03163648 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-08-25 08:29 - 2014-08-25 08:29 - 00002210 _____ () C:\Users\Public\Desktop\MDsuite Workstation.lnk
2014-08-19 12:20 - 2014-08-19 12:25 - 00000000 ____D () C:\Users\RPugach\AppData\Roaming\ICAClient
2014-08-19 12:20 - 2014-08-19 12:21 - 00000000 ____D () C:\ProgramData\Citrix
2014-08-19 12:20 - 2014-08-19 12:20 - 00000000 ____D () C:\Users\RPugach\AppData\Local\Citrix
2014-08-19 12:20 - 2014-08-19 12:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix
2014-08-19 12:20 - 2014-08-19 12:20 - 00000000 ____D () C:\Program Files (x86)\Citrix

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-18 17:19 - 2014-09-18 17:19 - 00024037 _____ () C:\Users\RPugach\Desktop\FRST.txt
2014-09-18 17:19 - 2014-09-18 17:18 - 00000000 ____D () C:\FRST
2014-09-18 17:18 - 2014-09-18 17:18 - 02105856 _____ (Farbar) C:\Users\RPugach\Desktop\FRST64.exe
2014-09-18 17:16 - 2014-04-04 18:21 - 00131072 ___SH () C:\CredSED.dat
2014-09-18 17:14 - 2014-08-18 17:41 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
2014-09-18 17:14 - 2014-04-24 19:42 - 00000144 _____ () C:\Windows\system32\config\netlogon.ftl
2014-09-18 17:14 - 2010-11-20 20:47 - 00211956 _____ () C:\Windows\PFRO.log
2014-09-18 17:14 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-18 17:14 - 2009-07-13 21:51 - 00039692 _____ () C:\Windows\setupact.log
2014-09-18 17:12 - 2014-03-19 12:49 - 01961234 _____ () C:\Windows\WindowsUpdate.log
2014-09-18 16:48 - 2014-03-19 12:48 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-17 12:17 - 2009-07-13 21:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-17 12:17 - 2009-07-13 21:45 - 00021312 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-14 18:05 - 2009-07-13 22:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-09-11 03:26 - 2009-07-13 22:13 - 00783606 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-11 03:02 - 2014-04-04 15:58 - 00000000 ____D () C:\Windows\system32\MRT
2014-09-11 03:02 - 2011-02-10 07:33 - 00775728 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-09-11 03:00 - 2014-04-04 15:58 - 101694776 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-09-09 21:09 - 2014-09-09 21:09 - 00031274 _____ () C:\ComboFix.txt
2014-09-09 21:09 - 2014-05-07 10:45 - 00000000 ____D () C:\Qoobox
2014-09-09 21:06 - 2009-07-13 19:34 - 00000215 _____ () C:\Windows\system.ini
2014-09-02 18:59 - 2014-09-02 18:59 - 00000000 ____D () C:\Users\RPugach\AppData\Local\Microsoft Help
2014-08-28 07:37 - 2014-04-04 15:48 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-08-28 03:42 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\rescache
2014-08-28 03:17 - 2009-07-13 21:45 - 00345024 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-08-25 08:29 - 2014-08-25 08:29 - 00002210 _____ () C:\Users\Public\Desktop\MDsuite Workstation.lnk
2014-08-25 08:29 - 2014-04-24 20:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MDsuite
2014-08-25 06:53 - 2010-11-20 20:27 - 00270496 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-08-22 19:07 - 2014-08-27 22:42 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-08-22 18:45 - 2014-08-27 22:42 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2014-08-22 17:59 - 2014-08-27 22:42 - 03163648 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-08-19 12:25 - 2014-08-19 12:20 - 00000000 ____D () C:\Users\RPugach\AppData\Roaming\ICAClient
2014-08-19 12:21 - 2014-08-19 12:20 - 00000000 ____D () C:\ProgramData\Citrix
2014-08-19 12:20 - 2014-08-19 12:20 - 00000000 ____D () C:\Users\RPugach\AppData\Local\Citrix
2014-08-19 12:20 - 2014-08-19 12:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix
2014-08-19 12:20 - 2014-08-19 12:20 - 00000000 ____D () C:\Program Files (x86)\Citrix

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-09-16 00:57

==================== End Of Log ============================

 

Addition log:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-09-2014
Ran by rpugach at 2014-09-18 17:19:24
Running from C:\Users\RPugach\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: ESET Endpoint Antivirus 5.0 (Enabled - Up to date) {19259FAE-8396-A113-46DB-15B0E7DFA289}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: ESET Endpoint Antivirus 5.0 (Enabled - Up to date) {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 13.2.1 - Hewlett-Packard) Hidden
Adobe Acrobat XI Standard (HKLM-x32\...\{AC76BA86-1033-FFFF-BA7E-000000000006}) (Version: 11.0.06 - Adobe Systems)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Reader XI  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.00 - Adobe Systems Incorporated)
AMD Accelerated Video Transcoding (Version: 12.10.100.30516 - Advanced Micro Devices, Inc.) Hidden
AMD Catalyst Install Manager (HKLM\...\{0090FE16-2582-0185-73D2-292DA202F7F7}) (Version: 8.0.911.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM-x32\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AuthenTec Fingerprint Driver (Version: 1.6.2.0350 - AuthenTec) Hidden
AuthenTec WinBio FingerPrint Software 64-bit (Version: 3.4.2.1016 - AuthenTec, Inc.) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Catalyst Control Center - Branding (x32 Version: 1.00.0000 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center (x32 Version: 2013.0516.223.2363 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Graphics Previews Common (x32 Version: 2013.0516.223.2363 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center InstallProxy (x32 Version: 2013.0516.223.2363 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Localization All (x32 Version: 2013.0516.223.2363 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Profiles Desktop (x32 Version: 2013.0516.223.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Chinese Standard (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Chinese Traditional (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Czech (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Danish (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Dutch (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help English (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Finnish (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help French (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help German (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Greek (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Hungarian (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Italian (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Japanese (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Korean (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Norwegian (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Polish (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Portuguese (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Russian (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Spanish (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Swedish (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Thai (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
CCC Help Turkish (x32 Version: 2013.0516.0222.2363 - Advanced Micro Devices, Inc.) Hidden
ccc-utility64 (Version: 2013.0516.223.2363 - Advanced Micro Devices, Inc.) Hidden
Citrix Receiver (Enterprise) (HKLM-x32\...\CitrixOnlinePluginFull) (Version: 13.4.200.11 - Citrix Systems, Inc.)
Citrix Receiver (HDX Flash Redirection) (x32 Version: 13.4.200.11 - Citrix Systems, Inc.) Hidden
Citrix Receiver Inside (x32 Version: 3.4.200.45341 - Citrix Systems, Inc.) Hidden
Citrix Receiver(Aero) (x32 Version: 13.4.200.11 - Citrix Systems, Inc.) Hidden
Citrix Receiver(DV) (x32 Version: 13.4.200.11 - Citrix Systems, Inc.) Hidden
Citrix Receiver(PNA) (x32 Version: 13.4.200.11 - Citrix Systems, Inc.) Hidden
Citrix Receiver(SSON) (x32 Version: 13.4.200.11 - Citrix Systems, Inc.) Hidden
Citrix Receiver(USB) (x32 Version: 13.4.200.11 - Citrix Systems, Inc.) Hidden
CmgMasterPrerequisites (x32 Version: 1.3.0.522 - Credant Technologies Inc.) Hidden
Dell Client System Update (HKLM-x32\...\{04566294-A6B6-4462-9721-031073EB3694}) (Version: 1.3.0 - Dell Inc.)
Dell Data Protection | Client Security Framework (HKLM\...\{66C8CA72-6D54-4D00-81D5-707B15B202C4}) (Version: 8.3.0.1410 - Dell, Inc.)
Dell Data Protection | Security Tools (HKLM-x32\...\InstallShield_{812AA6D3-5BEB-4577-88B1-00998B91AB41}) (Version: 1.3.0.522 - Dell, Inc.)
Dell Data Protection | Security Tools (x32 Version: 1.3.0.522 - Dell, Inc.) Hidden
Dell Data Protection | Security Tools Authentication (HKLM\...\{CD34D7F5-F1D5-437F-AC5E-DA0D64866C3B}) (Version: 1.3.0.427 - DigitalPersona, Inc.)
Dell Data Vault (Version: 1.1.0.6 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{03A9F528-A754-460F-B2C1-AC125A147114}) (Version: 2.8.5000.0 - Dell Products, LP)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Dell Precision Performance Optimizer (HKLM-x32\...\{D66A3355-FEA4-4F60-8BAF-D6CBEDB396D8}) (Version: 01.07.00 - Dell Inc.) <==== ATTENTION
Dell Protected Workspace (HKLM-x32\...\{E2CAA395-66B3-4772-85E3-6134DBAB244E}) (Version: 2.3.15835 - Invincea, Inc.)
DigitalPersona TouchChip Driver (Version: 1.6.3.379 - DigitalPersona, Inc.) Hidden
ESET Endpoint Antivirus (HKLM\...\{8CD0547B-8CE7-4CAA-A413-A43B2C4D11FF}) (Version: 5.0.2225.0 - ESET, spol. s r.o.)
HydraVision (x32 Version: 4.2.252.0 - Advanced Micro Devices, Inc.) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.15.1730 - Intel Corporation)
Intel® Network Connections 18.1.59.00 (HKLM\...\PROSetDX) (Version: 18.1.59.00 - Intel)
Intel® Network Connections 18.1.59.00 (Version: 18.1.59.00 - Intel) Hidden
Intel® Rapid Storage Technology enterprise (HKLM-x32\...\{8B313BF5-9BD5-42a3-94C1-A28AF3AA51CC}) (Version: 3.7.0.1092 - Intel Corporation)
Intel® Trusted Connect Service Client (Version: 1.31.8.1 - Intel Corporation) Hidden
iTunes (HKLM\...\{B8BA155B-1E75-405F-9CB4-8A99615D09DC}) (Version: 11.1.5.5 - Apple Inc.)
MDsuite Workstation (HKLM-x32\...\{C00AC540-6E4C-4DB0-BDEE-F1FBF7DBDEBE}) (Version: 6.2.45.69 - Data Strategies, Inc.)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.5 (Version: 4.5.50709 - Microsoft Corporation) Hidden
Microsoft Office Home and Business 2013 - en-us (HKLM\...\HomeBusinessRetail - en-us) (Version: 15.0.4641.1003 - Microsoft Corporation)
Microsoft SkyDrive (HKCU\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP2 ENU (HKLM-x32\...\{3A9FC03D-C685-4831-94CF-4EDFD3749497}) (Version: 3.5.8080.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP2 x64 ENU (HKLM\...\{D4AD39AD-091E-4D33-BB2B-59F6FCB8ADC3}) (Version: 3.5.8080.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (HKLM\...\{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}) (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.60610 (Version: 11.0.60610 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.60610 (Version: 11.0.60610 - Microsoft Corporation) Hidden
Mozilla Firefox 28.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 28.0 (x86 en-US)) (Version: 28.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 28.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
O2Micro OZ776 SCR Driver (x32 Version: 1.1.4.223 - O2Micro) Hidden
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4641.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4641.1003 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4641.1003 - Microsoft Corporation) Hidden
Online Plug-in (x32 Version: 13.4.200.11 - Citrix Systems, Inc.) Hidden
QuickBooks (x32 Version: 20.0.4017.807 - Intuit Inc.) Hidden
QuickBooks Pro 2010 (HKLM-x32\...\{0700E22B-A422-40A5-BD20-04BF618CA0F9}) (Version: 20.0.4017.807 - Intuit Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5985 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{17528CE4-C333-48FB-A9E4-D841E795CDCE}) (Version: 3.0.23.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 3.0.23.0 - Renesas Electronics Corporation) Hidden
Security Innovation TSS (Version: 2.1.42 - Security Innovation) Hidden
Update for Microsoft .NET Framework 4.5 (KB2750147) (HKLM-x32\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB2750147) (Version: 1 - Microsoft Corporation)
Validity WBF DDK 495 (HKLM\...\{F622E82E-AFFA-4784-A08F-74311F5716CA}) (Version: 4.5.238.0 - Validity Sensors, Inc.)
VC_CRT_x64 (Version: 1.02.0000 - Intel Corporation) Hidden
VLC media player 1.1.1 (HKLM-x32\...\VLC media player) (Version: 1.1.1 - VideoLAN)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-764110063-4023192198-2192342070-1115_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-764110063-4023192198-2192342070-1115_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-764110063-4023192198-2192342070-1115_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-764110063-4023192198-2192342070-1115_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\FileSyncApi64.dll (Microsoft Corporation)

