
malwarebytes anti rootkit forged physical sector


  • This topic is locked
10 replies to this topic

#1 bkneeland

bkneeland

  • Members
  • 6 posts

Posted 11 September 2014 - 01:47 PM

I have a PC that seems to have a rootkit. However, when I remove it using Malwarebytes Anti-Rootkit, it comes right back when I reboot.

Here is the output from my DDS scan:


DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.17514  BrowserJavaVersion: 10.65.2
Run by BKneeland at 14:41:16 on 2014-09-11
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\nvwmi64.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\nvwmi64.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
C:\Program Files\Broadcom\BPowMon\BPowMon.exe
C:\Program Files\CoSoSys\Endpoint Protector\cssguard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files\CoSoSys\Endpoint Protector\EPPservice.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\Program Files (x86)\PGP Corporation\PGP Desktop\RDDService.exe
C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\UI0Detect.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Users\ABrennan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\CoSoSys\Endpoint Protector\EPPNotifier.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\mobsync.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRunOnce: [Report] \AdwCleaner\AdwCleaner[S0].txt
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [RemoteControl9] "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
mRun: [PeachtreePrefetcher.exe] C:\Program Files (x86)\Sage\Peachtree\PeachtreePrefetcher.exe /configfile:peachtreeprefetcher.winstart.config
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: [Malwarebytes Anti-Rootkit (cleanup)] "C:\ProgramData\Malwarebytes' Anti-Malware (portable)\mbamdor.exe" "C:\ProgramData\Malwarebytes' Anti-Malware (portable)"
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: NameServer = 192.168.100.45 192.168.100.51
TCP: Interfaces\{C6DE5743-409F-481B-8845-E5D1C70E6CEC} : NameServer = 192.168.100.45,192.168.100.51
TCP: Interfaces\{C6DE5743-409F-481B-8845-E5D1C70E6CEC} : DHCPNameServer = 192.168.100.45 192.168.100.51
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
AppInit_DLLs= C:\Windows\System32\PGPmapih.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
x64-Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
x64-Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
x64-DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\bkneeland\AppData\Roaming\Mozilla\Firefox\Profiles\4d2jsxxg.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPEltr32.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
.
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64
R? Impcd;Impcd
R? LMIRfsClientNP;LMIRfsClientNP
R? Peachtree SmartPosting 2011;Peachtree SmartPosting 2011
R? RdpVideoMiniport;Remote Desktop Video Miniport Driver
R? StorSvc;Storage Service
R? TsUsbFlt;TsUsbFlt
R? WatAdminSvc;Windows Activation Technologies Service
S? AERTFilters;Andrea RT Filters Service
S? BPowMon;Broadcom Power monitoring service
S? cssguard;cssguard
S? eamonm;eamonm
S? ekrn;ESET Service
S? Endpoint Protector;Endpoint Protector
S? epfwwfpr;epfwwfpr
S? HECIx64;Intel® Management Engine Interface
S? hmpalert;HitmanPro.Alert Support Driver
S? hmpalertsvc;HitmanPro.Alert Service
S? IAStorDataMgrSvc;Intel® Rapid Storage Technology
S? k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0
S? LMIGuardianSvc;LMIGuardianSvc
S? LMIInfo;LogMeIn Kernel Information Provider
S? LMIRfsDriver;LogMeIn Remote File System Driver
S? NVIDIA Performance Driver Service;NVIDIA Performance Driver Service
S? NVWMI;NVIDIA WMI Provider
S? PGP RDD Service;PGP RDD Service
S? pgpfs;PGP File Sharing
S? Pgpwdefs;Pgpwdefs
S? psqlWGE;Pervasive PSQL Workgroup Engine
S? PxHlpa64;PxHlpa64
S? sieflt;sieflt
S? Stereo Service;NVIDIA Stereoscopic 3D Driver Service
.
=============== Created Last 30 ================
.
2014-09-11 18:25:09 -------- d-----w- C:\Program Files (x86)\ESET
2014-09-11 17:50:42 -------- d-----w- C:\AdwCleaner
2014-09-11 17:36:27 -------- d-----w- C:\Program Files\HitmanPro
2014-09-11 17:35:53 -------- d-----w- C:\ProgramData\HitmanPro
2014-09-11 17:35:21 -------- d-----w- C:\Windows\CryptoGuard
2014-09-11 17:35:05 93144 ----a-w- C:\Windows\System32\drivers\hmpalert.sys
2014-09-11 17:35:05 548424 ----a-w- C:\Windows\System32\hmpalert.dll
2014-09-11 17:35:05 477008 ----a-w- C:\Windows\SysWow64\hmpalert.dll
2014-09-11 17:35:05 -------- d-----w- C:\Program Files (x86)\HitmanPro.Alert
2014-09-11 17:12:08 -------- d-----w- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-09-11 17:08:24 -------- d-----w- C:\antirootkit
2014-09-11 16:59:10 33512 ----a-w- C:\Windows\SysWow64\drivers\TrueSight.sys
2014-09-11 16:59:08 -------- d-----w- C:\ProgramData\RogueKiller
2014-09-11 16:35:34 -------- d-----w- C:\Users\bkneeland\AppData\Roaming\Intel Corporation
2014-09-11 16:35:31 -------- d-----w- C:\Users\bkneeland\AppData\Roaming\PGP Corporation
2014-09-11 16:32:36 -------- d-sh--w- C:\$RECYCLE.BIN
2014-09-11 16:32:34 -------- d-----w- C:\Users\bkneeland\AppData\Local\VirtualStore
2014-09-11 16:31:37 -------- d-----w- C:\Users\bkneeland\AppData\Roaming\Windows Small Business Server
2014-09-11 16:03:07 -------- d-----w- C:\Users\bkneeland\AppData\Local\temp
2014-09-11 15:42:55 98816 ----a-w- C:\Windows\sed.exe
2014-09-11 15:42:55 256000 ----a-w- C:\Windows\PEV.exe
2014-09-11 15:42:55 208896 ----a-w- C:\Windows\MBR.exe
2014-09-11 15:01:21 128728 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-09-11 15:00:27 92888 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-09-11 15:00:27 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-09-11 15:00:27 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-09-11 15:00:25 -------- d-----w- C:\ProgramData\Malwarebytes
2014-09-11 15:00:25 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-11 15:00:08 -------- d-----w- C:\Users\bkneeland\AppData\Local\Programs
2014-09-11 14:36:59 2620928 ----a-w- C:\Windows\System32\wucltux.dll
2014-09-11 14:36:34 97792 ----a-w- C:\Windows\System32\wudriver.dll
2014-09-11 14:36:34 92672 ----a-w- C:\Windows\SysWow64\wudriver.dll
2014-09-11 14:33:02 36864 ----a-w- C:\Windows\System32\wuapp.exe
2014-09-11 14:33:02 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2014-09-11 14:33:02 198600 ----a-w- C:\Windows\System32\wuwebv.dll
2014-09-11 14:33:02 179656 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2014-09-11 14:13:20 -------- d--h--w- C:\Windows\System32\CanonMF Uninstaller Information
2014-09-11 14:13:13 90624 ----a-w- C:\Windows\System32\CNCLSC44c.DLL
2014-09-11 14:13:13 189952 ----a-w- C:\Windows\System32\CNCLSU44c.DLL
2014-09-11 14:13:13 132096 ----a-w- C:\Windows\System32\CNCLSD44c.DLL
2014-09-11 14:13:13 118272 ----a-w- C:\Windows\System32\CNCLSI44c.DLL
2014-09-11 14:13:13 105472 ----a-w- C:\Windows\System32\CNCLST44c.DLL
2014-09-11 14:13:11 374272 ----a-w- C:\Windows\System32\CNCC530.DLL
2014-09-11 14:13:11 152576 ----a-w- C:\Windows\System32\CNCE530.DLL
2014-09-11 14:13:11 134144 ----a-w- C:\Windows\System32\CNCL530.DLL
2014-09-11 14:13:11 118272 ----a-w- C:\Windows\System32\CNCI530.DLL
2014-09-11 14:12:54 1006080 ----a-w- C:\Windows\System32\CNAS0MOK.DLL
2014-09-11 14:12:48 -------- d-----w- C:\Program Files\Canon
2014-09-10 08:56:37 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B7B3356F-55D5-4185-982D-914A3F36D21C}\offreg.dll
2014-09-10 08:55:17 11319192 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B7B3356F-55D5-4185-982D-914A3F36D21C}\mpengine.dll
2014-08-14 14:31:06 -------- d-----w- C:\Program Files\Microsoft Mouse and Keyboard Center
.
==================== Find3M  ====================
.
2014-09-10 14:37:27 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-10 14:37:27 701104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-08-05 13:20:00 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-07-11 07:02:05 98216 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
.
============= FINISH: 14:44:35.82 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional 
Boot Device: \Device\HarddiskVolume2
Install Date: 6/6/2011 11:32:23 AM
System Uptime: 9/11/2014 1:54:50 PM (1 hours ago)
.
Motherboard: Dell Inc. |  | 0XC7MM
Processor: Intel® Core™ i5 CPU         650  @ 3.20GHz | CPU 1 | 1184/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 297 GiB total, 236.133 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e978-e325-11ce-bfc1-08002be10318}
Description: Communications Port
Device ID: ACPI\PNP0501\1
Manufacturer: (Standard port types)
Name: Communications Port (COM1)
PNP Device ID: ACPI\PNP0501\1
Service: Serial
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Canon D530/D560
Device ID: USB\VID_04A9&PID_2775&MI_00\7&8766D2E&0&0000
Manufacturer: Canon
Name: Canon D530/D560
PNP Device ID: USB\VID_04A9&PID_2775&MI_00\7&8766D2E&0&0000
Service: usbscan
.
==== System Restore Points ===================
.
RP221: 8/1/2014 12:00:05 AM - Scheduled Checkpoint
RP222: 8/8/2014 12:00:08 AM - Scheduled Checkpoint
RP223: 8/14/2014 10:29:16 AM - DCInstallRestorePoint
RP224: 8/20/2014 4:56:08 AM - Windows Update
RP225: 8/28/2014 12:00:04 AM - Scheduled Checkpoint
RP226: 9/5/2014 12:00:03 AM - Scheduled Checkpoint
RP227: 9/11/2014 10:30:58 AM - Windows Update
RP228: 9/11/2014 10:46:53 AM - Installed User Profile Hive Cleanup Service
RP229: 9/11/2014 1:25:25 PM - Malwarebytes Anti-Rootkit Restore Point
RP230: 9/11/2014 1:43:20 PM - Checkpoint by HitmanPro
.
==== Installed Programs ======================
.
Adobe Flash Player 15 ActiveX
Broadcom Management Programs
Canon D530/D560
Citrix Online Launcher
Click-N-Ship for Business®
Crystal Reports 2008 Runtime SP1
CyberLink PowerDVD 9.5
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Edoc Viewer
Endpoint Protector
ESET NOD32 Antivirus
ESET Online Scanner v3
Foxit PhantomPDF
HitmanPro 3.7
HitmanPro.Alert
ImgBurn
Intel® Control Center
Intel® Rapid Storage Technology
Java 7 Update 60
Java Auto Updater
Java™ 6 Update 21 (64-bit)
Java™ 6 Update 24
LogMeIn
Malwarebytes Anti-Malware version 2.0.2.1012
Microsoft .NET Framework 4 Client Profile
Microsoft Mouse and Keyboard Center
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Business 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 11.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA 3D Vision Controller Driver 320.49
NVIDIA 3D Vision Driver 320.49
NVIDIA Control Panel 320.49
NVIDIA Graphics Driver 320.49
NVIDIA Install Application
NVIDIA nView 140.62
NVIDIA nView Desktop Manager
NVIDIA Performance Drivers
NVIDIA Stereoscopic 3D Driver
NVIDIA WMI 2.12.0
Paint.NET v3.5.10
Peachtree Accounting 2011
PeachTree Signature Ready Forms
Pervasive PSQL v10 SP2 Workgroup (32-bit)
PGP Desktop
Realtek High Definition Audio Driver
Sage Integration Services
Sage Message Center
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2898855v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2901110v2)
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598243) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687510) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Publisher 2010 (KB2553147) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2863926) 32-Bit Edition
Stamps.com
Stamps.com Application Support for Microsoft Word 2000-2010
Stamps.com support for Microsoft Word 2000-2010
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition
Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
Update for Microsoft Visio 2010 (KB2553444) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
UPS Thermal Printer Plugin - Version 8.10
Windows Live Mesh ActiveX Control for Remote Connections
Windows Small Business Server 2008 ClientAgent
Yahoo! Detect
.
==== End Of File ===========================