==================== Restore Points  =========================

16-08-2014 16:35:09 Windows Update
18-08-2014 00:39:37 Removed Dell Backup and Recovery
19-08-2014 02:58:39 Windows Update
20-08-2014 00:19:40 Windows Update
26-08-2014 12:51:23 Windows Update
28-08-2014 10:00:10 Windows Update
03-09-2014 00:34:49 Windows Update
09-09-2014 07:50:06 Windows Update
11-09-2014 10:00:11 Windows Update
17-09-2014 00:55:49 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2014-09-09 21:06 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {344834B6-30CC-46A3-86F7-A3ECEA859A1D} - System32\Tasks\Microsoft Office 15 Sync Maintenance for {10381a84-c698-40ac-a3ea-986427e76df7} PCU-WRKSTN11.PacificCoastUrology.local => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-08-28] (Microsoft Corporation)
Task: {543ECD90-FE22-42CB-99A5-94B832D5F165} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-19] (Adobe Systems Incorporated)
Task: {692A0DAB-B66F-4607-BFEA-094B281BE124} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {7F46B477-B075-40AC-AC82-A8E5F7E7AA89} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2014-08-01] (Microsoft Corporation)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-03-10 11:50 - 2014-03-10 11:50 - 00299360 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\authproxy.dll
2014-04-04 18:19 - 2014-05-20 09:19 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00026464 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Loader.exe
2014-03-10 11:50 - 2014-03-10 11:50 - 02172768 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Resources.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00027488 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Interfaces.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00082272 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Objects.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00062816 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Agent.Plugins.AuthProxy.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00070496 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Agent.Plugins.PBA.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00036192 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Agent.Plugins.SED.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00129376 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\CredSEDProxy.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00657248 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\CredCommon.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00869216 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\CryptoProvider.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00707424 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\DBManager.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00353632 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\OPALProvider.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 01496416 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\ConnectionProvider.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00047968 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\FVEProvider.dll
2014-08-28 07:37 - 2014-08-28 07:37 - 08892576 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2014-03-10 11:50 - 2014-03-10 11:50 - 00232288 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.SystrayApp.exe
2014-03-10 11:50 - 2014-03-10 11:50 - 00360800 _____ () C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.UXLib.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 20:58 - 2014-02-12 20:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-06-17 06:37 - 2014-06-17 06:37 - 00316584 _____ () C:\Program Files\Microsoft Office 15\root\office15\AppVIsvStream32.dll
2014-06-17 06:37 - 2014-06-17 06:37 - 00316584 _____ () C:\Program Files\Microsoft Office 15\Root\Office15\AppVIsvStream32.dll
2014-01-13 21:03 - 2014-01-13 21:03 - 00110088 _____ () c:\Program Files (x86)\Dell Digital Delivery\ServiceTagPlusPlus.dll
2014-09-11 03:28 - 2014-09-11 03:28 - 00019968 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\PSIClient\f0c0732e069acccb1da86c6772b90b44\PSIClient.ni.dll
2014-03-19 12:51 - 2013-11-13 14:23 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3204
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3246
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3347

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (09/18/2014 05:14:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2014 05:41:52 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/14/2014 05:41:52 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/14/2014 05:41:52 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (09/11/2014 03:22:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/09/2014 10:11:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/09/2014 10:06:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/09/2014 10:05:02 PM) (Source: MsiInstaller) (EventID: 1024) (User: PCU)
Description: Product: Adobe Acrobat XI Standard - Update 'Adobe Acrobat XI (11.0.07)' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (09/09/2014 10:05:02 PM) (Source: MsiInstaller) (EventID: 1024) (User: PCU)
Description: Product: Adobe Acrobat XI Standard - Update 'Adobe Acrobat XI (11.0.08)' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (09/09/2014 10:05:02 PM) (Source: MsiInstaller) (EventID: 11327) (User: PCU)
Description: Product: Adobe Acrobat XI Standard -- Error 1327.Invalid Drive: U:\ mapped to a user folder. The drive does not exist or could not be connected. You can either disconnect the drive or reassign the drive letter. For details refer http://kb2.adobe.com/cps/404/kb404946.html


System errors:
=============
Error: (09/18/2014 05:14:33 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (09/18/2014 05:14:31 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Security Innovation TCS service depends on the TPM Base Services service which failed to start because of the following error:
%%0

Error: (09/18/2014 05:14:32 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain PCU due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.



ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (09/16/2014 05:56:03 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (09/16/2014 05:56:02 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (09/16/2014 05:56:01 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (09/16/2014 05:56:01 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (09/16/2014 05:56:00 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (09/14/2014 06:03:53 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Canon MF8300 Series (FAX) required for printer Canon MF8300 Series (FAX) is unknown. Contact the administrator to install the driver before you log in again.

Error: (09/14/2014 06:03:51 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Canon MF8300 Series UFRII LT required for printer Canon MF8300 Series UFRII LT is unknown. Contact the administrator to install the driver before you log in again.


Microsoft Office Sessions:
=========================
Error: (09/18/2014 05:14:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/14/2014 05:41:52 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (09/14/2014 05:41:52 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (09/14/2014 05:41:52 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (09/11/2014 03:22:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/09/2014 10:11:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/09/2014 10:06:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/09/2014 10:05:02 PM) (Source: MsiInstaller) (EventID: 1024) (User: PCU)
Description: Adobe Acrobat XI StandardAdobe Acrobat XI (11.0.07)1603(NULL)(NULL)(NULL)

Error: (09/09/2014 10:05:02 PM) (Source: MsiInstaller) (EventID: 1024) (User: PCU)
Description: Adobe Acrobat XI StandardAdobe Acrobat XI (11.0.08)1603(NULL)(NULL)(NULL)

Error: (09/09/2014 10:05:02 PM) (Source: MsiInstaller) (EventID: 11327) (User: PCU)
Description: Product: Adobe Acrobat XI Standard -- Error 1327.Invalid Drive: U:\ mapped to a user folder. The drive does not exist or could not be connected. You can either disconnect the drive or reassign the drive letter. For details refer http://kb2.adobe.com/cps/404/kb404946.html(NULL)(NULL)(NULL)(NULL)(NULL)


CodeIntegrity Errors:
===================================
  Date: 2014-09-14 18:03:55.418
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-14 17:42:55.568
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-14 17:33:37.433
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-14 16:50:55.083
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-13 20:35:11.455
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-13 20:10:35.104
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-13 19:31:30.992
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-12 04:45:17.256
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-12 04:32:46.170
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-12 02:39:56.096
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Xeon® CPU E5-1607 v2 @ 3.00GHz
Percentage of memory in use: 27%
Total physical RAM: 8136.17 MB
Available physical RAM: 5909.29 MB
Total Pagefile: 16270.52 MB
Available Pagefile: 13971.76 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:463.28 GB) (Free:379.96 GB) NTFS
Drive e: (Expansion Drive) (Fixed) (Total:931.51 GB) (Free:913.98 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: 65A93A8E)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

FSS log:

 

Farbar Service Scanner Version: 21-07-2014
Ran by rpugach (administrator) on 18-09-2014 at 17:22:13
Running from "C:\Users\RPugach\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

 

Mini Toolbox log:

 

MiniToolBox by Farbar  Version: 21-07-2014
Ran by rpugach (administrator) on 18-09-2014 at 17:24:21
Running from "C:\Users\RPugach\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1       localhost

========================= IP Configuration: ================================

Intel® 82579LM Gigabit Network Connection = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=0.0.0.0/0 interface="Local Area Connection" nexthop=192.168.1.1 publish=Yes
add address name="Local Area Connection" address=192.168.1.111 mask=255.255.255.0


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : PCU-WRKSTN11
   Primary Dns Suffix  . . . . . . . : PacificCoastUrology.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : PacificCoastUrology.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel® 82579LM Gigabit Network Connection
   Physical Address. . . . . . . . . : F8-B1-56-C9-42-D0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.111(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.200
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{7B702A2C-769B-4EE6-BF72-6CD998FEE073}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  192.168.1.200