#2 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender:Male

Posted 11 September 2014 - 01:53 PM

Hi,

Please run the following scans:


Step 1

Please download TDSSKiller and save it to your Desktop.
  • Start tdsskiller.exe with administrator privileges.
  • Accept the EULA and the KSN Statement.
  • Click on Change parameters.
  • Make sure that all available options (except "Loaded modules") are checked and click OK.
  • Click on Start scan.
  • If any threats are found don't delete them but choose the Skip option for all of them.
  • Click on Report to open the log file. (It is also saved at C:\TDSSKiller.<version_date_time>_log.txt).
    Copy and paste its contents in your next reply.


Step 2

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them, as only the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.


#3 bkneeland

bkneeland
  • Topic Starter

  • Members
  • 6 posts

Posted 11 September 2014 - 02:07 PM

Here is the TDSS report; FRST to follow.

15:03:04.0557 0x1664  TDSS rootkit removing tool 3.0.0.40 Jul 10 2014 12:37:58
15:03:08.0165 0x1664  ============================================================
15:03:08.0165 0x1664  Current date / time: 2014/09/11 15:03:08.0165
15:03:08.0165 0x1664  SystemInfo:
15:03:08.0165 0x1664  
15:03:08.0165 0x1664  OS Version: 6.1.7601 ServicePack: 1.0
15:03:08.0165 0x1664  Product type: Workstation
15:03:08.0165 0x1664  ComputerName: JANGO
15:03:08.0165 0x1664  UserName: BKneeland
15:03:08.0166 0x1664  Windows directory: C:\Windows
15:03:08.0166 0x1664  System windows directory: C:\Windows
15:03:08.0166 0x1664  Running under WOW64
15:03:08.0166 0x1664  Processor architecture: Intel x64
15:03:08.0166 0x1664  Number of processors: 4
15:03:08.0166 0x1664  Page size: 0x1000
15:03:08.0166 0x1664  Boot type: Normal boot
15:03:08.0166 0x1664  ============================================================
15:03:08.0922 0x1664  KLMD registered as C:\Windows\system32\drivers\31004850.sys
15:03:10.0203 0x1664  System UUID: {45B1BC0C-F6B8-5088-52B1-2575DCC86736}
15:03:11.0067 0x1664  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 ( 298.09 Gb ), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
15:03:11.0073 0x1664  Drive \Device\Harddisk1\DR1 - Size: 0x77700000 ( 1.87 Gb ), SectorSize: 0x200, Cylinders: 0xF3, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:03:11.0078 0x1664  ============================================================
15:03:11.0078 0x1664  \Device\Harddisk0\DR0:
15:03:11.0078 0x1664  MBR partitions:
15:03:11.0078 0x1664  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x177000
15:03:11.0078 0x1664  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x18B000, BlocksNum 0x252A3000
15:03:11.0078 0x1664  \Device\Harddisk1\DR1:
15:03:11.0079 0x1664  MBR partitions:
15:03:11.0079 0x1664  \Device\Harddisk1\DR1\Partition1: MBR, Type 0x6, StartLBA 0x1F80, BlocksNum 0x3B9880
15:03:11.0079 0x1664  ============================================================
15:03:11.0085 0x1664  Initialize success
15:03:11.0085 0x1664  ============================================================
15:03:28.0080 0x0888  ============================================================
15:03:28.0080 0x0888  Scan started
15:03:28.0080 0x0888  Mode: Manual; SigCheck; TDLFS; 
15:03:28.0080 0x0888  ============================================================
15:03:28.0080 0x0888  KSN ping started
15:03:38.0075 0x0888  KSN ping finished: true
15:03:38.0503 0x0888  ================ Scan system memory ========================
15:03:38.0503 0x0888  System memory - ok
15:03:38.0504 0x0888  ================ Scan services =============================
15:03:38.0555 0x0888  1394ohci - ok
15:03:38.0561 0x0888  ACPI - ok
15:03:38.0567 0x0888  AcpiPmi - ok
15:03:38.0588 0x0888  AdobeFlashPlayerUpdateSvc - ok
15:03:38.0592 0x0888  adp94xx - ok
15:03:38.0595 0x0888  adpahci - ok
15:03:38.0597 0x0888  adpu320 - ok
15:03:38.0601 0x0888  AeLookupSvc - ok
15:03:38.0605 0x0888  AERTFilters - ok
15:03:38.0616 0x0888  AFD - ok
15:03:38.0618 0x0888  agp440 - ok
15:03:38.0621 0x0888  ALG - ok
15:03:38.0624 0x0888  aliide - ok
15:03:38.0627 0x0888  amdide - ok
15:03:38.0629 0x0888  AmdK8 - ok
15:03:38.0632 0x0888  AmdPPM - ok
15:03:38.0635 0x0888  amdsata - ok
15:03:38.0637 0x0888  amdsbs - ok
15:03:38.0640 0x0888  amdxata - ok
15:03:38.0643 0x0888  AppID - ok
15:03:38.0646 0x0888  AppIDSvc - ok
15:03:38.0650 0x0888  Appinfo - ok
15:03:38.0652 0x0888  AppMgmt - ok
15:03:38.0660 0x0888  arc - ok
15:03:38.0663 0x0888  arcsas - ok
15:03:38.0672 0x0888  AsyncMac - ok
15:03:38.0674 0x0888  atapi - ok
15:03:38.0677 0x0888  AudioEndpointBuilder - ok
15:03:38.0680 0x0888  AudioSrv - ok
15:03:38.0684 0x0888  AxInstSV - ok
15:03:38.0687 0x0888  b06bdrv - ok
15:03:38.0689 0x0888  b57nd60a - ok
15:03:38.0693 0x0888  BDESVC - ok
15:03:38.0696 0x0888  Beep - ok
15:03:38.0706 0x0888  BFE - ok
15:03:38.0709 0x0888  BITS - ok
15:03:38.0726 0x0888  blbdrive - ok
15:03:38.0728 0x0888  bowser - ok
15:03:38.0741 0x0888  BPowMon - ok
15:03:38.0744 0x0888  BrFiltLo - ok
15:03:38.0747 0x0888  BrFiltUp - ok
15:03:38.0760 0x0888  BridgeMP - ok
15:03:38.0762 0x0888  Browser - ok
15:03:38.0765 0x0888  Brserid - ok
15:03:38.0768 0x0888  BrSerWdm - ok
15:03:38.0770 0x0888  BrUsbMdm - ok
15:03:38.0774 0x0888  BrUsbSer - ok
15:03:38.0778 0x0888  BTHMODEM - ok
15:03:38.0782 0x0888  bthserv - ok
15:03:38.0886 0x0888  catchme - ok
15:03:38.0892 0x0888  cdfs - ok
15:03:38.0898 0x0888  cdrom - ok
15:03:38.0904 0x0888  CertPropSvc - ok
15:03:38.0910 0x0888  circlass - ok
15:03:38.0915 0x0888  CLFS - ok
15:03:38.0921 0x0888  clr_optimization_v2.0.50727_32 - ok
15:03:38.0927 0x0888  clr_optimization_v2.0.50727_64 - ok
15:03:38.0946 0x0888  clr_optimization_v4.0.30319_32 - ok
15:03:38.0949 0x0888  clr_optimization_v4.0.30319_64 - ok
15:03:38.0952 0x0888  CmBatt - ok
15:03:38.0955 0x0888  cmdide - ok
15:03:38.0958 0x0888  CNG - ok
15:03:38.0961 0x0888  Compbatt - ok
15:03:38.0989 0x0888  CompositeBus - ok
15:03:38.0993 0x0888  COMSysApp - ok
15:03:39.0000 0x0888  crcdisk - ok
15:03:39.0035 0x0888  CryptSvc - ok
15:03:39.0040 0x0888  CSC - ok
15:03:39.0046 0x0888  CscService - ok
15:03:39.0052 0x0888  cssguard - ok
15:03:39.0123 0x0888  DcomLaunch - ok
15:03:39.0129 0x0888  defragsvc - ok
15:03:39.0135 0x0888  DfsC - ok
15:03:39.0141 0x0888  Dhcp - ok
15:03:39.0143 0x0888  discache - ok
15:03:39.0146 0x0888  Disk - ok
15:03:39.0177 0x0888  Dnscache - ok
15:03:39.0182 0x0888  dot3svc - ok
15:03:39.0188 0x0888  DPS - ok
15:03:39.0215 0x0888  drmkaud - ok
15:03:39.0221 0x0888  DXGKrnl - ok
15:03:39.0227 0x0888  eamonm - ok
15:03:39.0233 0x0888  EapHost - ok
15:03:39.0238 0x0888  ebdrv - ok
15:03:39.0244 0x0888  EFS - ok
15:03:39.0249 0x0888  ehdrv - ok
15:03:39.0255 0x0888  ehRecvr - ok
15:03:39.0260 0x0888  ehSched - ok
15:03:39.0263 0x0888  EhttpSrv - ok
15:03:39.0266 0x0888  ekrn - ok
15:03:39.0269 0x0888  elxstor - ok
15:03:39.0271 0x0888  Endpoint Protector - ok
15:03:39.0274 0x0888  epfwwfpr - ok
15:03:39.0277 0x0888  ErrDev - ok
15:03:39.0282 0x0888  EventSystem - ok
15:03:39.0285 0x0888  exfat - ok