Name:    google.com
Addresses:  2607:f8b0:4004:803::1005
      74.125.228.99
      74.125.228.100
      74.125.228.101
      74.125.228.102
      74.125.228.103
      74.125.228.104
      74.125.228.105
      74.125.228.110
      74.125.228.96
      74.125.228.97
      74.125.228.98


Pinging google.com [74.125.228.99] with 32 bytes of data:
Reply from 74.125.228.99: bytes=32 time=86ms TTL=49
Reply from 74.125.228.99: bytes=32 time=87ms TTL=49

Ping statistics for 74.125.228.99:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 86ms, Maximum = 87ms, Average = 86ms
Server:  UnKnown
Address:  192.168.1.200

Name:    yahoo.com
Addresses:  206.190.36.45
      98.138.253.109
      98.139.183.24


Pinging yahoo.com [98.138.253.109] with 32 bytes of data:
Reply from 98.138.253.109: bytes=32 time=82ms TTL=46
Reply from 98.138.253.109: bytes=32 time=81ms TTL=46

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 81ms, Maximum = 82ms, Average = 81ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 11...f8 b1 56 c9 42 d0 ......Intel® 82579LM Gigabit Network Connection
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.111    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.111    266
    192.168.1.111  255.255.255.255         On-link     192.168.1.111    266
    192.168.1.255  255.255.255.255         On-link     192.168.1.111    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.111    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.111    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

**** End of log ****
 

 

For some strange reason I can't find an 'attach file' button in this reply window (I had no problem attaching a file in my original message) - EDIT: I had to post this reply, then choose Edit Post, Use Full editor in order to attach the file.  Nevertheless, Summary.zip is also included

 

- John

Attached Files


Edited by clipster, 18 September 2014 - 09:50 PM.


#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:34 PM

Posted 18 September 2014 - 10:36 PM

Hi John,

Please do this.
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key Windows_Logo_key.gif + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3204
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3246
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3347
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

ListParts by Farbar for 64 bit Systems

--------------------
  • Please download ListParts64.exe (for 64 bit systems), or and save it to your desktop
  • Double click the icon to launch the program
  • Select Run
  • Select Scan
  • Select OK and wait for a Result - Notepad document to open on your desktop
  • Please copy and paste the contents in your reply
=============================================

Uninstalling a Program using Add/Remove Program

--------------------

I recommend the uninstalling of the below listed program(s).
  • Press windows key Windows_Logo_key.gif + r on your keyboard at the same time
  • Type appwiz.cpl and press Enter
  • A list of installed programs will be displayed
  • Uninstall the following by clicking on the program(s) below (and any other similar names) and selecting Remove or Uninstall

Dell Precision Performance Optimizer

  • Reboot your computer
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • ListParts report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 clipster

clipster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:34 PM

Posted 22 September 2014 - 12:23 AM

Here is the Fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-09-2014
Ran by rpugach at 2014-09-21 22:15:37 Run:1
Running from C:\Users\RPugach\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} -  No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -  No File
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3204
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3246
AlternateDataStreams: C:\Windows\SysWOW64\MSIHANDLE:3347
*****************

"HKCR\PROTOCOLS\Handler\intu-help-qb3" => Key deleted successfully.
"HKCR\CLSID\{c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4}" => Key not found.
"HKCR\PROTOCOLS\Handler\qbwc" => Key deleted successfully.
"HKCR\CLSID\{FC598A64-626C-4447-85B8-53150405FD57}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=euc-jp" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=ISO-8859-1" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS936" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS949" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=MS950" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=UTF-8" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica; charset=UTF8" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=euc-jp" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=ISO-8859-1" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS936" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS949" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=MS950" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=UTF-8" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\application/x-ica;charset=UTF8" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
"HKCR\PROTOCOLS\Filter\ica" => Key deleted successfully.
"HKCR\CLSID\{CFB6322E-CC85-4d1b-82C7-893888A236BC}" => Key not found.
catchme => Service deleted successfully.
cleanhlp => Service deleted successfully.
MBAMSwissArmy => Service deleted successfully.
C:\Windows\SysWOW64\MSIHANDLE => ":3204" ADS removed successfully.
C:\Windows\SysWOW64\MSIHANDLE => ":3246" ADS removed successfully.
C:\Windows\SysWOW64\MSIHANDLE => ":3347" ADS removed successfully.

==== End of Fixlog ====

 

...and here is the Listparts Result:

 

ListParts by Farbar Version: 31-07-2014
Ran by rpugach (administrator) on 21-09-2014 at 22:18:08
Windows 7 (X64)
Running From: C:\Users\RPugach\Desktop
Language: English (United States)
************************************************************

========================= Memory info ======================

Percentage of memory in use: 27%
Total physical RAM: 8136.17 MB
Available physical RAM: 5914.74 MB
Total Pagefile: 16270.52 MB
Available Pagefile: 13977.69 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:463.28 GB) (Free:379.72 GB) NTFS
3 Drive e: (Expansion Drive) (Fixed) (Total:931.51 GB) (Free:913.98 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          476 GB      0 B        
  Disk 1    Online          931 GB      0 B        

Partitions of Disk 0:
===============

Disk ID: 31DAE505

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    OEM                 39 MB    31 KB
  Partition 2    Primary             13 GB    40 MB
  Partition 3    Primary            463 GB    13 GB

======================================================================================================

Disk: 0
Partition 1
Type  : DE
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         RECOVERY     NTFS   Partition     13 GB  Healthy    System (partition with boot components) 

======================================================================================================

Disk: 0
Partition 3
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C   OS           NTFS   Partition    463 GB  Healthy    Boot   

======================================================================================================

Partitions of Disk 1:
===============

Disk ID: 65A93A8E

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            931 GB    31 KB

======================================================================================================

Disk: 1
Partition 1
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 3     E   Expansion D  NTFS   Partition    931 GB  Healthy           

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: 31DAE505
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=14 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=463 GB) - (Type=07 NTFS)

==============================
Partitions of Disk 1:
===============
Disk ID: 65A93A8E
Partition 1: (Not Active) - (Size=932 GB) - (Type=07 NTFS)

****** End Of Log ******

 

Plus Dell PPO has been removed.

 

Best,

John



#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:34 PM

Posted 22 September 2014 - 08:19 AM

Thank you for the reports. Please run this.

===================================================

Farbar's Recovery Scan Tool Search

--------------------
  • Launch FRST
  • Copy/paste the following in the Search Field
tcpip*
  • Click Search File(s) button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Search log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 clipster

clipster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:34 PM

Posted 22 September 2014 - 10:28 PM

Here is the search log:

 

Farbar Recovery Scan Tool (x64) Version: 12-09-2014
Ran by rpugach at 2014-09-22 20:08:48
Running from C:\Users\RPugach\Desktop
Boot Mode: Normal

================== Search Files: "tcpip*" =============

C:\Windows\winsxs\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cc18cf7c2e77940e\tcpip.sys.mui
[2010-11-21 00:06][2010-11-21 00:06] 0044032 ____A (Microsoft Corporation) 13B9ADA4397762D0D9B0BCEE1FFF31C4 [File is signed]

C:\Windows\winsxs\x86_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cc18cf7c2e77940e\tcpipcfg.dll.mui
[2010-11-21 00:06][2010-11-21 00:06] 0032256 ____A (Microsoft Corporation) DEAAF3AF40EAFF97A02EF5C08774446B [File is signed]

C:\Windows\winsxs\x86_microsoft-windows-m..eplacementmanifests_31bf3856ad364e35_6.1.7601.17514_none_fdfbc5f949b9a49e\TCPIP-Replacement.man
[2009-07-13 13:54][2009-06-10 14:30] 0016292 ____A () C7CB676A695AE58C8140714EFE31788C [File is signed]

C:\Windows\winsxs\x86_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_04801f69e1dbd8e6\TCPIP-DL.man
[2009-06-10 14:30][2009-06-10 14:30] 0012003 ____A () 49C71F492BC905C93A7481CAD13F1FE9 [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ca00459dda59f6f4\tcpipcfg.dll
[2010-11-20 20:24][2010-11-20 20:24] 0181760 ____A (Microsoft Corporation) CAFC0B884E5590B5E80D84F592388B3D [File is signed]

C:\Windows\winsxs\wow64_microsoft-windows-tcpip-mof_31bf3856ad364e35_6.1.7600.16385_none_9e277fcfd3015691\tcpip.mof
[2009-06-10 14:15][2009-06-10 14:15] 0003066 ____A () EEC4A068DE477651214F6C8014ECBEC0 [File is signed]