15:03:39.0287 0x0888  fastfat - ok
15:03:39.0309 0x0888  Fax - ok
15:03:39.0311 0x0888  fdc - ok
15:03:39.0324 0x0888  fdPHost - ok
15:03:39.0330 0x0888  FDResPub - ok
15:03:39.0334 0x0888  FileInfo - ok
15:03:39.0340 0x0888  Filetrace - ok
15:03:39.0346 0x0888  flpydisk - ok
15:03:39.0351 0x0888  FltMgr - ok
15:03:39.0354 0x0888  FontCache - ok
15:03:39.0356 0x0888  FontCache3.0.0.0 - ok
15:03:39.0359 0x0888  FsDepends - ok
15:03:39.0361 0x0888  Fs_Rec - ok
15:03:39.0364 0x0888  fvevol - ok
15:03:39.0367 0x0888  gagp30kx - ok
15:03:39.0369 0x0888  gpsvc - ok
15:03:39.0372 0x0888  hcw85cir - ok
15:03:39.0374 0x0888  HDAudBus - ok
15:03:39.0377 0x0888  HECIx64 - ok
15:03:39.0379 0x0888  HidBatt - ok
15:03:39.0382 0x0888  HidBth - ok
15:03:39.0385 0x0888  HidIr - ok
15:03:39.0387 0x0888  hidserv - ok
15:03:39.0390 0x0888  HidUsb - ok
15:03:39.0392 0x0888  hkmsvc - ok
15:03:39.0397 0x0888  hmpalert - ok
15:03:39.0400 0x0888  hmpalertsvc - ok
15:03:39.0402 0x0888  HomeGroupListener - ok
15:03:39.0405 0x0888  HomeGroupProvider - ok
15:03:39.0407 0x0888  HpSAMD - ok
15:03:39.0410 0x0888  HTTP - ok
15:03:39.0413 0x0888  hwpolicy - ok
15:03:39.0415 0x0888  i8042prt - ok
15:03:39.0418 0x0888  iaStor - ok
15:03:39.0424 0x0888  IAStorDataMgrSvc - ok
15:03:39.0427 0x0888  iaStorV - ok
15:03:39.0432 0x0888  IDriverT - ok
15:03:39.0434 0x0888  idsvc - ok
15:03:39.0437 0x0888  iirsp - ok
15:03:39.0440 0x0888  IKEEXT - ok
15:03:39.0442 0x0888  Impcd - ok
15:03:39.0446 0x0888  IntcAzAudAddService - ok
15:03:39.0448 0x0888  intelide - ok
15:03:39.0451 0x0888  intelppm - ok
15:03:39.0454 0x0888  IPBusEnum - ok
15:03:39.0456 0x0888  IpFilterDriver - ok
15:03:39.0459 0x0888  iphlpsvc - ok
15:03:39.0461 0x0888  IPMIDRV - ok
15:03:39.0464 0x0888  IPNAT - ok
15:03:39.0466 0x0888  IRENUM - ok
15:03:39.0469 0x0888  isapnp - ok
15:03:39.0472 0x0888  iScsiPrt - ok
15:03:39.0474 0x0888  k57nd60a - ok
15:03:39.0486 0x0888  kbdclass - ok
15:03:39.0488 0x0888  kbdhid - ok
15:03:39.0491 0x0888  KeyIso - ok
15:03:39.0494 0x0888  KSecDD - ok
15:03:39.0496 0x0888  KSecPkg - ok
15:03:39.0499 0x0888  ksthunk - ok
15:03:39.0501 0x0888  KtmRm - ok
15:03:39.0504 0x0888  LanmanServer - ok
15:03:39.0507 0x0888  LanmanWorkstation - ok
15:03:39.0512 0x0888  lltdio - ok
15:03:39.0514 0x0888  lltdsvc - ok
15:03:39.0517 0x0888  lmhosts - ok
15:03:39.0556 0x0888  LMIGuardianSvc - ok
15:03:39.0559 0x0888  LMIInfo - ok
15:03:39.0562 0x0888  LMIMaint - ok
15:03:39.0564 0x0888  lmimirr - ok
15:03:39.0576 0x0888  LMIRfsClientNP - ok
15:03:39.0578 0x0888  LMIRfsDriver - ok
15:03:39.0581 0x0888  LogMeIn - ok
15:03:39.0584 0x0888  LSI_FC - ok
15:03:39.0588 0x0888  LSI_SAS - ok
15:03:39.0590 0x0888  LSI_SAS2 - ok
15:03:39.0593 0x0888  LSI_SCSI - ok
15:03:39.0596 0x0888  luafv - ok
15:03:39.0598 0x0888  Mcx2Svc - ok
15:03:39.0601 0x0888  megasas - ok
15:03:39.0603 0x0888  MegaSR - ok
15:03:39.0609 0x0888  MMCSS - ok
15:03:39.0612 0x0888  Modem - ok
15:03:39.0614 0x0888  monitor - ok
15:03:39.0621 0x0888  mouclass - ok
15:03:39.0627 0x0888  mouhid - ok
15:03:39.0641 0x0888  mountmgr - ok
15:03:39.0643 0x0888  mpio - ok
15:03:39.0653 0x0888  mpsdrv - ok
15:03:39.0655 0x0888  MpsSvc - ok
15:03:39.0658 0x0888  MRxDAV - ok
15:03:39.0661 0x0888  mrxsmb - ok
15:03:39.0663 0x0888  mrxsmb10 - ok
15:03:39.0666 0x0888  mrxsmb20 - ok
15:03:39.0669 0x0888  msahci - ok
15:03:39.0671 0x0888  msdsm - ok
15:03:39.0673 0x0888  MSDTC - ok
15:03:39.0679 0x0888  Msfs - ok
15:03:39.0681 0x0888  mshidkmdf - ok
15:03:39.0684 0x0888  msisadrv - ok
15:03:39.0686 0x0888  MSiSCSI - ok
15:03:39.0688 0x0888  msiserver - ok
15:03:39.0697 0x0888  MSKSSRV - ok
15:03:39.0700 0x0888  MSPCLOCK - ok
15:03:39.0703 0x0888  MSPQM - ok
15:03:39.0705 0x0888  MsRPC - ok
15:03:39.0709 0x0888  mssmbios - ok
15:03:39.0712 0x0888  MSTEE - ok
15:03:39.0714 0x0888  MTConfig - ok
15:03:39.0717 0x0888  Mup - ok
15:03:39.0720 0x0888  napagent - ok
15:03:39.0729 0x0888  NativeWifiP - ok
15:03:39.0731 0x0888  NDIS - ok
15:03:39.0734 0x0888  NdisCap - ok
15:03:39.0737 0x0888  NdisTapi - ok
15:03:39.0739 0x0888  Ndisuio - ok
15:03:39.0742 0x0888  NdisWan - ok
15:03:39.0745 0x0888  NDProxy - ok
15:03:39.0748 0x0888  NetBIOS - ok
15:03:39.0750 0x0888  NetBT - ok
15:03:39.0753 0x0888  Netlogon - ok
15:03:39.0755 0x0888  Netman - ok
15:03:39.0758 0x0888  netprofm - ok
15:03:39.0760 0x0888  NetTcpPortSharing - ok
15:03:39.0763 0x0888  nfrd960 - ok
15:03:39.0766 0x0888  NlaSvc - ok
15:03:39.0768 0x0888  Npfs - ok
15:03:39.0771 0x0888  nsi - ok
15:03:39.0774 0x0888  nsiproxy - ok
15:03:39.0778 0x0888  Ntfs - ok
15:03:39.0780 0x0888  Null - ok
15:03:39.0793 0x0888  NVIDIA Performance Driver Service - ok
15:03:39.0796 0x0888  nvlddmkm - ok
15:03:39.0798 0x0888  nvraid - ok
15:03:39.0801 0x0888  nvstor - ok
15:03:39.0803 0x0888  nvsvc - ok
15:03:39.0831 0x0888  NVWMI - ok
15:03:39.0837 0x0888  nv_agp - ok
15:03:39.0843 0x0888  ohci1394 - ok
15:03:39.0866 0x0888  ose - ok
15:03:39.0879 0x0888  osppsvc - ok
15:03:39.0885 0x0888  p2pimsvc - ok
15:03:39.0887 0x0888  p2psvc - ok
15:03:39.0890 0x0888  Parport - ok
15:03:39.0892 0x0888  partmgr - ok
15:03:39.0895 0x0888  PcaSvc - ok
15:03:39.0897 0x0888  pci - ok
15:03:39.0900 0x0888  pciide - ok
15:03:39.0902 0x0888  pcmcia - ok
15:03:39.0905 0x0888  pcw - ok
15:03:39.0908 0x0888  Peachtree SmartPosting 2011 - ok
15:03:39.0911 0x0888  PEAUTH - ok
15:03:39.0914 0x0888  PeerDistSvc - ok
15:03:39.0917 0x0888  PerfHost - ok
15:03:39.0924 0x0888  PGP RDD Service - ok
15:03:39.0930 0x0888  PGPdisk - ok
15:03:39.0933 0x0888  pgpfs - ok
15:03:39.0937 0x0888  PGPsdkDriver - ok
15:03:39.0940 0x0888  PGPwded - ok
15:03:39.0943 0x0888  Pgpwdefs - ok
15:03:39.0945 0x0888  pla - ok
15:03:39.0954 0x0888  PlugPlay - ok
15:03:39.0956 0x0888  PNRPAutoReg - ok
15:03:39.0960 0x0888  PNRPsvc - ok
15:03:39.0962 0x0888  Point64 - ok
15:03:39.0965 0x0888  PolicyAgent - ok
15:03:39.0968 0x0888  Power - ok
15:03:39.0979 0x0888  PptpMiniport - ok
15:03:39.0982 0x0888  Processor - ok
15:03:39.0992 0x0888  ProfSvc - ok
15:03:39.0995 0x0888  ProtectedStorage - ok
15:03:40.0004 0x0888  Psched - ok
15:03:40.0015 0x0888  psqlWGE - ok
15:03:40.0018 0x0888  PxHlpa64 - ok
15:03:40.0021 0x0888  ql2300 - ok
15:03:40.0023 0x0888  ql40xx - ok
15:03:40.0027 0x0888  QWAVE - ok
15:03:40.0029 0x0888  QWAVEdrv - ok
15:03:40.0032 0x0888  RasAcd - ok
15:03:40.0035 0x0888  RasAgileVpn - ok
15:03:40.0037 0x0888  RasAuto - ok
15:03:40.0040 0x0888  Rasl2tp - ok
15:03:40.0043 0x0888  RasMan - ok
15:03:40.0046 0x0888  RasPppoe - ok
15:03:40.0049 0x0888  RasSstp - ok
15:03:40.0051 0x0888  rdbss - ok
15:03:40.0054 0x0888  rdpbus - ok
15:03:40.0056 0x0888  RDPCDD - ok
15:03:40.0060 0x0888  RDPDR - ok
15:03:40.0063 0x0888  RDPENCDD - ok
15:03:40.0067 0x0888  RDPREFMP - ok
15:03:40.0080 0x0888  RdpVideoMiniport - ok
15:03:40.0083 0x0888  RDPWD - ok
15:03:40.0087 0x0888  rdyboost - ok
15:03:40.0089 0x0888  RemoteAccess - ok
15:03:40.0092 0x0888  RemoteRegistry - ok
15:03:40.0095 0x0888  RpcEptMapper - ok
15:03:40.0097 0x0888  RpcLocator - ok
15:03:40.0099 0x0888  RpcSs - ok
15:03:40.0102 0x0888  rspndr - ok
15:03:40.0105 0x0888  s3cap - ok
15:03:40.0107 0x0888  SamSs - ok
15:03:40.0110 0x0888  sbp2port - ok
15:03:40.0112 0x0888  SCardSvr - ok
15:03:40.0116 0x0888  scfilter - ok
15:03:40.0117 0x0888  Schedule - ok
15:03:40.0120 0x0888  SCPolicySvc - ok
15:03:40.0123 0x0888  SDRSVC - ok
15:03:40.0126 0x0888  secdrv - ok
15:03:40.0128 0x0888  seclogon - ok
15:03:40.0130 0x0888  SENS - ok
15:03:40.0133 0x0888  SensrSvc - ok
15:03:40.0140 0x0888  Serenum - ok
15:03:40.0152 0x0888  Serial - ok
15:03:40.0155 0x0888  sermouse - ok
15:03:40.0161 0x0888  SessionEnv - ok
15:03:40.0164 0x0888  sffdisk - ok
15:03:40.0166 0x0888  sffp_mmc - ok
15:03:40.0169 0x0888  sffp_sd - ok
15:03:40.0171 0x0888  sfloppy - ok
15:03:40.0174 0x0888  SharedAccess - ok
15:03:40.0177 0x0888  ShellHWDetection - ok
15:03:40.0187 0x0888  sieflt - ok
15:03:40.0190 0x0888  SiSRaid2 - ok
15:03:40.0193 0x0888  SiSRaid4 - ok
15:03:40.0195 0x0888  Smb - ok
15:03:40.0200 0x0888  SNMPTRAP - ok
15:03:40.0203 0x0888  spldr - ok
15:03:40.0205 0x0888  Spooler - ok
15:03:40.0208 0x0888  sppsvc - ok
15:03:40.0210 0x0888  sppuinotify - ok
15:03:40.0213 0x0888  srv - ok
15:03:40.0215 0x0888  srv2 - ok
15:03:40.0218 0x0888  srvnet - ok
15:03:40.0220 0x0888  SSDPSRV - ok
15:03:40.0223 0x0888  SstpSvc - ok
15:03:40.0226 0x0888  Stereo Service - ok
15:03:40.0229 0x0888  stexstor - ok
15:03:40.0232 0x0888  stisvc - ok
15:03:40.0243 0x0888  storflt - ok
15:03:40.0244 0x0888  StorSvc - ok
15:03:40.0247 0x0888  storvsc - ok
15:03:40.0249 0x0888  swenum - ok
15:03:40.0252 0x0888  swprv - ok
15:03:40.0254 0x0888  SysMain - ok
15:03:40.0257 0x0888  TabletInputService - ok
15:03:40.0260 0x0888  TapiSrv - ok
15:03:40.0263 0x0888  TBS - ok
15:03:40.0265 0x0888  Tcpip - ok
15:03:40.0268 0x0888  TCPIP6 - ok
15:03:40.0271 0x0888  tcpipreg - ok
15:03:40.0276 0x0888  TDPIPE - ok
15:03:40.0278 0x0888  TDTCP - ok
15:03:40.0280 0x0888  tdx - ok
15:03:40.0283 0x0888  TermDD - ok
15:03:40.0285 0x0888  TermService - ok
15:03:40.0288 0x0888  Themes - ok
15:03:40.0290 0x0888  THREADORDER - ok
15:03:40.0294 0x0888  TrkWks - ok
15:03:40.0299 0x0888  TrueSight - ok
15:03:40.0302 0x0888  TrustedInstaller - ok
15:03:40.0305 0x0888  tssecsrv - ok
15:03:40.0309 0x0888  TsUsbFlt - ok
15:03:40.0312 0x0888  tunnel - ok
15:03:40.0314 0x0888  uagp35 - ok
15:03:40.0317 0x0888  udfs - ok
15:03:40.0322 0x0888  UI0Detect - ok
15:03:40.0324 0x0888  uliagpkx - ok
15:03:40.0327 0x0888  umbus - ok
15:03:40.0329 0x0888  UmPass - ok
15:03:40.0332 0x0888  UmRdpService - ok
15:03:40.0334 0x0888  upnphost - ok
15:03:40.0337 0x0888  usbccgp - ok
15:03:40.0339 0x0888  usbcir - ok
15:03:40.0341 0x0888  usbehci - ok
15:03:40.0344 0x0888  usbhub - ok
15:03:40.0346 0x0888  usbohci - ok
15:03:40.0353 0x0888  usbprint - ok
15:03:40.0361 0x0888  usbscan - ok
15:03:40.0364 0x0888  USBSTOR - ok
15:03:40.0366 0x0888  usbuhci - ok
15:03:40.0369 0x0888  UxSms - ok
15:03:40.0371 0x0888  VaultSvc - ok
15:03:40.0374 0x0888  vdrvroot - ok
15:03:40.0377 0x0888  vds - ok
15:03:40.0379 0x0888  vga - ok
15:03:40.0382 0x0888  VgaSave - ok
15:03:40.0384 0x0888  vhdmp - ok
15:03:40.0387 0x0888  viaide - ok
15:03:40.0389 0x0888  vmbus - ok
15:03:40.0392 0x0888  VMBusHID - ok
15:03:40.0394 0x0888  volmgr - ok
15:03:40.0397 0x0888  volmgrx - ok
15:03:40.0399 0x0888  volsnap - ok
15:03:40.0402 0x0888  vsmraid - ok
15:03:40.0404 0x0888  VSS - ok
15:03:40.0407 0x0888  vwifibus - ok
15:03:40.0410 0x0888  W32Time - ok
15:03:40.0413 0x0888  WacomPen - ok
15:03:40.0416 0x0888  WANARP - ok
15:03:40.0419 0x0888  Wanarpv6 - ok
15:03:40.0424 0x0888  WatAdminSvc - ok
15:03:40.0427 0x0888  wbengine - ok
15:03:40.0429 0x0888  WbioSrvc - ok
15:03:40.0432 0x0888  wcncsvc - ok
15:03:40.0434 0x0888  WcsPlugInService - ok
15:03:40.0437 0x0888  Wd - ok
15:03:40.0439 0x0888  Wdf01000 - ok
15:03:40.0451 0x0888  WdiServiceHost - ok
15:03:40.0453 0x0888  WdiSystemHost - ok
15:03:40.0456 0x0888  WebClient - ok
15:03:40.0459 0x0888  Wecsvc - ok
15:03:40.0461 0x0888  wercplsupport - ok
15:03:40.0464 0x0888  WerSvc - ok
15:03:40.0466 0x0888  WfpLwf - ok
15:03:40.0469 0x0888  WIMMount - ok
15:03:40.0472 0x0888  WinDefend - ok
15:03:40.0477 0x0888  WinHttpAutoProxySvc - ok
15:03:40.0479 0x0888  Winmgmt - ok
15:03:40.0482 0x0888  WinRM - ok
15:03:40.0486 0x0888  Wlansvc - ok
15:03:40.0489 0x0888  WmiAcpi - ok
15:03:40.0494 0x0888  wmiApSrv - ok
15:03:40.0496 0x0888  WMPNetworkSvc - ok
15:03:40.0499 0x0888  WPCSvc - ok
15:03:40.0501 0x0888  WPDBusEnum - ok
15:03:40.0503 0x0888  ws2ifsl - ok
15:03:40.0506 0x0888  wscsvc - ok
15:03:40.0509 0x0888  WSearch - ok
15:03:40.0512 0x0888  wuauserv - ok
15:03:40.0515 0x0888  WudfPf - ok
15:03:40.0520 0x0888  WUDFRd - ok
15:03:40.0522 0x0888  wudfsvc - ok
15:03:40.0526 0x0888  WwanSvc - ok
15:03:40.0531 0x0888  ================ Scan global ===============================
15:03:40.0532 0x0888  [ Global ] - ok
15:03:40.0533 0x0888  ================ Scan MBR ==================================
15:03:40.0559 0x0888  [ 911EAF4CA4A13B224C8F2DA807560470 ] \Device\Harddisk0\DR0
15:03:41.0005 0x0888  \Device\Harddisk0\DR0 - ok
15:03:41.0010 0x0888  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk1\DR1
15:03:41.0113 0x0888  \Device\Harddisk1\DR1 - ok
15:03:41.0114 0x0888  ================ Scan VBR ==================================
15:03:41.0117 0x0888  [ 62860E9ECB8F8ACB72FF84FC1D00ACFB ] \Device\Harddisk0\DR0\Partition1
15:03:41.0117 0x0888  \Device\Harddisk0\DR0\Partition1 - ok
15:03:41.0123 0x0888  [ F95D61B8238BA8ABAE0ABFC866D72C71 ] \Device\Harddisk0\DR0\Partition2
15:03:41.0123 0x0888  \Device\Harddisk0\DR0\Partition2 - ok
15:03:41.0130 0x0888  [ 52EF89245CF6E1132BF27912378C4178 ] \Device\Harddisk1\DR1\Partition1
15:03:41.0132 0x0888  \Device\Harddisk1\DR1\Partition1 - ok
15:03:41.0133 0x0888  ================ Scan generic autorun ======================
15:03:41.0133 0x0888  RtHDVCpl - ok
15:03:41.0135 0x0888  egui - ok
15:03:41.0138 0x0888  LogMeIn GUI - ok
15:03:41.0141 0x0888  nwiz - ok
15:03:41.0144 0x0888  Logitech Download Assistant - ok
15:03:41.0146 0x0888  IAStorIcon - ok
15:03:41.0149 0x0888  RemoteControl9 - ok
15:03:41.0151 0x0888  PDVD9LanguageShortcut - ok
15:03:41.0152 0x0888  PeachtreePrefetcher.exe - ok
15:03:41.0154 0x0888  SunJavaUpdateSched - ok
15:03:41.0155 0x0888  Malwarebytes Anti-Rootkit (cleanup) - ok
15:03:41.0156 0x0888  Report - ok
15:03:41.0157 0x0888  Google Update - ok
15:03:41.0158 0x0888  Google Update - ok
15:03:41.0159 0x0888  ChromeFrameHelper - ok
15:03:41.0161 0x0888  FlashPlayerUpdate - ok
15:03:41.0162 0x0888  Sidebar - ok
15:03:41.0163 0x0888  mctadmin - ok
15:03:41.0368 0x0888  AV detected via SS2: ESET NOD32 Antivirus 4.2, C:\Program Files\ESET\ESET NOD32 Antivirus\ecmd.exe ( 4.2.40.0 ), 0x41000 ( enabled : updated )
15:03:41.0414 0x0888  Win FW state via NFP2: enabled
15:03:51.0167 0x0888  ============================================================
15:03:51.0167 0x0888  Scan finished
15:03:51.0167 0x0888  ============================================================
15:03:51.0181 0x101c  Detected object count: 0
15:03:51.0181 0x101c  Actual detected object count: 0