C:\Windows\winsxs\amd64_server-help-chm.tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_818c87c5cd3b25b1\tcpip.CHM
[2010-11-21 00:06][2010-11-21 00:06] 0030960 ____A () 69AF1A43E6B11203F274900FE4DB2839 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip_31bf3856ad364e35_6.1.7601.17514_none_bfab9b4ba5f934f9\tcpipcfg.dll
[2010-11-20 20:24][2010-11-20 20:24] 0253440 ____A (Microsoft Corporation) 55DE45B116711881C852D2841E4C84DD [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_28376affe6d50544\tcpip.sys.mui
[2010-11-21 00:06][2010-11-21 00:06] 0044032 ____A (Microsoft Corporation) 147A70680DFE10726938C932C529C500 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip.resources_31bf3856ad364e35_6.1.7600.16385_en-us_28376affe6d50544\tcpipcfg.dll.mui
[2010-11-21 00:06][2010-11-21 00:06] 0032256 ____A (Microsoft Corporation) D125E8127A071E34CADB837B4EC486ED [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-mof_31bf3856ad364e35_6.1.7600.16385_none_93d2d57d9ea09496\tcpip.mof
[2009-06-10 13:31][2009-06-10 13:31] 0003066 ____A () EEC4A068DE477651214F6C8014ECBEC0 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.22648_none_11b12f2896383dd1\tcpip.sys
[2014-06-10 17:41][2014-04-04 19:37] 1897408 ____A (Microsoft Corporation) 4F80944B03112F486212DC20BE166079 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.22444_none_11ad2a34963bde27\tcpip.sys
[2014-03-19 14:22][2014-03-19 14:22] 1896896 ____A (Microsoft Corporation) 75F9106B74585D38C8FF6BB5CAD262D7 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.22378_none_1190b9b296509a2f\tcpip.sys
[2014-03-19 14:41][2014-03-19 14:41] 1900992 ____A (Microsoft Corporation) B27F13153343BC37A27EAE01634D94E1 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.22209_none_11dd678a9616f2c8\tcpip.sys
[2013-07-01 12:33][2013-07-01 12:33] 1901416 ____A (Microsoft Corporation) B8C1AAC0523E1C33AEB0EF7572144BA2 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.22124_none_11c2c45a962baed0\tcpip.sys
[2013-07-01 12:33][2013-07-01 12:33] 1902472 ____A (Microsoft Corporation) D5707FC2300AA5B04B7BFE86D40C0133 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.18438_none_113260637d1284ef\tcpip.sys
[2014-06-10 17:41][2014-04-04 19:47] 1903552 ____A (Microsoft Corporation) 04ADD18EE5CC9FBEDAEC1DD1CD0CB45E [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.18254_none_1118bb977d265d27\tcpip.sys
[2014-03-19 14:22][2014-03-19 14:22] 1903552 ____A (Microsoft Corporation) 40AF23633D197905F03AB5628C558C51 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.18203_none_114dcae97cfeb81b\tcpip.sys
[2014-03-19 14:41][2014-03-19 14:41] 1910208 ____A (Microsoft Corporation) DB74544B75566C974815E79A62433F29 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.18042_none_112187237d20143a\tcpip.sys
[2013-07-01 12:33][2013-07-01 12:33] 1913192 ____A (Microsoft Corporation) B62A953F2BF3922C8764A29C34A22899 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17964_none_110e0fbd7d2e4b88\tcpip.sys
[2013-07-01 12:33][2013-07-01 12:33] 1914248 ____A (Microsoft Corporation) 37608401DFDB388CAF66917F6B2D6FB0 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.1.7601.17514_none_114417c17d05cb37\tcpip.sys
[2010-11-20 20:24][2010-11-20 20:24] 1924480 ____A (Microsoft Corporation) 509383E505C973ED7534A06B3D19688D [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-adm_31bf3856ad364e35_6.1.7601.22124_none_91ae30e0b7c1437b\tcpip.admx
[2013-07-01 12:33][2013-07-01 12:33] 0010642 ____A () 72642743589B9BE7FDF70413243BA2A7 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-adm_31bf3856ad364e35_6.1.7601.17964_none_90f97c439ec3e033\tcpip.admx
[2013-07-01 12:33][2013-07-01 12:33] 0010642 ____A () 72642743589B9BE7FDF70413243BA2A7 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-adm_31bf3856ad364e35_6.1.7600.16385_none_8efe707fa1acdc48\tcpip.admx
[2009-06-10 13:49][2009-06-10 13:49] 0010059 ____A () AFEE9E69CA601B21AEAA5C1FD21F5A52 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-adm.resources_31bf3856ad364e35_6.1.7601.22124_en-us_35aca0a73d918fae\tcpip.adml
[2013-07-01 12:33][2013-07-01 12:33] 0013411 ____A () 6B491012442E5469E2B50604E720EF72 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-adm.resources_31bf3856ad364e35_6.1.7601.17964_en-us_34f7ec0a24942c66\tcpip.adml
[2013-07-01 12:33][2013-07-01 12:33] 0013411 ____A () 6B491012442E5469E2B50604E720EF72 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-tcpip-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_32fce046277d287b\tcpip.adml
[2010-11-21 00:06][2010-11-21 00:06] 0012773 ____A () B7961BE1157CBB9140D09B6A68DB9140 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-m..eplacementmanifests_31bf3856ad364e35_6.1.7601.17514_none_5a1a617d021715d4\TCPIP-Replacement.man
[2009-07-13 13:43][2009-06-10 13:49] 0016292 ____A () C7CB676A695AE58C8140714EFE31788C [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\TCPIP-DL.man
[2009-06-10 13:49][2009-06-10 13:49] 0012003 ____A () 49C71F492BC905C93A7481CAD13F1FE9 [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_6.1.7601.22124_none_e4c1e80f35326866\tcpipreg.sys
[2013-07-01 12:33][2013-07-01 12:33] 0045568 ____A (Microsoft Corporation) E187D64B585F788AB1FEC75228B7FABF [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_6.1.7601.17964_none_e40d33721c35051e\tcpipreg.sys
[2013-07-01 12:33][2013-07-01 12:33] 0045568 ____A (Microsoft Corporation) 1B16D0BD9841794A6E0CDE0CEF744ABC [File is signed]

C:\Windows\winsxs\amd64_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_6.1.7601.17514_none_e4433b761c0c84cd\tcpipreg.sys
[2010-11-20 20:23][2010-11-20 20:23] 0045056 ____A (Microsoft Corporation) DF687E3D8836BFB04FCC0615BF15A519 [File is signed]

C:\Windows\SysWOW64\tcpipcfg.dll
[2010-11-20 20:24][2010-11-20 20:24] 0181760 ____A (Microsoft Corporation) CAFC0B884E5590B5E80D84F592388B3D [File is signed]

C:\Windows\SysWOW64\wbem\tcpip.mof
[2009-06-10 14:15][2009-06-10 14:15] 0003066 ____A () EEC4A068DE477651214F6C8014ECBEC0 [File is signed]

C:\Windows\SysWOW64\migwiz\replacementmanifests\TCPIP-Replacement.man
[2009-07-13 13:54][2009-06-10 14:30] 0016292 ____A () C7CB676A695AE58C8140714EFE31788C [File is signed]

C:\Windows\SysWOW64\migwiz\dlmanifests\TCPIP-DL.man
[2009-06-10 14:30][2009-06-10 14:30] 0012003 ____A () 49C71F492BC905C93A7481CAD13F1FE9 [File is signed]

C:\Windows\SysWOW64\en-US\tcpipcfg.dll.mui
[2010-11-21 00:06][2010-11-21 00:06] 0032256 ____A (Microsoft Corporation) DEAAF3AF40EAFF97A02EF5C08774446B [File is signed]

C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui
[2010-11-21 00:06][2010-11-21 00:06] 0044032 ____A (Microsoft Corporation) 13B9ADA4397762D0D9B0BCEE1FFF31C4 [File is signed]

C:\Windows\System32\tcpipcfg.dll
[2010-11-20 20:24][2010-11-20 20:24] 0253440 ____A (Microsoft Corporation) 55DE45B116711881C852D2841E4C84DD [File is signed]

C:\Windows\System32\wbem\tcpip.mof
[2009-06-10 13:31][2009-06-10 13:31] 0003066 ____A () EEC4A068DE477651214F6C8014ECBEC0 [File is signed]

C:\Windows\System32\migwiz\replacementmanifests\TCPIP-Replacement.man
[2009-07-13 13:43][2009-06-10 13:49] 0016292 ____A () C7CB676A695AE58C8140714EFE31788C [File is signed]

C:\Windows\System32\migwiz\dlmanifests\TCPIP-DL.man
[2009-06-10 13:49][2009-06-10 13:49] 0012003 ____A () 49C71F492BC905C93A7481CAD13F1FE9 [File is signed]

C:\Windows\System32\en-US\tcpipcfg.dll.mui
[2010-11-21 00:06][2010-11-21 00:06] 0032256 ____A (Microsoft Corporation) D125E8127A071E34CADB837B4EC486ED [File is signed]

C:\Windows\System32\drivers\tcpip.sys
[2014-06-10 17:41][2014-04-04 19:47] 1903552 ____A (Microsoft Corporation) 04ADD18EE5CC9FBEDAEC1DD1CD0CB45E [File is signed]

C:\Windows\System32\drivers\tcpipreg.sys
[2013-07-01 12:33][2013-07-01 12:33] 0045568 ____A (Microsoft Corporation) 1B16D0BD9841794A6E0CDE0CEF744ABC [File is signed]

C:\Windows\System32\drivers\en-US\tcpip.sys.mui
[2010-11-21 00:06][2010-11-21 00:06] 0044032 ____A (Microsoft Corporation) 147A70680DFE10726938C932C529C500 [File is signed]

C:\Windows\PolicyDefinitions\tcpip.admx
[2013-07-01 12:33][2013-07-01 12:33] 0010642 ____A () 72642743589B9BE7FDF70413243BA2A7 [File is signed]

C:\Windows\PolicyDefinitions\en-US\tcpip.adml
[2013-07-01 12:33][2013-07-01 12:33] 0013411 ____A () 6B491012442E5469E2B50604E720EF72 [File is signed]

C:\Windows\Help\mui\0409\tcpip.CHM
[2010-11-21 00:06][2010-11-21 00:06] 0030960 ____A () 69AF1A43E6B11203F274900FE4DB2839 [File is signed]

C:\Windows\erdnt\cache64\tcpip.sys
[2014-05-07 10:49][2014-04-04 19:47] 1903552 ____A (Microsoft Corporation) 04ADD18EE5CC9FBEDAEC1DD1CD0CB45E [File is signed]

C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
[2014-05-07 10:48][2014-09-09 21:03] 0004926 ____A () 49A7F37F14A422814B911D4DF82C3DC3

====== End Of Search ======

 

 

Wanted to let you know that when I went to get this info I discovered that the computer had become infected again.  After running the FRST query you requested I ran Combofix again to restore internet connectivity.  Tonight it put a tcpip.reg in quarantine which I've attached for you to look at.  Also posting the combofix log generated after tonights scan below:

 