#4 bkneeland

bkneeland
  • Topic Starter

  • Members
  • 6 posts

Posted 11 September 2014 - 02:11 PM

frst.txt

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-09-2014
Ran by BKneeland (administrator) on JANGO on 11-09-2014 15:08:13
Running from \\FALCON\RedirectedFolders\ABrennan\Desktop
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvwmi64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvwmi64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Broadcom Corp.) C:\Program Files\Broadcom\BPowMon\BPowMon.exe
(CoSoSys) C:\Program Files\CoSoSys\Endpoint Protector\cssguard.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
(CoSoSys) C:\Program Files\CoSoSys\Endpoint Protector\EPPservice.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
() C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
(Symantec Corporation) C:\Program Files (x86)\PGP Corporation\PGP Desktop\RDDService.exe
(Pervasive Software Inc.) C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
(Microsoft Corporation) C:\Windows\System32\UI0Detect.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Google Inc.) C:\Users\ABrennan\AppData\Local\Google\Update\GoogleUpdate.exe
(CoSoSys) C:\Program Files\CoSoSys\Endpoint Protector\EPPNotifier.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Google Inc.) C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\chrome.exe
(Kaspersky Lab ZAO) C:\Users\ABrennan\Downloads\tdsskiller.exe
(Farbar) \\FALCON\RedirectedFolders\ABrennan\Desktop\FRST64.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8067616 2009-08-18] (Realtek Semiconductor)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2839840 2010-03-24] (ESET)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2012-11-29] (LogMeIn, Inc.)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2722080 2013-06-21] ()
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM-x32\...\Run: [RemoteControl9] => C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2009-07-06] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] => C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-04-29] (CyberLink Corp.)
HKLM-x32\...\Run: [PeachtreePrefetcher.exe] => C:\Program Files (x86)\Sage\Peachtree\PeachtreePrefetcher.exe [29512 2011-10-25] (Sage Software, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-11] (Oracle Corporation)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Rootkit (cleanup)] => C:\ProgramData\Malwarebytes' Anti-Malware (portable)\mbamdor.exe [54072 2014-06-03] (Malwarebytes Corporation)
HKU\S-1-5-21-2085502815-2282799138-214299463-1921\...\RunOnce: [Report] => \AdwCleaner\AdwCleaner[S0].txt
HKU\S-1-5-21-2085502815-2282799138-214299463-2647\...\Run: [Google Update] => C:\Users\ABrennan\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-03-20] (Google Inc.)
AppInit_DLLs: C:\Windows\System32\PGPmapih.dll => C:\Windows\System32\PGPmapih.dll [76464 2011-09-19] (Symantec Corporation)
AppInit_DLLs-x32: C:\Windows\System32\PGPmapih.dll => C:\Windows\SysWOW64\PGPmapih.dll [49648 2011-09-19] (Symantec Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Endpoint Protector Notifier.lnk
ShortcutTarget: Endpoint Protector Notifier.lnk -> C:\Program Files\CoSoSys\Endpoint Protector\EPPNotifier.exe (CoSoSys)
ShellIconOverlayIdentifiers: IconOverlayHandlerAccessible -> {3DBF5F01-3287-46EB-82CF-45AA5C241162} => C:\Windows\system32\PGPfsshl.dll (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: IconOverlayHandlerAccessible -> {3DBF5F01-3287-46EB-82CF-45AA5C241162} => C:\Windows\SysWOW64\PGPfsshl.dll (Symantec Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USREL/1
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.100.45 192.168.100.51
Tcpip\..\Interfaces\{C6DE5743-409F-481B-8845-E5D1C70E6CEC}: [NameServer] 192.168.100.45,192.168.100.51
 
FireFox:
========
FF ProfilePath: C:\Users\bkneeland\AppData\Roaming\Mozilla\Firefox\Profiles\4d2jsxxg.default
FF NetworkProxy: "type", 0
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPEltr32.dll (UPS)
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2011-10-14]
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
 