ComboFix 14-09-22.01 - rpugach 09/22/2014  20:16:10.8.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.8136.6689 [GMT -7:00]
Running from: c:\techtools\ComboFix.exe
AV: ESET Endpoint Antivirus 5.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: ESET Endpoint Antivirus 5.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-23 to 2014-09-23  )))))))))))))))))))))))))))))))
.
.
2014-09-23 03:18 . 2014-09-23 03:18    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-09-23 03:18 . 2014-09-23 03:18    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-09-23 03:18 . 2014-09-23 03:18    --------    d-----w-    c:\users\adminpcu\AppData\Local\temp
2014-09-23 03:18 . 2014-09-23 03:18    --------    d-----w-    c:\users\Admin\AppData\Local\temp
2014-09-22 15:13 . 2014-09-22 15:13    75888    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{AB11F47B-67DB-4E7E-976C-8F7CEB2DFF06}\offreg.dll
2014-09-22 05:39 . 2014-09-22 05:39    --------    d-----w-    c:\program files (x86)\Dell Digital Delivery
2014-09-21 22:50 . 2014-09-21 22:50    --------    d-----w-    c:\users\RPugach\AppData\Local\CrashDumps
2014-09-19 11:50 . 2014-09-09 02:05    11578928    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{AB11F47B-67DB-4E7E-976C-8F7CEB2DFF06}\mpengine.dll
2014-09-19 00:18 . 2014-09-23 03:08    --------    d-----w-    C:\FRST
2014-09-10 20:37 . 2014-07-07 02:06    728064    ----a-w-    c:\windows\system32\kerberos.dll
2014-09-10 20:37 . 2014-07-07 01:40    550912    ----a-w-    c:\windows\SysWow64\kerberos.dll
2014-09-10 20:37 . 2014-07-07 02:06    1460736    ----a-w-    c:\windows\system32\lsasrv.dll
2014-09-10 20:37 . 2014-07-07 01:40    22016    ----a-w-    c:\windows\SysWow64\secur32.dll
2014-09-10 20:37 . 2014-07-07 01:39    96768    ----a-w-    c:\windows\SysWow64\sspicli.dll
2014-09-03 01:59 . 2014-09-03 01:59    --------    d-----w-    c:\users\RPugach\AppData\Local\Microsoft Help
2014-08-28 05:42 . 2014-08-23 02:07    404480    ----a-w-    c:\windows\system32\gdi32.dll
2014-08-28 05:42 . 2014-08-23 01:45    311808    ----a-w-    c:\windows\SysWow64\gdi32.dll
2014-08-28 05:42 . 2014-08-23 00:59    3163648    ----a-w-    c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-11 10:00 . 2014-04-04 22:58    101694776    ----a-w-    c:\windows\system32\MRT.exe
2014-08-28 14:36 . 2014-04-04 22:49    590536    ----a-w-    c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2014-08-25 13:53 . 2010-11-21 03:27    270496    ------w-    c:\windows\system32\MpSigStub.exe
2014-08-18 21:07 . 2014-08-18 21:07    33512    ----a-w-    c:\windows\SysWow64\drivers\TrueSight.sys
2014-07-25 09:35 . 2014-07-25 09:35    875688    ----a-w-    c:\windows\SysWow64\msvcr120_clr0400.dll
2014-07-25 06:47 . 2014-07-25 06:47    869544    ----a-w-    c:\windows\system32\msvcr120_clr0400.dll
2014-07-16 03:23 . 2014-08-15 10:32    2048    ----a-w-    c:\windows\system32\tzres.dll
2014-07-16 02:46 . 2014-08-15 10:32    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2014-07-14 02:02 . 2014-08-15 10:32    1216000    ----a-w-    c:\windows\system32\rpcrt4.dll
2014-07-14 01:40 . 2014-08-15 10:32    664064    ----a-w-    c:\windows\SysWow64\rpcrt4.dll
2014-07-01 17:36 . 2014-07-01 17:36    719360    ----a-w-    c:\windows\SysWow64\mshtmlmedia.dll
2014-07-01 17:36 . 2014-07-01 17:36    226304    ----a-w-    c:\windows\system32\elshyph.dll
2014-07-01 17:36 . 2014-07-01 17:36    185344    ----a-w-    c:\windows\SysWow64\elshyph.dll
2014-07-01 17:36 . 2014-07-01 17:36    158720    ----a-w-    c:\windows\SysWow64\msls31.dll
2014-07-01 17:36 . 2014-07-01 17:36    150528    ----a-w-    c:\windows\SysWow64\iexpress.exe
2014-07-01 17:36 . 2014-07-01 17:36    138752    ----a-w-    c:\windows\SysWow64\wextract.exe
2014-07-01 17:36 . 2014-07-01 17:36    1054720    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-07-01 17:36 . 2014-07-01 17:36    73728    ----a-w-    c:\windows\SysWow64\SetIEInstalledDate.exe
2014-07-01 17:36 . 2014-07-01 17:36    48640    ----a-w-    c:\windows\SysWow64\mshtmler.dll
2014-07-01 17:36 . 2014-07-01 17:36    38400    ----a-w-    c:\windows\SysWow64\imgutil.dll
2014-07-01 17:36 . 2014-07-01 17:36    137216    ----a-w-    c:\windows\SysWow64\ieUnatt.exe
2014-07-01 17:36 . 2014-07-01 17:36    12800    ----a-w-    c:\windows\SysWow64\mshta.exe
2014-07-01 17:36 . 2014-07-01 17:36    110592    ----a-w-    c:\windows\SysWow64\IEAdvpack.dll
2014-07-01 17:36 . 2014-07-01 17:36    61952    ----a-w-    c:\windows\SysWow64\tdc.ocx
2014-07-01 17:36 . 2014-07-01 17:36    361984    ----a-w-    c:\windows\SysWow64\html.iec
2014-07-01 17:36 . 2014-07-01 17:36    23040    ----a-w-    c:\windows\SysWow64\licmgr10.dll
2014-07-01 17:36 . 2014-07-01 17:36    216064    ----a-w-    c:\windows\system32\msls31.dll
2014-07-01 17:35 . 2014-07-01 17:35    905728    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2014-07-01 17:35 . 2014-07-01 17:35    81408    ----a-w-    c:\windows\system32\icardie.dll
2014-07-01 17:35 . 2014-07-01 17:35    762368    ----a-w-    c:\windows\system32\ieapfltr.dll
2014-07-01 17:35 . 2014-07-01 17:35    441856    ----a-w-    c:\windows\system32\html.iec
2014-07-01 17:35 . 2014-07-01 17:35    27648    ----a-w-    c:\windows\system32\licmgr10.dll
2014-07-01 17:35 . 2014-07-01 17:35    247296    ----a-w-    c:\windows\system32\webcheck.dll
2014-07-01 17:35 . 2014-07-01 17:35    235008    ----a-w-    c:\windows\system32\url.dll
2014-07-01 17:35 . 2014-07-01 17:35    173568    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-07-01 17:35 . 2014-07-01 17:35    167424    ----a-w-    c:\windows\system32\iexpress.exe
2014-07-01 17:35 . 2014-07-01 17:35    144896    ----a-w-    c:\windows\system32\wextract.exe
2014-07-01 17:35 . 2014-07-01 17:35    1400416    ----a-w-    c:\windows\system32\ieapfltr.dat
2014-07-01 17:35 . 2014-07-01 17:35    102912    ----a-w-    c:\windows\system32\inseng.dll
2014-07-01 17:35 . 2014-07-01 17:35    92160    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2014-07-01 17:35 . 2014-07-01 17:35    77312    ----a-w-    c:\windows\system32\tdc.ocx
2014-07-01 17:35 . 2014-07-01 17:35    62976    ----a-w-    c:\windows\system32\pngfilt.dll
2014-07-01 17:35 . 2014-07-01 17:35    52224    ----a-w-    c:\windows\system32\msfeedsbs.dll
2014-07-01 17:35 . 2014-07-01 17:35    51200    ----a-w-    c:\windows\system32\imgutil.dll
2014-07-01 17:35 . 2014-07-01 17:35    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2014-07-01 17:35 . 2014-07-01 17:35    149504    ----a-w-    c:\windows\system32\occache.dll
2014-07-01 17:35 . 2014-07-01 17:35    13824    ----a-w-    c:\windows\system32\mshta.exe
2014-07-01 17:35 . 2014-07-01 17:35    136192    ----a-w-    c:\windows\system32\iepeers.dll
2014-07-01 17:35 . 2014-07-01 17:35    135680    ----a-w-    c:\windows\system32\IEAdvpack.dll
2014-07-01 17:35 . 2014-07-01 17:35    12800    ----a-w-    c:\windows\system32\msfeedssync.exe
2014-06-30 22:24 . 2014-08-16 10:00    8856    ----a-w-    c:\windows\system32\icardres.dll
2014-06-30 22:14 . 2014-08-16 10:00    8856    ----a-w-    c:\windows\SysWow64\icardres.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-04-25 05:14    220632    ----a-w-    c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-04-25 05:14    220632    ----a-w-    c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-04-25 05:14    220632    ----a-w-    c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HydraVisionDesktopManager"="c:\program files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [2013-05-16 389120]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"RUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe" [2011-09-20 115048]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorIcon.exe" [2013-06-28 294896]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2013-05-16 642816]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2013-12-21 3478392]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-12-07 2771832]
"ConnectionCenter"="c:\program files (x86)\Citrix\ICA Client\concentr.exe" [2013-06-28 383368]
.
c:\users\RPugach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Send to OneNote.lnk - c:\program files\Microsoft Office 15\root\office15\ONENOTEM.EXE /tsr [2014-8-8 195248]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2013-2-1 1155912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ       DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 DellDigitalDelivery;Dell Digital Delivery Service;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe;c:\program files (x86)\Dell Digital Delivery\DeliveryService.exe [x]
R3 DellProf;DellProf;c:\windows\system32\drivers\DellProf.sys;c:\windows\SYSNATIVE\drivers\DellProf.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 ESHASRV;ESET SHA Service;c:\program files\ESET\ESET Endpoint Antivirus\EShaSrv.exe;c:\program files\ESET\ESET Endpoint Antivirus\EShaSrv.exe [x]
R3 iaStorS;iaStorS;c:\windows\system32\drivers\iaStorS.sys;c:\windows\SYSNATIVE\drivers\iaStorS.sys [x]
R3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;c:\program files\Intel\iCLS Client\SocketHeciServer.exe;c:\program files\Intel\iCLS Client\SocketHeciServer.exe [x]
R3 InvProtectDrv;InvProtectDrv;c:\program files (x86)\Invincea\Enterprise\X64\InvProtectDrv64.sys;c:\program files (x86)\Invincea\Enterprise\X64\InvProtectDrv64.sys [x]
R3 InvProtectSvc;Invincea Enterprise Service;c:\program files (x86)\Invincea\Enterprise\X64\InvProtectSvc64.exe;c:\program files (x86)\Invincea\Enterprise\X64\InvProtectSvc64.exe [x]
R3 netvsc;netvsc;c:\windows\system32\DRIVERS\netvsc60.sys;c:\windows\SYSNATIVE\DRIVERS\netvsc60.sys [x]
R3 POADrvr;POADrvr;c:\windows\system32\drivers\POADrvr.sys;c:\windows\SYSNATIVE\drivers\POADrvr.sys [x]
R3 SboxDrv;SboxDrv;c:\program files (x86)\Invincea\Enterprise\Sandbox\SboxDrv.sys;c:\program files (x86)\Invincea\Enterprise\Sandbox\SboxDrv.sys [x]
R3 SboxSvc;SboxSvc;c:\program files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe;c:\program files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe [x]
R3 SynthVid;SynthVid;c:\windows\system32\DRIVERS\VMBusVideoM.sys;c:\windows\SYSNATIVE\DRIVERS\VMBusVideoM.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 amdkmpfd;AMD PCI Root Bus Lower Filter;c:\windows\system32\DRIVERS\amdkmpfd.sys;c:\windows\SYSNATIVE\DRIVERS\amdkmpfd.sys [x]
S0 CredFltL;Dell SED PBA Filter;c:\windows\system32\DRIVERS\CredFltL.sys;c:\windows\SYSNATIVE\DRIVERS\CredFltL.sys [x]
S0 iaStorA;iaStorA;c:\windows\system32\drivers\iaStorA.sys;c:\windows\SYSNATIVE\drivers\iaStorA.sys [x]
S0 iaStorF;iaStorF;c:\windows\system32\drivers\iaStorF.sys;c:\windows\SYSNATIVE\drivers\iaStorF.sys [x]
S0 SEDFilter;Dell SED PBA Enhancement;c:\windows\system32\DRIVERS\SEDFilter.sys;c:\windows\SYSNATIVE\DRIVERS\SEDFilter.sys [x]
S1 asd2fsm;asd2fsm;c:\windows\system32\DRIVERS\asd2fsm.sys;c:\windows\SYSNATIVE\DRIVERS\asd2fsm.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys;c:\windows\SYSNATIVE\DRIVERS\ctxusbm.sys [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 ClickToRunSvc;Microsoft Office ClickToRun Service;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe;c:\program files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [x]
S2 DellMgmtAgent;Dell Management Agent Service;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.exe;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.exe [x]
S2 DellMgmtLoader;Dell Security Framework Loader;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Loader.exe;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Loader.exe [x]
S2 DellMgmtServer;DELL Security Framework Local Server;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.MgmtServer.exe;c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.MgmtServer.exe [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe;c:\program files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfpr.sys [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorDataMgrSvc.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 valWBFPolicyService;Validity WBF Policy Service;c:\windows\system32\valWBFPolicyService.exe;c:\windows\SYSNATIVE\valWBFPolicyService.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 rusb3hub;Renesas Electronics USB 3.0 Hub Driver (Version 3.0);c:\windows\system32\DRIVERS\rusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\rusb3hub.sys [x]
S3 rusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver (Version 3.0);c:\windows\system32\DRIVERS\rusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\rusb3xhc.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-19 19:48]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-04-25 05:14    244696    ----a-w-    c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-04-25 05:14    244696    ----a-w-    c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-04-25 05:14    244696    ----a-w-    c:\users\RPugach\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro1 (ErrorConflict)]
@="{8BA85C75-763B-4103-94EB-9470F12FE0F7}"
[HKEY_CLASSES_ROOT\CLSID\{8BA85C75-763B-4103-94EB-9470F12FE0F7}]
2014-08-28 14:37    2335960    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro2 (SyncInProgress)]
@="{CD55129A-B1A1-438E-A425-CEBC7DC684EE}"
[HKEY_CLASSES_ROOT\CLSID\{CD55129A-B1A1-438E-A425-CEBC7DC684EE}]
2014-08-28 14:37    2335960    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrivePro3 (InSync)]
@="{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}"
[HKEY_CLASSES_ROOT\CLSID\{E768CD3B-BDDC-436D-9C13-E1B39CA257B1}]
2014-08-28 14:37    2335960    ----a-w-    c:\program files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtDCpl64.exe" [2013-08-16 2908888]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"CSFTrayApp"="c:\program files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.SystrayApp.exe" [2014-03-10 232288]
"egui"="c:\program files\ESET\ESET Endpoint Antivirus\egui.exe" [2013-10-07 4148664]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\program files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
TCP: Interfaces\{7B702A2C-769B-4EE6-BF72-6CD998FEE073}: NameServer = 192.168.1.200
FF - ProfilePath - c:\users\RPugach\AppData\Roaming\Mozilla\Firefox\Profiles\w3eizqpo.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_170_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_170.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-22  20:19:56
ComboFix-quarantined-files.txt  2014-09-23 03:19
ComboFix2.txt  2014-09-10 04:09
ComboFix3.txt  2014-08-18 17:27
ComboFix4.txt  2014-06-18 17:31
ComboFix5.txt  2014-09-23 03:15
.
Pre-Run: 407,655,976,960 bytes free
Post-Run: 407,237,984,256 bytes free
.
- - End Of File - - D65740BA9A9E517A755BB2EC7160F449
5C616939100B85E558DA92B899A0FC36
 