Chrome: 
=======
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 cssguard; C:\Program Files\CoSoSys\Endpoint Protector\cssguard.exe [129032 2012-02-14] (CoSoSys)
S3 EhttpSrv; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [42336 2010-03-24] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [810120 2010-03-24] (ESET)
R2 Endpoint Protector; C:\Program Files\CoSoSys\Endpoint Protector\EPPservice.exe [72712 2012-02-14] (CoSoSys)
R2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1876816 2014-09-11] (SurfRight B.V.)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376168 2013-01-25] (LogMeIn, Inc.)
S4 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [148328 2013-01-25] (LogMeIn, Inc.)
S4 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2012-11-29] (LogMeIn, Inc.)
R2 NVIDIA Performance Driver Service; C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [4901888 2009-05-14] () [File not signed]
R2 NVWMI; C:\Windows\system32\nvwmi64.exe [1248544 2013-06-21] (NVIDIA Corporation)
S3 Peachtree SmartPosting 2011; C:\Program Files (x86)\Sage\Peachtree\SmartPostingService2011.exe [43848 2011-10-25] (Sage Software, Inc.)
R2 PGP RDD Service; C:\Program Files (x86)\PGP Corporation\PGP Desktop\RDDService.exe [1588456 2011-09-19] (Symantec Corporation)
R2 psqlWGE; C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe [435496 2010-04-10] (Pervasive Software Inc.)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [163888 2010-03-24] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [139704 2010-03-24] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [124760 2010-03-24] (ESET)
R2 hmpalert; C:\Windows\System32\drivers\hmpalert.sys [93144 2014-09-11] ()
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [15928 2012-11-29] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
R2 PGPdisk; C:\Windows\System32\Drivers\PGPdisk.sys [273760 2011-09-19] (Symantec Corporation)
R0 pgpfs; C:\Windows\System32\Drivers\PGPfsfd.sys [175880 2011-09-19] (Symantec Corporation)
R2 PGPsdkDriver; C:\Windows\System32\Drivers\PGPsdk.sys [51768 2011-09-19] (Symantec Corporation)
R0 PGPwded; C:\Windows\System32\Drivers\PGPwded.sys [366960 2011-09-19] (Symantec Corporation)
R0 Pgpwdefs; C:\Windows\System32\DRIVERS\Pgpwdefs.sys [15752 2011-09-19] (Symantec Corporation)
R2 sieflt; C:\Windows\System32\DRIVERS\sieflt.sys [40376 2012-02-14] (CoSoSys Ltd.)
U3 TrueSight; C:\Windows\SysWOW64\drivers\TrueSight.sys [33512 2014-09-11] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-11 15:08 - 2014-09-11 15:08 - 00000000 ____D () C:\FRST
2014-09-11 15:01 - 2014-09-11 15:02 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\ABrennan\Downloads\tdsskiller.exe
2014-09-11 14:45 - 2014-09-11 14:45 - 00008711 _____ () C:\Users\bkneeland\Desktop\attach.txt
2014-09-11 14:45 - 2014-09-11 14:44 - 00014379 _____ () C:\Users\bkneeland\Desktop\dds.txt
2014-09-11 14:37 - 2014-09-11 14:37 - 00509440 _____ (Tech Support Guy System) C:\Users\ABrennan\Downloads\SysInfo.exe
2014-09-11 14:25 - 2014-09-11 14:25 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-09-11 14:23 - 2014-09-11 14:23 - 02347384 _____ (ESET) C:\Users\ABrennan\Downloads\esetsmartinstaller_enu.exe
2014-09-11 14:15 - 2014-09-11 14:15 - 00688992 ____R (Swearware) C:\Users\ABrennan\Downloads\dds.scr
2014-09-11 13:50 - 2014-09-11 13:53 - 00000000 ____D () C:\AdwCleaner
2014-09-11 13:48 - 2014-09-11 13:50 - 00002120 _____ () C:\Users\bkneeland\Desktop\Rkill.txt
2014-09-11 13:47 - 2014-09-11 13:47 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\ABrennan\Downloads\rkill.exe
2014-09-11 13:47 - 2014-09-11 13:47 - 01370467 _____ () C:\Users\ABrennan\Downloads\AdwCleaner.exe
2014-09-11 13:36 - 2014-09-11 13:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2014-09-11 13:36 - 2014-09-11 13:36 - 00000000 ____D () C:\Program Files\HitmanPro
2014-09-11 13:35 - 2014-09-11 15:05 - 00000000 ____D () C:\Windows\CryptoGuard
2014-09-11 13:35 - 2014-09-11 13:44 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-09-11 13:35 - 2014-09-11 13:35 - 00548424 _____ (SurfRight) C:\Windows\system32\hmpalert.dll
2014-09-11 13:35 - 2014-09-11 13:35 - 00477008 _____ (SurfRight) C:\Windows\SysWOW64\hmpalert.dll
2014-09-11 13:35 - 2014-09-11 13:35 - 00093144 _____ () C:\Windows\system32\Drivers\hmpalert.sys
2014-09-11 13:35 - 2014-09-11 13:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert
2014-09-11 13:35 - 2014-09-11 13:35 - 00000000 ____D () C:\Program Files (x86)\HitmanPro.Alert
2014-09-11 13:12 - 2014-09-11 14:15 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-09-11 13:10 - 2014-09-11 13:11 - 01876816 _____ (SurfRight B.V.) C:\Users\ABrennan\Downloads\hmpalert.exe
2014-09-11 13:10 - 2014-09-11 13:10 - 11194928 _____ (SurfRight B.V.) C:\Users\ABrennan\Downloads\HitmanPro_x64.exe
2014-09-11 13:08 - 2014-09-11 13:08 - 00000000 ____D () C:\antirootkit
2014-09-11 12:59 - 2014-09-11 13:01 - 14349744 _____ (Malwarebytes Corp.) C:\Users\ABrennan\Downloads\mbar-1.07.0.1012.exe
2014-09-11 12:59 - 2014-09-11 12:59 - 00033512 _____ () C:\Windows\SysWOW64\Drivers\TrueSight.sys
2014-09-11 12:59 - 2014-09-11 12:59 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-09-11 12:58 - 2014-09-11 12:58 - 04859480 _____ () C:\Users\ABrennan\Downloads\RogueKiller.exe
2014-09-11 12:40 - 2014-09-11 12:40 - 00021986 _____ () C:\ComboFix.txt
2014-09-11 12:35 - 2014-09-11 12:35 - 00000000 ____D () C:\Users\bkneeland\Documents\PGP
2014-09-11 12:35 - 2014-09-11 12:35 - 00000000 ____D () C:\Users\bkneeland\AppData\Roaming\PGP Corporation
2014-09-11 12:35 - 2014-09-11 12:35 - 00000000 ____D () C:\Users\bkneeland\AppData\Roaming\Intel Corporation
2014-09-11 12:33 - 2014-09-11 12:33 - 00001445 _____ () C:\Users\bkneeland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-09-11 12:33 - 2014-09-11 12:33 - 00001411 _____ () C:\Users\bkneeland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2014-09-11 12:32 - 2014-09-11 12:32 - 00000000 ____D () C:\Users\bkneeland\AppData\Local\VirtualStore
2014-09-11 12:31 - 2014-09-11 12:31 - 00000000 ____D () C:\Users\bkneeland\AppData\Roaming\Windows Small Business Server
2014-09-11 12:30 - 2014-09-11 12:30 - 00002520 __RSH () C:\Users\bkneeland\ntuser.pol
2014-09-11 11:42 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-09-11 11:42 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-09-11 11:42 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-09-11 11:42 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-09-11 11:42 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-09-11 11:42 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-09-11 11:42 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-09-11 11:42 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-09-11 11:41 - 2014-09-11 12:40 - 00000000 ____D () C:\Qoobox
2014-09-11 11:40 - 2014-09-11 12:38 - 00000000 ____D () C:\Windows\erdnt
2014-09-11 11:39 - 2014-09-11 11:39 - 05576769 ____R (Swearware) C:\Users\ABrennan\Downloads\ComboFix.exe
2014-09-11 11:31 - 2014-09-11 11:31 - 05576769 _____ (Swearware) C:\Users\ABrennan\Downloads\Unconfirmed 194434.crdownload
2014-09-11 11:31 - 2014-09-11 11:31 - 00007622 _____ () C:\Users\bkneeland\AppData\Local\Resmon.ResmonCfg
2014-09-11 11:01 - 2014-09-11 13:57 - 00128728 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-11 11:00 - 2014-09-11 13:57 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-11 11:00 - 2014-09-11 11:00 - 00001104 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-11 11:00 - 2014-09-11 11:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-11 11:00 - 2014-09-11 11:00 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-11 11:00 - 2014-09-11 11:00 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-11 11:00 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-11 11:00 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-09-11 10:56 - 2014-09-11 10:58 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\ABrennan\Downloads\mbam-setup-2.0.2.1012.exe
2014-09-11 10:43 - 2014-09-11 10:46 - 00430080 _____ () C:\Users\ABrennan\Downloads\UPHClean-Setup.msi
2014-09-11 10:36 - 2014-05-14 12:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2014-09-11 10:36 - 2014-05-14 12:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2014-09-11 10:36 - 2014-05-14 12:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2014-09-11 10:36 - 2014-05-14 12:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2014-09-11 10:36 - 2014-05-14 12:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2014-09-11 10:36 - 2014-05-14 12:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2014-09-11 10:36 - 2014-05-14 12:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2014-09-11 10:36 - 2014-05-14 12:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2014-09-11 10:36 - 2014-05-14 12:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2014-09-11 10:36 - 2014-05-14 12:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2014-09-11 10:33 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2014-09-11 10:33 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2014-09-11 10:33 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2014-09-11 10:33 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2014-09-11 10:13 - 2014-09-11 10:13 - 00000000 ___HD () C:\Windows\system32\CanonMF Uninstaller Information
2014-09-11 10:13 - 2014-09-11 10:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon
2014-09-11 10:13 - 2013-02-25 19:31 - 00374272 _____ (CANON INC.) C:\Windows\system32\CNCC530.DLL
2014-09-11 10:13 - 2013-02-25 19:31 - 00189952 _____ (CANON INC.) C:\Windows\system32\CNCLSU44c.DLL
2014-09-11 10:13 - 2013-02-25 19:31 - 00152576 _____ (CANON INC.) C:\Windows\system32\CNCE530.DLL
2014-09-11 10:13 - 2013-02-25 19:31 - 00134144 _____ (CANON INC.) C:\Windows\system32\CNCL530.DLL
2014-09-11 10:13 - 2013-02-25 19:31 - 00132096 _____ (CANON INC.) C:\Windows\system32\CNCLSD44c.DLL
2014-09-11 10:13 - 2013-02-25 19:31 - 00118272 _____ (CANON INC.) C:\Windows\system32\CNCLSI44c.DLL
2014-09-11 10:13 - 2013-02-25 19:31 - 00118272 _____ (CANON INC.) C:\Windows\system32\CNCI530.DLL
2014-09-11 10:13 - 2013-02-25 19:31 - 00105472 _____ (CANON INC.) C:\Windows\system32\CNCLST44c.DLL
2014-09-11 10:13 - 2013-02-25 19:31 - 00090624 _____ (CANON INC.) C:\Windows\system32\CNCLSC44c.DLL
2014-09-11 10:13 - 2012-01-19 15:15 - 00000487 _____ () C:\Windows\system32\CNCMFP44.INI
2014-09-11 10:12 - 2014-09-11 10:12 - 00000000 ____D () C:\Program Files\Canon
2014-09-11 10:12 - 2012-08-09 12:59 - 01006080 _____ (CANON INC.) C:\Windows\system32\CNAS0MOK.DLL
2014-09-11 10:11 - 2014-09-11 10:11 - 00000000 ____D () C:\Users\ABrennan\Downloads\D560_D530_MFDrivers_W64_us_EN_3
2014-09-11 10:04 - 2014-09-11 10:05 - 32214592 _____ () C:\Users\ABrennan\Downloads\D560_D530_MFDrivers_W64_us_EN_3.exe
2014-09-02 10:16 - 2014-09-02 10:16 - 00038400 _____ () C:\Users\ABrennan\Downloads\s-pme-com-base.xls
2014-08-20 09:51 - 2014-08-20 09:51 - 00000000 ____D () C:\Users\SBSAdmin\Documents\PGP
2014-08-20 09:51 - 2014-08-20 09:51 - 00000000 ____D () C:\Users\SBSAdmin\AppData\Roaming\PGP Corporation
2014-08-20 09:51 - 2014-08-20 09:51 - 00000000 ____D () C:\Users\SBSAdmin\AppData\Local\PGP Corporation
2014-08-20 09:51 - 2014-08-20 09:51 - 00000000 ____D () C:\Users\SBSAdmin\AppData\Local\LogMeIn
2014-08-20 09:50 - 2014-08-20 09:50 - 00001411 _____ () C:\Users\SBSAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2014-08-20 09:49 - 2014-08-20 09:50 - 00001445 _____ () C:\Users\SBSAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-08-20 09:49 - 2014-08-20 09:49 - 00000000 ____D () C:\Users\SBSAdmin\AppData\Local\VirtualStore
2014-08-14 17:10 - 2014-08-14 17:10 - 00396801 _____ () C:\Users\ABrennan\Downloads\UpsExperts-Aug-14-2014.csv
2014-08-14 10:32 - 2014-08-14 10:32 - 00003118 _____ () C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe
2014-08-14 10:32 - 2014-08-14 10:32 - 00003092 _____ () C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe
2014-08-14 10:32 - 2014-08-14 10:32 - 00003090 _____ () C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_itype_exe
2014-08-14 10:32 - 2014-08-14 10:32 - 00003062 _____ () C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe
2014-08-14 10:32 - 2014-08-14 10:32 - 00003060 _____ () C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe
2014-08-14 10:32 - 2014-08-14 10:32 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_point64_01011.Wdf
2014-08-14 10:32 - 2014-08-14 10:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Mouse and Keyboard Center
2014-08-14 10:31 - 2014-08-14 10:31 - 00000000 ____D () C:\Program Files\Microsoft Mouse and Keyboard Center
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-09-11 15:08 - 2014-09-11 15:08 - 00000000 ____D () C:\FRST
2014-09-11 15:05 - 2014-09-11 13:35 - 00000000 ____D () C:\Windows\CryptoGuard
2014-09-11 15:05 - 2012-07-06 13:32 - 00000073 ___SH () C:\Windows\system32\cs4060f8epp_192.168.100.247.dat
2014-09-11 15:02 - 2014-09-11 15:01 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\ABrennan\Downloads\tdsskiller.exe
2014-09-11 14:51 - 2014-05-13 16:59 - 00000580 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2085502815-2282799138-214299463-2647.job
2014-09-11 14:45 - 2014-09-11 14:45 - 00008711 _____ () C:\Users\bkneeland\Desktop\attach.txt
2014-09-11 14:44 - 2014-09-11 14:45 - 00014379 _____ () C:\Users\bkneeland\Desktop\dds.txt
2014-09-11 14:41 - 2012-07-26 09:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-11 14:38 - 2009-07-14 01:10 - 02056749 _____ () C:\Windows\WindowsUpdate.log
2014-09-11 14:37 - 2014-09-11 14:37 - 00509440 _____ (Tech Support Guy System) C:\Users\ABrennan\Downloads\SysInfo.exe
2014-09-11 14:28 - 2012-03-20 09:03 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-2647UA.job
2014-09-11 14:28 - 2012-03-20 09:03 - 00000868 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-2647Core.job
2014-09-11 14:25 - 2014-09-11 14:25 - 00000000 ____D () C:\Program Files (x86)\ESET
2014-09-11 14:23 - 2014-09-11 14:23 - 02347384 _____ (ESET) C:\Users\ABrennan\Downloads\esetsmartinstaller_enu.exe
2014-09-11 14:15 - 2014-09-11 14:15 - 00688992 ____R (Swearware) C:\Users\ABrennan\Downloads\dds.scr
2014-09-11 14:15 - 2014-09-11 13:12 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-09-11 14:14 - 2011-12-27 14:18 - 00000928 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-6711UA.job
2014-09-11 14:02 - 2009-07-14 01:13 - 00732424 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-11 14:02 - 2009-07-14 00:45 - 00014256 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-11 14:02 - 2009-07-14 00:45 - 00014256 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-11 13:57 - 2014-09-11 11:01 - 00128728 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-11 13:57 - 2014-09-11 11:00 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-11 13:55 - 2011-06-06 12:58 - 00000120 _____ () C:\Windows\system32\config\netlogon.ftl
2014-09-11 13:55 - 2010-12-09 14:36 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-09-11 13:55 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-11 13:55 - 2009-07-14 00:51 - 00059836 _____ () C:\Windows\setupact.log
2014-09-11 13:54 - 2010-12-09 14:34 - 00120070 _____ () C:\Windows\PFRO.log
2014-09-11 13:53 - 2014-09-11 13:50 - 00000000 ____D () C:\AdwCleaner
2014-09-11 13:50 - 2014-09-11 13:48 - 00002120 _____ () C:\Users\bkneeland\Desktop\Rkill.txt
2014-09-11 13:47 - 2014-09-11 13:47 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\ABrennan\Downloads\rkill.exe
2014-09-11 13:47 - 2014-09-11 13:47 - 01370467 _____ () C:\Users\ABrennan\Downloads\AdwCleaner.exe
2014-09-11 13:44 - 2014-09-11 13:35 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-09-11 13:36 - 2014-09-11 13:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2014-09-11 13:36 - 2014-09-11 13:36 - 00000000 ____D () C:\Program Files\HitmanPro
2014-09-11 13:35 - 2014-09-11 13:35 - 00548424 _____ (SurfRight) C:\Windows\system32\hmpalert.dll
2014-09-11 13:35 - 2014-09-11 13:35 - 00477008 _____ (SurfRight) C:\Windows\SysWOW64\hmpalert.dll
2014-09-11 13:35 - 2014-09-11 13:35 - 00093144 _____ () C:\Windows\system32\Drivers\hmpalert.sys
2014-09-11 13:35 - 2014-09-11 13:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro.Alert
2014-09-11 13:35 - 2014-09-11 13:35 - 00000000 ____D () C:\Program Files (x86)\HitmanPro.Alert
2014-09-11 13:11 - 2014-09-11 13:10 - 01876816 _____ (SurfRight B.V.) C:\Users\ABrennan\Downloads\hmpalert.exe
2014-09-11 13:10 - 2014-09-11 13:10 - 11194928 _____ (SurfRight B.V.) C:\Users\ABrennan\Downloads\HitmanPro_x64.exe
2014-09-11 13:08 - 2014-09-11 13:08 - 00000000 ____D () C:\antirootkit
2014-09-11 13:01 - 2014-09-11 12:59 - 14349744 _____ (Malwarebytes Corp.) C:\Users\ABrennan\Downloads\mbar-1.07.0.1012.exe
2014-09-11 12:59 - 2014-09-11 12:59 - 00033512 _____ () C:\Windows\SysWOW64\Drivers\TrueSight.sys
2014-09-11 12:59 - 2014-09-11 12:59 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-09-11 12:58 - 2014-09-11 12:58 - 04859480 _____ () C:\Users\ABrennan\Downloads\RogueKiller.exe
2014-09-11 12:55 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-09-11 12:40 - 2014-09-11 12:40 - 00021986 _____ () C:\ComboFix.txt
2014-09-11 12:40 - 2014-09-11 11:41 - 00000000 ____D () C:\Qoobox
2014-09-11 12:40 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-09-11 12:38 - 2014-09-11 11:40 - 00000000 ____D () C:\Windows\erdnt
2014-09-11 12:35 - 2014-09-11 12:35 - 00000000 ____D () C:\Users\bkneeland\Documents\PGP
2014-09-11 12:35 - 2014-09-11 12:35 - 00000000 ____D () C:\Users\bkneeland\AppData\Roaming\PGP Corporation
2014-09-11 12:35 - 2014-09-11 12:35 - 00000000 ____D () C:\Users\bkneeland\AppData\Roaming\Intel Corporation
2014-09-11 12:33 - 2014-09-11 12:33 - 00001445 _____ () C:\Users\bkneeland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-09-11 12:33 - 2014-09-11 12:33 - 00001411 _____ () C:\Users\bkneeland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2014-09-11 12:33 - 2011-06-06 13:08 - 00000000 ____D () C:\Users\bkneeland
2014-09-11 12:32 - 2014-09-11 12:32 - 00000000 ____D () C:\Users\bkneeland\AppData\Local\VirtualStore
2014-09-11 12:32 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-09-11 12:31 - 2014-09-11 12:31 - 00000000 ____D () C:\Users\bkneeland\AppData\Roaming\Windows Small Business Server
2014-09-11 12:30 - 2014-09-11 12:30 - 00002520 __RSH () C:\Users\bkneeland\ntuser.pol
2014-09-11 12:05 - 2009-07-13 22:34 - 69730304 _____ () C:\Windows\system32\config\software.bak
2014-09-11 12:05 - 2009-07-13 22:34 - 15728640 _____ () C:\Windows\system32\config\system.bak
2014-09-11 12:05 - 2009-07-13 22:34 - 00524288 _____ () C:\Windows\system32\config\default.bak
2014-09-11 12:05 - 2009-07-13 22:34 - 00262144 _____ () C:\Windows\system32\config\security.bak
2014-09-11 11:39 - 2014-09-11 11:39 - 05576769 ____R (Swearware) C:\Users\ABrennan\Downloads\ComboFix.exe
2014-09-11 11:35 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-09-11 11:31 - 2014-09-11 11:31 - 05576769 _____ (Swearware) C:\Users\ABrennan\Downloads\Unconfirmed 194434.crdownload
2014-09-11 11:31 - 2014-09-11 11:31 - 00007622 _____ () C:\Users\bkneeland\AppData\Local\Resmon.ResmonCfg
2014-09-11 11:00 - 2014-09-11 11:00 - 00001104 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-11 11:00 - 2014-09-11 11:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-11 11:00 - 2014-09-11 11:00 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-11 11:00 - 2014-09-11 11:00 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-11 10:58 - 2014-09-11 10:56 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\ABrennan\Downloads\mbam-setup-2.0.2.1012.exe
2014-09-11 10:46 - 2014-09-11 10:43 - 00430080 _____ () C:\Users\ABrennan\Downloads\UPHClean-Setup.msi
2014-09-11 10:23 - 2012-04-25 11:19 - 00094504 _____ () C:\Users\bkneeland\AppData\Local\GDIPFONTCACHEV1.DAT
2014-09-11 10:19 - 2009-07-13 23:20 - 00000000 __RSD () C:\Windows\Media
2014-09-11 10:13 - 2014-09-11 10:13 - 00000000 ___HD () C:\Windows\system32\CanonMF Uninstaller Information
2014-09-11 10:13 - 2014-09-11 10:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon
2014-09-11 10:12 - 2014-09-11 10:12 - 00000000 ____D () C:\Program Files\Canon
2014-09-11 10:11 - 2014-09-11 10:11 - 00000000 ____D () C:\Users\ABrennan\Downloads\D560_D530_MFDrivers_W64_us_EN_3
2014-09-11 10:05 - 2014-09-11 10:04 - 32214592 _____ () C:\Users\ABrennan\Downloads\D560_D530_MFDrivers_W64_us_EN_3.exe
2014-09-11 09:30 - 2011-12-27 14:18 - 00000876 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-6711Core.job
2014-09-10 10:37 - 2012-07-26 09:04 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-09-10 10:37 - 2012-05-15 11:29 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-09-10 10:37 - 2012-05-15 11:29 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-09-02 10:16 - 2014-09-02 10:16 - 00038400 _____ () C:\Users\ABrennan\Downloads\s-pme-com-base.xls
2014-08-21 10:24 - 2013-06-05 12:31 - 00000000 ____D () C:\Users\ABrennan\AppData\Local\Paint.NET
2014-08-21 08:51 - 2012-03-09 11:57 - 00002924 __RSH () C:\Users\ABrennan\ntuser.pol
2014-08-21 08:51 - 2012-03-09 11:57 - 00000000 ____D () C:\Users\ABrennan
2014-08-20 09:51 - 2014-08-20 09:51 - 00000000 ____D () C:\Users\SBSAdmin\Documents\PGP
2014-08-20 09:51 - 2014-08-20 09:51 - 00000000 ____D () C:\Users\SBSAdmin\AppData\Roaming\PGP Corporation
2014-08-20 09:51 - 2014-08-20 09:51 - 00000000 ____D () C:\Users\SBSAdmin\AppData\Local\PGP Corporation
2014-08-20 09:51 - 2014-08-20 09:51 - 00000000 ____D () C:\Users\SBSAdmin\AppData\Local\LogMeIn
2014-08-20 09:51 - 2011-06-13 09:29 - 00094504 _____ () C:\Users\SBSAdmin\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-20 09:50 - 2014-08-20 09:50 - 00001411 _____ () C:\Users\SBSAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2014-08-20 09:50 - 2014-08-20 09:49 - 00001445 _____ () C:\Users\SBSAdmin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-08-20 09:49 - 2014-08-20 09:49 - 00000000 ____D () C:\Users\SBSAdmin\AppData\Local\VirtualStore
2014-08-19 09:08 - 2009-07-14 00:45 - 00359416 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-08-14 17:10 - 2014-08-14 17:10 - 00396801 _____ () C:\Users\ABrennan\Downloads\UpsExperts-Aug-14-2014.csv
2014-08-14 10:36 - 2012-03-09 11:59 - 00094504 _____ () C:\Users\ABrennan\AppData\Local\GDIPFONTCACHEV1.DAT
2014-08-14 10:32 - 2014-08-14 10:32 - 00003118 _____ () C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe
2014-08-14 10:32 - 2014-08-14 10:32 - 00003092 _____ () C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe
2014-08-14 10:32 - 2014-08-14 10:32 - 00003090 _____ () C:\Windows\System32\Tasks\Microsoft_Hardware_Launch_itype_exe
2014-08-14 10:32 - 2014-08-14 10:32 - 00003062 _____ () C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe
2014-08-14 10:32 - 2014-08-14 10:32 - 00003060 _____ () C:\Windows\System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe
2014-08-14 10:32 - 2014-08-14 10:32 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_Kernel_point64_01011.Wdf
2014-08-14 10:32 - 2014-08-14 10:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Mouse and Keyboard Center
2014-08-14 10:31 - 2014-08-14 10:31 - 00000000 ____D () C:\Program Files\Microsoft Mouse and Keyboard Center
2014-08-12 15:54 - 2014-05-13 16:59 - 00003610 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-2085502815-2282799138-214299463-2647
 