 

Best,

John

Attached Files


Edited by clipster, 22 September 2014 - 10:31 PM.


#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:34 PM

Posted 22 September 2014 - 10:46 PM

OK, I will look through this tomorrow.  Please hold off on taking any independent actions or running any programs unless requested.  We need to deliberately stay in step.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:34 PM

Posted 23 September 2014 - 05:40 PM

Did you export the tcpip.reg file from your registry?


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 clipster

clipster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:34 PM

Posted 24 September 2014 - 12:01 AM

No - that file (tcpip.reg) was in the combofix quarantine folder after I ran the scan.  I included it since I thought it might provide some insight as to what the virus/malware was doing.



#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:34 PM

Posted 24 September 2014 - 12:42 PM

That is not an infected file.

Please run this.

===================================================

Malwarebytes Anti-Rootkit - Scan Only

--------------------
  • Download Malwarebytes Anti-Rootkit (mbar) and save it to your desktop
  • Double click the mbar icon and select Run
  • Click OK to install it on your desktop
  • If you receive a User Account Control prompt allow it to run
  • If you receive the following screen select Yes and your computer will be restarted

dda-driver-warning.png

  • Click Next on the following screen (or something that looks similar)

start-screen.png

  • On the Update Database: screen click Update to download the latest definition updates then click Next

database-update.png

  • On the Scan System: screen place checkmarks in the Drivers, Sectors, and System boxes (should be checked by default) then click Scan. Please be patient and allow the process to complete

scan-system.png

  • Click the Exit button not Cleanup
  • A system-log report will be created in the mbar folder, please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • MBAR log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 clipster

clipster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:34 PM

Posted 25 September 2014 - 02:08 AM

Here is the MBAR log:

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1012

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Non-administrative

Internet Explorer version: 10.0.9200.17089

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.992000 GHz
Memory total: 8531390464, free: 7354691584

Downloaded database version: v2014.09.25.03
Downloaded database version: v2014.09.19.01
=======================================
Initializing...
------------ Kernel report ------------
     09/24/2014 23:33:38
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\iaStorA.sys
\SystemRoot\system32\drivers\storport.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\system32\DRIVERS\SEDFilter.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\system32\drivers\iaStorF.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\amdkmpfd.sys
\SystemRoot\system32\DRIVERS\CredFltL.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\asd2fsm.sys
\SystemRoot\system32\DRIVERS\eamonm.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\ehdrv.sys
C:\Program Files\ESET\ESET Endpoint Antivirus\em006_64.dat
C:\Program Files\ESET\ESET Endpoint Antivirus\em018_64.dat
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\ctxusbm.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\TeeDriverx64.sys
\SystemRoot\system32\DRIVERS\e1c62x64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\rusb3xhc.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTDVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\rusb3hub.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_iaStorA.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\drivers\AtihdW76.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\epfwwfpr.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\drivers\rdpdr.sys
\SystemRoot\system32\drivers\tdtcp.sys
\SystemRoot\System32\DRIVERS\tssecsrv.sys
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\??\C:\Windows\system32\Drivers\PROCEXP113.SYS
\SystemRoot\System32\cdd.dll
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\gdi32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\wininet.dll
\Windows\System32\imm32.dll
\Windows\System32\normaliz.dll
\Windows\System32\imagehlp.dll
\Windows\System32\urlmon.dll
\Windows\System32\psapi.dll
\Windows\System32\usp10.dll
\Windows\System32\ole32.dll
\Windows\System32\shell32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\kernel32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\lpk.dll
\Windows\System32\sechost.dll
\Windows\System32\msctf.dll
\Windows\System32\setupapi.dll
\Windows\System32\clbcatq.dll
\Windows\System32\shlwapi.dll
\Windows\System32\oleaut32.dll
\Windows\System32\iertutil.dll
\Windows\System32\advapi32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\difxapi.dll
\Windows\System32\msvcrt.dll
\Windows\System32\user32.dll
\Windows\System32\nsi.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\comctl32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\devobj.dll
\Windows\System32\wintrust.dll
\Windows\System32\userenv.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\msasn1.dll
\Windows\System32\profapi.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa800e745790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007a\
Lower Device Object: 0xfffffa800e745060
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800862b060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000005d\
Lower Device Object: 0xfffffa80087399c0
Lower Device Driver Name: \Driver\iaStorA\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800862b060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8008566b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800862b060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8008557880, DeviceName: Unknown, DriverName: \Driver\SEDFilter\
DevicePointer: 0xfffffa8008556ba0, DeviceName: Unknown, DriverName: \Driver\iaStorF\
DevicePointer: 0xfffffa8008541890, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa80087399c0, DeviceName: \Device\0000005d\, DriverName: \Driver\iaStorA\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 31DAE505

Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920  Numsec = 28553216
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 28635136  Numsec = 971577344

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 512110190592 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-1000195216-1000215216)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa800e745790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800ef30b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800e745790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800eecc250, DeviceName: Unknown, DriverName: \Driver\SEDFilter\
DevicePointer: 0xfffffa800ec76680, DeviceName: Unknown, DriverName: \Driver\iaStorF\
DevicePointer: 0xfffffa800e745060, DeviceName: \Device\0000007a\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 65A93A8E

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 1953520065

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 1000204886016 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-81920-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished



#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:34 PM

Posted 25 September 2014 - 08:21 AM

No issues there.

When you run Combofix to repair your internet are you getting the same "infected file" deletions each time or do you see any type of pattern?

Please run this.

===================================================

OTL

--------------------
  • Please download OTL and save it to your desktop
  • Double click on the otlicon.png icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the runscan.png button.
  • Copy and paste the two reports in your next reply.

OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized


===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • OTL logs (2)

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 clipster

clipster
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:34 PM

Posted 25 September 2014 - 10:30 PM

As for the combofix infections, no pattern can be found - here is a snapshot of my quarantine folder:

 

5/3/14 - [random characters].xps.vir

8/14/14 - Receiver link.vir

8/19/14 - [random].exe.vir

 

Registry entries in quarantine:

 

5/7/14 - Toolbar-locked.reg.dat

6/11/14 - Safeboot-[random].sys.reg.dat

6/22/14 - Wow64node-toolbar-locked.reg.dat

 

 

Here is the OTL log:

 

OTL logfile created on: 9/25/2014 8:25:28 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Techtools
64bit- Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.17089)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
7.95 Gb Total Physical Memory | 6.28 Gb Available Physical Memory | 79.07% Memory free
15.89 Gb Paging File | 14.21 Gb Available in Paging File | 89.40% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 463.28 Gb Total Space | 379.19 Gb Free Space | 81.85% Space Free | Partition Type: NTFS
Drive E: | 931.51 Gb Total Space | 913.98 Gb Free Space | 98.12% Space Free | Partition Type: NTFS
 
Computer Name: PCU-WRKSTN11 | User Name: rpugach | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/08/06 17:58:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Techtools\OTL.exe
PRC - [2013/12/20 23:04:50 | 003,478,392 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
PRC - [2013/12/20 23:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013/11/13 14:23:18 | 000,390,616 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2013/11/13 14:23:08 | 000,169,432 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
PRC - [2013/10/07 10:29:40 | 001,025,584 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe
PRC - [2013/06/28 16:17:32 | 000,294,896 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorIcon.exe
PRC - [2013/06/28 16:17:32 | 000,015,344 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorDataMgrSvc.exe
PRC - [2013/06/28 03:09:08 | 000,891,272 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
PRC - [2013/06/28 03:06:34 | 000,383,368 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
PRC - [2013/06/28 02:45:04 | 000,100,744 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe
PRC - [2013/06/10 03:05:46 | 001,485,128 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe
PRC - [2013/05/16 00:12:56 | 000,389,120 | ---- | M] (AMD) -- C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
PRC - [2013/02/01 20:55:48 | 001,155,912 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2013/02/01 19:27:40 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2011/09/20 07:17:44 | 000,115,048 | ---- | M] (Renesas Electronics Corporation) -- C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/09/11 03:29:55 | 001,358,336 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\d8d39c50a61cf86666e90503ed4784ba\System.WorkflowServices.ni.dll
MOD - [2014/09/11 03:29:41 | 001,707,008 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\352290f32be5a65dc4142796273f069e\System.ServiceModel.Web.ni.dll
MOD - [2014/09/11 03:28:19 | 000,029,184 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorDataMgrSvcInt#\8afba6b17d615383e780e834856ec273\IAStorDataMgrSvcInterfaces.ni.dll
MOD - [2014/09/11 03:28:17 | 000,032,256 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\3aa95e32932c976512cb261456328aba\IAStorCommon.ni.dll
MOD - [2014/09/11 03:28:15 | 000,341,504 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\5de5e84cc31af868702c468165787e01\IAStorUtil.ni.dll
MOD - [2014/09/11 03:26:47 | 001,084,928 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\fb57a4603c9eeb122ae1c85034ef7921\System.IdentityModel.ni.dll
MOD - [2014/09/11 03:26:46 | 002,347,008 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\00c35eb74751496223e687c7f827836b\System.Runtime.Serialization.ni.dll
MOD - [2014/09/11 03:26:45 | 017,477,120 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\ef55438a0f6ddd26952bbd816d094390\System.ServiceModel.ni.dll
MOD - [2014/09/11 03:26:34 | 000,256,000 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\bea43e490631da53463fe45e89b907b1\SMDiagnostics.ni.dll
MOD - [2014/09/11 03:23:46 | 011,922,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\349461c3a273efc2b4bd643c2645bd70\System.Web.ni.dll
MOD - [2014/09/11 03:23:25 | 012,435,968 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3f2952ec748f60fbb5deacfc4db0a2a3\System.Windows.Forms.ni.dll
MOD - [2014/09/11 03:23:21 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\8b7f86e5a6f0aa23f4b25dfeeaa6b318\System.Drawing.ni.dll
MOD - [2014/09/11 03:23:18 | 005,467,648 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\3fad44f7fd9f6c117eb02265ab63f80d\System.Xml.ni.dll
MOD - [2014/09/11 03:23:15 | 000,978,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\5bf56d6064af88d8812a3f78e0dfd376\System.Configuration.ni.dll
MOD - [2014/09/11 03:23:06 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\95854f4f1f37b8eab1b1e3d7103b48ef\System.ni.dll
MOD - [2014/09/11 03:23:02 | 011,497,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
MOD - [2014/02/12 20:58:32 | 000,073,544 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2014/02/12 20:58:10 | 001,044,808 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2014/08/12 00:56:36 | 002,428,088 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe -- (ClickToRunSvc)
SRV:64bit: - [2014/03/19 14:41:50 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2014/03/10 11:50:28 | 000,033,632 | ---- | M] (Dell, Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.MgmtServer.exe -- (DellMgmtServer)
SRV:64bit: - [2014/03/10 11:50:26 | 000,248,160 | ---- | M] (Dell Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.exe -- (DellMgmtAgent)
SRV:64bit: - [2014/03/10 11:50:26 | 000,026,464 | ---- | M] () [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.Loader.exe -- (DellMgmtLoader)
SRV:64bit: - [2014/02/19 15:23:12 | 000,472,912 | ---- | M] (DigitalPersona, Inc.) [Auto | Running] -- C:\Program Files\Dell\Dell Data Protection\Security Tools\Authentication\Bin\DpHostW.exe -- (DpHost)
SRV:64bit: - [2013/10/09 06:11:30 | 000,035,328 | ---- | M] (Validity Sensors, Inc.) [Auto | Running] -- C:\Windows\SysNative\valWBFPolicyService.exe -- (valWBFPolicyService)
SRV:64bit: - [2013/10/07 10:31:20 | 000,191,368 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Endpoint Antivirus\EShaSrv.exe -- (ESHASRV)
SRV:64bit: - [2013/10/07 10:30:56 | 000,042,048 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Endpoint Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV:64bit: - [2013/10/07 10:29:40 | 001,025,584 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe -- (ekrn)
SRV:64bit: - [2013/08/27 12:32:30 | 000,828,376 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe -- (Intel®
SRV:64bit: - [2013/08/27 12:32:14 | 000,747,520 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\iCLS Client\HeciServer.exe -- (Intel®
SRV:64bit: - [2013/05/16 01:52:48 | 000,241,152 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2013/01/03 12:38:52 | 000,183,200 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Windows\SysNative\IPROSetMonitor.exe -- (Intel®
SRV:64bit: - [2012/12/10 11:43:20 | 001,636,352 | ---- | M] (Security Innovation, Inc.) [Auto | Stopped] -- C:\Program Files\Dell\Dell Data Protection\Drivers\TSS\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV:64bit: - [2009/07/13 18:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2014/04/10 14:30:14 | 000,202,248 | ---- | M] (Dell Products, LP.) [Auto | Stopped] -- C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe -- (DellDigitalDelivery)
SRV - [2014/03/20 15:49:18 | 000,067,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2014/03/19 12:48:58 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014/03/15 01:40:31 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/12/20 23:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013/11/13 14:23:18 | 000,390,616 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2013/11/13 14:23:08 | 000,169,432 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe -- (jhi_service)
SRV - [2013/07/30 11:14:42 | 000,124,616 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxSvc.exe -- (SboxSvc)
SRV - [2013/07/30 11:14:40 | 002,947,856 | ---- | M] (Invincea, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtectSvc64.exe -- (InvProtectSvc)
SRV - [2013/06/28 16:17:32 | 000,015,344 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorDataMgrSvc.exe -- (IAStorDataMgrSvc)
SRV - [2013/02/01 19:27:40 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2012/07/08 22:40:10 | 000,104,912 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2009/07/23 21:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2014/03/26 22:24:32 | 000,035,344 | ---- | M] (Anvisoft) [File_System | System | Running] -- C:\Windows\SysNative\drivers\asd2fsm.sys -- (asd2fsm)
DRV:64bit: - [2014/03/10 11:38:28 | 000,061,184 | ---- | M] (Dell Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\SEDFilter.sys -- (SEDFilter)
DRV:64bit: - [2014/03/10 11:38:28 | 000,037,120 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\CredFltL.sys -- (CredFltL)
DRV:64bit: - [2013/11/13 14:23:10 | 000,099,288 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\TeeDriverx64.sys -- (MEIx64)
DRV:64bit: - [2013/10/28 11:27:28 | 000,219,184 | ---- | M] (ESET) [File_System | System | Running] -- C:\Windows\SysNative\drivers\eamonm.sys -- (eamonm)
DRV:64bit: - [2013/09/09 13:55:48 | 000,155,896 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ehdrv.sys -- (ehdrv)
DRV:64bit: - [2013/09/09 13:55:48 | 000,147,096 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV:64bit: - [2013/08/15 18:05:50 | 002,191,832 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RTDVHD64.sys -- (IntcAzAudAddService)
DRV:64bit: - [2013/07/19 08:39:00 | 000,021,264 | ---- | M] (Dell Computer Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\POADrvr.sys -- (POADrvr)
DRV:64bit: - [2013/07/01 12:33:48 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2013/07/01 12:33:40 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2013/07/01 12:33:40 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2013/06/28 16:16:40 | 000,660,880 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\iaStorS.sys -- (iaStorS)
DRV:64bit: - [2013/06/28 16:16:38 | 000,582,032 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStorA.sys -- (iaStorA)
DRV:64bit: - [2013/06/28 16:16:38 | 000,026,512 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStorF.sys -- (iaStorF)
DRV:64bit: - [2013/06/28 02:19:30 | 000,093,544 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ctxusbm.sys -- (ctxusbm)
DRV:64bit: - [2013/05/16 03:09:42 | 011,664,384 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
DRV:64bit: - [2013/05/16 01:27:04 | 000,581,120 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
DRV:64bit: - [2013/05/16 00:10:44 | 000,038,144 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdkmpfd.sys -- (amdkmpfd)
DRV:64bit: - [2013/04/29 13:13:21 | 000,023,312 | ---- | M] (Dell Computer Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\DellProf.sys -- (DellProf)
DRV:64bit: - [2013/03/18 16:51:08 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2013/02/21 01:40:52 | 000,033,616 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\iqvw64e.sys -- (NAL)
DRV:64bit: - [2013/02/20 22:14:04 | 000,495,888 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress)
DRV:64bit: - [2013/02/14 06:41:10 | 000,096,768 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtihdW76.sys -- (AtiHDAudioService)
DRV:64bit: - [2012/08/27 17:51:00 | 000,230,280 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rusb3xhc.sys -- (rusb3xhc)
DRV:64bit: - [2012/08/27 17:50:58 | 000,114,568 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\rusb3hub.sys -- (rusb3hub)
DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2010/11/20 20:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 20:23:48 | 000,168,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netvsc60.sys -- (netvsc)
DRV:64bit: - [2010/11/20 20:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 20:23:48 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VMBusVideoM.sys -- (SynthVid)
DRV:64bit: - [2010/11/20 20:23:47 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2010/11/20 20:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 20:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2009/07/13 18:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 18:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 18:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 13:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 13:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 13:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 13:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2014/08/18 14:07:50 | 000,033,512 | ---- | M] () [Kernel | On_Demand | Unknown] -- C:\Windows\SysWOW64\drivers\TrueSight.sys -- (TrueSight)
DRV - [2013/07/30 11:14:42 | 000,202,248 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Invincea\Enterprise\Sandbox\SboxDrv.sys -- (SboxDrv)
DRV - [2013/07/30 11:14:40 | 000,034,824 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Program Files (x86)\Invincea\Enterprise\X64\InvProtectDrv64.sys -- (InvProtectDrv)
DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-764110063-4023192198-2192342070-1115\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
IE - HKU\S-1-5-21-764110063-4023192198-2192342070-1115\..\SearchScopes,DefaultScope = {ACA84257-AAEF-4B4C-B1C0-7635B3D483EC}
IE - HKU\S-1-5-21-764110063-4023192198-2192342070-1115\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR
IE - HKU\S-1-5-21-764110063-4023192198-2192342070-1115\..\SearchScopes\{ACA84257-AAEF-4B4C-B1C0-7635B3D483EC}: "URL" = https://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-21-764110063-4023192198-2192342070-1115\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-764110063-4023192198-2192342070-1115\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:28.0
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Citrix.com/npican: C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI updater: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF - HKLM\Software\MozillaPlugins\digitalpersona.com/ChromeDPAgent: C:\Program Files (x86)\Dell\Dell Data Protection\Security Tools Authentication\Bin\BrowserExt\components\npChromeDPAgent.dll (DigitalPersona, Inc.)
FF - HKCU\Software\MozillaPlugins\anvisoft.com/AdblockPlugin: C:\ProgramData\Anvisoft\Anvi Smart Defender 2\extensions\npAdblockPlugin.dll File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\web2pdfextension@web2pdf.adobedotcom: C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014/04/04 21:09:30 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\dpmaxz_ng@jetpack: C:\Program Files (x86)\Dell\Dell Data Protection\Security Tools Authentication\Bin\BrowserExt\dpchrome [2014/04/04 18:20:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 28.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 28.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Endpoint Antivirus\Mozilla Thunderbird [2014/04/24 20:00:43 | 000,000,000 | ---D | M]
 
[2014/04/24 19:57:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\RPugach\AppData\Roaming\mozilla\Extensions
[2014/04/24 20:05:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\RPugach\AppData\Roaming\mozilla\Firefox\Profiles\w3eizqpo.default\extensions
[2014/05/07 21:05:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
[2014/04/24 19:56:49 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
O1 HOSTS File: ([2014/09/09 21:06:30 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2:64bit: - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O2:64bit: - BHO: (Adobe Acrobat Create PDF Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
O2:64bit: - BHO: (Microsoft SkyDrive Pro Browser Helper) - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
O2:64bit: - BHO: (Adobe Acrobat Create PDF from Selection) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe Acrobat Create PDF Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\office15\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Adobe Acrobat Create PDF from Selection) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3:64bit: - HKLM\..\Toolbar: (Adobe Acrobat Create PDF Toolbar) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe Acrobat Create PDF Toolbar) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3:64bit: - HKU\S-1-5-21-764110063-4023192198-2192342070-1115\..\Toolbar\WebBrowser: (Adobe Acrobat Create PDF Toolbar) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-764110063-4023192198-2192342070-1115\..\Toolbar\WebBrowser: (Adobe Acrobat Create PDF Toolbar) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [CSFTrayApp] "C:\Program Files\Dell\Dell Data Protection\Client Security Framework\Dell.SecurityManager.SystrayApp.exe" showtraymin File not found
O4:64bit: - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe (ESET)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtDCpl64.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files (x86)\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology enterprise\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [RUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe (Renesas Electronics Corporation)
O4 - HKLM..\Run: [StartCCC] c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-764110063-4023192198-2192342070-1115..\Run: [HydraVisionDesktopManager] C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe (AMD)
O4 - Startup: C:\Users\RPugach\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk = C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-764110063-4023192198-2192342070-1115\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-764110063-4023192198-2192342070-1115\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE (Microsoft Corporation)
O8:64bit: - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll (Microsoft Corporation)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9:64bit: - Extra Button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9:64bit: - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesX64\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PacificCoastUrology.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7B702A2C-769B-4EE6-BF72-6CD998FEE073}: NameServer = 192.168.1.200
O18:64bit: - Protocol\Handler\osf - No CLSID value found
O18 - Protocol\Handler\osf {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\office15\MSOSB.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/09/24 23:33:38 | 000,128,728 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/09/24 23:33:16 | 000,092,888 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014/09/22 20:20:06 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2014/09/21 22:39:26 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Dell Digital Delivery
[2014/09/21 22:17:43 | 000,957,952 | ---- | C] (Farbar) -- C:\Users\RPugach\Desktop\ListParts64.exe
[2014/09/21 22:15:28 | 002,105,856 | ---- | C] (Farbar) -- C:\Users\RPugach\Desktop\FRST64.exe
[2014/09/21 15:50:39 | 000,000,000 | ---D | C] -- C:\Users\RPugach\AppData\Local\CrashDumps
[2014/09/18 17:18:34 | 000,000,000 | ---D | C] -- C:\FRST
[2014/09/11 03:03:22 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2014/09/11 03:03:21 | 000,451,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtmsft.dll
[2014/09/11 03:03:21 | 000,281,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxtrans.dll
[2014/09/11 03:03:21 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msrating.dll
[2014/09/11 03:03:21 | 000,163,840 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msrating.dll
[2014/09/11 03:03:21 | 000,080,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2014/09/11 03:03:21 | 000,051,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ie4uinit.exe
[2014/09/11 03:03:20 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2014/09/11 03:03:20 | 000,391,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2014/09/11 03:03:20 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesetup.dll
[2014/09/11 03:03:20 | 000,061,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesetup.dll
[2014/09/11 03:03:19 | 000,855,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2014/09/11 03:03:19 | 000,690,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2014/09/11 03:03:19 | 000,603,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2014/09/11 03:03:19 | 000,109,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iesysprep.dll
[2014/09/11 03:03:19 | 000,089,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RegisterIEPKEYs.exe
[2014/09/11 03:03:19 | 000,071,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RegisterIEPKEYs.exe
[2014/09/11 03:03:19 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iernonce.dll
[2014/09/11 03:03:18 | 003,959,296 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2014/09/11 03:03:18 | 000,136,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iesysprep.dll
[2014/09/11 03:03:18 | 000,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iernonce.dll
[2014/09/11 03:03:16 | 001,508,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2014/09/11 03:03:16 | 001,440,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2014/09/10 13:37:49 | 001,460,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\lsasrv.dll
[2014/09/02 18:59:36 | 000,000,000 | ---D | C] -- C:\Users\RPugach\AppData\Local\Microsoft Help
[2014/08/27 22:42:18 | 000,404,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\gdi32.dll
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/09/25 19:48:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/09/24 23:51:09 | 000,021,312 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/09/24 23:51:09 | 000,021,312 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/09/24 23:46:59 | 000,678,422 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014/09/24 23:46:59 | 000,127,532 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014/09/24 23:44:18 | 000,131,072 | -HS- | M] () -- C:\CredSED.dat
[2014/09/24 23:42:47 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/09/24 23:42:44 | 2103,574,527 | -HS- | M] () -- C:\hiberfil.sys
[2014/09/24 23:33:38 | 000,128,728 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/09/24 23:33:16 | 000,092,888 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014/09/22 21:09:23 | 000,800,700 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2014/09/22 18:02:12 | 000,783,606 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014/09/21 22:17:50 | 000,957,952 | ---- | M] (Farbar) -- C:\Users\RPugach\Desktop\ListParts64.exe
[2014/09/18 17:18:20 | 002,105,856 | ---- | M] (Farbar) -- C:\Users\RPugach\Desktop\FRST64.exe
[2014/09/09 21:06:30 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2014/08/28 03:17:16 | 000,345,024 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[1 C:\Windows\SysNative\*.tmp files -> C:\Windows\SysNative\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/08/18 14:07:50 | 000,033,512 | ---- | C] () -- C:\Windows\SysWow64\drivers\TrueSight.sys
[2014/06/11 19:53:58 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2014/05/07 10:46:38 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2014/05/07 10:46:38 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2014/05/07 10:46:37 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2014/05/07 10:46:37 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2014/04/24 20:08:21 | 000,000,090 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2014/04/24 19:49:00 | 000,408,576 | ---- | C] () -- C:\Windows\SysWow64\hpcc3140.DLL
[2014/04/04 18:19:43 | 000,002,794 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2014/04/04 18:19:42 | 000,000,206 | ---- | C] () -- C:\Windows\hbcikrnl.ini
[2014/03/19 14:26:54 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2014/03/19 14:26:54 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2014/03/19 14:26:51 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2014/03/19 14:26:44 | 000,798,734 | ---- | C] () -- C:\Windows\SysWow64\amdocl_ld32.exe
[2014/03/19 14:26:43 | 000,995,342 | ---- | C] () -- C:\Windows\SysWow64\amdocl_as32.exe
[2014/03/19 13:00:28 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2013/08/27 12:00:08 | 000,001,536 | ---- | C] () -- C:\Windows\SysWow64\IusEventLog.dll
[2012/11/26 23:18:46 | 000,038,912 | ---- | C] () -- C:\Windows\SysWow64\kdbsdk32.dll
 
========== ZeroAccess Check ==========
 
[2009/07/13 21:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/03/24 19:43:12 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/03/24 19:09:54 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 18:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 20:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 18:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

< End of report >

 

 

EDIT:  Couldn't find extra.txt


Edited by clipster, 25 September 2014 - 10:36 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users