Some content of TEMP:
====================
C:\Users\bkneeland\AppData\Local\temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-09-06 00:06
 
==================== End Of Log ============================

addition.txt

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 10-09-2014
Ran by BKneeland at 2014-09-11 15:09:26
Running from \\FALCON\RedirectedFolders\ABrennan\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: ESET NOD32 Antivirus 4.2 (Enabled - Up to date) {CB0F8167-5331-BA19-698E-64816B6801A5}
AS: ESET NOD32 Antivirus 4.2 (Enabled - Up to date) {706E6083-750B-B597-533E-5FF310EF4B18}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Broadcom Management Programs (HKLM\...\{5DB87A63-9420-48CC-9F9A-B8801D38D6B5}) (Version: 12.35.01 - Broadcom Corporation)
Canon D530/D560 (HKLM\...\{50D00125-863A-47ee-BB02-9CB950BEDE16}) (Version: 4.1.0.1 - CANON INC.)
Citrix Online Launcher (HKLM-x32\...\{F17C3DC2-2ACA-4B0E-BDBF-ACE61B14E7CD}) (Version: 1.0.183 - Citrix)
Click-N-Ship for Business® (HKLM-x32\...\{15C77FC3-8137-4A5E-8F81-F559045DD6B0}) (Version: 4.1.450.0 - United States Postal Service)
Crystal Reports 2008 Runtime SP1 (HKLM-x32\...\{C484CC8D-03CF-4022-89C4-DB4F02E8A15B}) (Version: 12.1.0.882 - Business Objects)
CyberLink PowerDVD 9.5 (HKLM-x32\...\InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}) (Version: 9.5.1.3225 - CyberLink Corp.)
CyberLink PowerDVD 9.5 (x32 Version: 9.5.1.3225 - CyberLink Corp.) Hidden
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{A3AD381D-848C-4478-80DC-228E37309308}) (Version:  - Microsoft)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
Endpoint Protector (HKLM\...\{DD7C81D5-34CE-4EA9-9809-054027ACC7A9}) (Version: 4.0.38 - CoSoSys Ltd.)
ESET NOD32 Antivirus (HKLM\...\{EFF43CCD-6619-4781-915B-E8D167E9393A}) (Version: 4.2.40.0 - ESET, spol s r. o.)
Foxit PhantomPDF (HKLM\...\{6A4318B1-BB04-4DE4-88B0-3CEE13537BAF}) (Version: 5.4.0.902 - Foxit Corporation)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.225 - SurfRight B.V.)
HitmanPro.Alert (HKLM\...\HitmanPro.Alert) (Version: 2.6.5.77 - SurfRight B.V.)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.0.1014 - Intel Corporation)
Java 7 Update 60 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217060FF}) (Version: 7.0.600 - Oracle)
Java Auto Updater (x32 Version: 2.1.65.20 - Oracle, Inc.) Hidden
Java™ 6 Update 21 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416021FF}) (Version: 6.0.210 - Oracle)
Java™ 6 Update 24 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216021FF}) (Version: 6.0.240 - Oracle)
LogMeIn (HKLM-x32\...\{36E0F777-19FE-4454-BB2D-84206758EA85}) (Version: 4.1.2651 - LogMeIn, Inc.)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (Version: 2.3.188.0 - Microsoft Corporation) Hidden
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office 2010 Service Pack 1 (SP1) (x32 Version:  - Microsoft) Hidden
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Business 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Mozilla Firefox 11.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 11.0 (x86 en-US)) (Version: 11.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NVIDIA 3D Vision Controller Driver 320.49 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 320.49 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 320.49 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 320.49 - NVIDIA Corporation)
NVIDIA Control Panel 320.49 (Version: 320.49 - NVIDIA Corporation) Hidden
NVIDIA Graphics Driver 320.49 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 320.49 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.124.810 - NVIDIA Corporation) Hidden
NVIDIA nView 140.62 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NView) (Version: 140.62 - NVIDIA Corporation)
NVIDIA nView Desktop Manager (Version: 125.14 - NVIDIA Corporation) Hidden
NVIDIA Performance Drivers (HKLM\...\{4C0A8D65-4286-4B58-87FE-18AD24289285}) (Version: 2.0.0.18 - NVIDIA Corporation)
NVIDIA Stereoscopic 3D Driver (x32 Version: 7.17.13.2049 - NVIDIA Corporation) Hidden
NVIDIA WMI 2.12.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVWMI) (Version: 2.12.0 - NVIDIA Corporation)
Paint.NET v3.5.10 (HKLM\...\{529125EF-E3AC-4B74-97E6-F688A7C0F1C0}) (Version: 3.60.0 - dotPDN LLC)
Peachtree Accounting 2011 (HKLM-x32\...\InstallShield_{FC87D80E-5BC6-4EE8-9B09-EBA4F9C0A1C2}) (Version: 18.00.00 - Sage Software, Inc.)
Peachtree Accounting 2011 (x32 Version: 18.00.00 - Sage Software, Inc.) Hidden
PeachTree Signature Ready Forms (x32 Version: 6.11.1 - Sage Software SB, Inc.) Hidden
Pervasive PSQL v10 SP2 Workgroup (32-bit) (HKLM-x32\...\Pervasive PSQL v10 SP2 Workgroup (32-bit)) (Version: 10.10.126 - Pervasive Software)
Pervasive PSQL v10 SP2 Workgroup (32-bit) (x32 Version: 10.20.034 - Pervasive Software) Hidden
PGP Desktop (HKLM\...\{095189BC-4BDA-4D98-B15C-538F2010588C}) (Version: 10.2.0.1950 - PGP Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5919 - Realtek Semiconductor Corp.)
Sage Integration Services (HKLM-x32\...\Integration Services) (Version: 2.2.2240 - Sage Technology)
Sage Message Center (x32 Version: 2.00.0000 - Sage Software Inc.) Hidden
Stamps.com (x32 Version: 11.1.0.2691 - Stamps.com, Inc.) Hidden
Stamps.com Application Support for Microsoft Word 2000-2010 (x32 Version: 8.7.0.1506 - Stamps.com, Inc.) Hidden
Stamps.com support for Microsoft Word 2000-2010 (HKLM-x32\...\Stamps.com support for Microsoft Word 2000-2010) (Version:  - Stamps.com, Inc.)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2533523) (Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (HKLM-x32\...\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2600217) (Version: 1 - Microsoft Corporation)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B4A38370-2ADB-46B0-A1B0-0C4A2F7DCA31}) (Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{D3C85176-ACCC-4AF0-817D-1BC803303B74}) (Version:  - Microsoft)
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{4EEA3D3E-989C-4DF4-AB0A-3042C0C12AA3}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2494150) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{3FCFD88F-4D13-4F38-8625-ABABEA7F61EA}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553065) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{A8686D24-1E89-43A1-973E-05A258D2B3F8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{18B3CF2A-73F7-4716-B1AE-86D68726D408}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition (HKLM-x32\...\{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{73E67A3A-8D61-44EF-90C2-1697C3DBE668}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2566458) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{EFB525A0-E1C0-4E32-9968-FE401BC87363}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DADF7E25-FFA4-4D02-BE84-1DAE62C18516}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{F4284D93-7AE8-4309-8CF3-9AD394F35F3A}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{287A1E92-9E41-4BC1-8920-B3D0E9220800}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{ED31DE9A-3E13-4E2C-9106-E0D8AFFB9FA6}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{9D69691D-823D-4C3E-9B12-563A3F520366}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{B1FA5E8C-2342-45AF-8A62-5E860042F8DF}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{ECFE33A3-B8B7-439A-ADE4-59FBD29EF9B8}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{35698CB7-AAA2-4577-B505-DBFF504AEF23}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{9CFD026D-EB1C-48C2-9DD2-8E8875F251B2}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{5AA578BB-759C-40FD-9661-A737C0884541}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{83B1B530-7D9E-4C6A-907F-E979CEE9C295}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition (HKLM-x32\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{82F87E28-B18E-46D6-A399-E2F19CF5949B}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition (HKLM-x32\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{5E8EB600-8B94-429E-873E-98369C6DC1BC}) (Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{EFF5EBA3-40AD-4859-85E7-3C1CF4F297EB}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition (HKLM-x32\...\{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{9865DC3A-2898-48D9-B96A-46397571C934}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{51CCA922-A0CC-47C4-8910-6936D97CAC2E}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{DCE104A1-1875-4469-A83D-A5BFA6C4640F}) (Version:  - Microsoft)
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{2AB483F1-C86E-427A-83B4-23889B03512D}) (Version:  - Microsoft)
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (HKLM-x32\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{1EEFF749-6F29-4F0B-AB08-4C6EA52AA110}) (Version:  - Microsoft)
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{BC6DFBFD-16DD-47E1-A7EF-2C062930FA4F}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM-x32\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{334AA0A1-2BB1-4D74-B66A-2B2C4D9C2C87}) (Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{2BA40F82-F3A4-441C-BF1A-ED4C42FF4872}) (Version:  - Microsoft)
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition (HKLM-x32\...\{90140000-002A-0000-1000-0000000FF1CE}_Office14.SingleImage_{F9F5A080-AF38-4966-9A6B-C43DCA465035}) (Version:  - Microsoft)
Update for Microsoft Visio 2010 (KB2553444) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{799005D3-9B70-4219-AFE0-BC479614CC4D}) (Version:  - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{8C55AA83-54C2-4236-A622-78440A411DC5}) (Version:  - Microsoft)
UPS Thermal Printer Plugin - Version 8.10 (HKLM-x32\...\{BB2F9840-531D-4C8E-9F19-A101ECD9ABC0}) (Version:  - )
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Small Business Server 2008 ClientAgent (HKLM\...\{E4FF4DF1-F99C-49AC-B398-BE0887432846}) (Version: 6.0.5601.0 - Microsoft Corporation)
Yahoo! Detect (HKLM-x32\...\YTdetect) (Version:  - )
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-2085502815-2282799138-214299463-2647_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\ABrennan\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2085502815-2282799138-214299463-2647_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\ABrennan\AppData\Local\Citrix\GoToMeeting\1350\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-2085502815-2282799138-214299463-2647_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\ABrennan\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2085502815-2282799138-214299463-2647_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\ABrennan\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2085502815-2282799138-214299463-2647_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\ABrennan\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
 
==================== Restore Points  =========================
 
01-08-2014 04:00:05 Scheduled Checkpoint
08-08-2014 04:00:08 Scheduled Checkpoint
14-08-2014 14:29:16 DCInstallRestorePoint
20-08-2014 08:56:08 Windows Update
28-08-2014 04:00:04 Scheduled Checkpoint
05-09-2014 04:00:03 Scheduled Checkpoint
11-09-2014 14:30:58 Windows Update
11-09-2014 14:46:53 Installed User Profile Hive Cleanup Service
11-09-2014 17:25:25 Malwarebytes Anti-Rootkit Restore Point
11-09-2014 17:43:20 Checkpoint by HitmanPro
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:34 - 2014-09-11 12:32 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {13FAF6BE-F234-42D0-8513-B8C2A459FBC4} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-2647Core => C:\Users\ABrennan\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-20] (Google Inc.)
Task: {190E81EB-5098-4465-9D07-69357A516CD5} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-6711Core => C:\Users\arodriguez\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-27] (Google Inc.)
Task: {1D595F95-8B30-4853-B2CD-BCDF56205F00} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {27F8FAD3-106D-4A9F-BE4F-836B781D473A} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {4F5DB703-73CA-4C9E-9984-11EA4B64E3BB} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {771AE884-8AC7-4D28-9EE1-76FF5DB0751B} - System32\Tasks\G2MUpdateTask-S-1-5-21-2085502815-2282799138-214299463-2647 => C:\Users\ABrennan\AppData\Local\Citrix\GoToMeeting\1558\g2mupdate.exe [2014-08-12] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {80D8DF0D-0AB1-4886-9461-8CAAAEE80D40} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2014-03-19] (Microsoft)
Task: {88DA4271-66AD-4F7A-808A-94B6EE6BCB2D} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {A1DBF68B-E61B-4300-8C74-ADD70856960D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-10] (Adobe Systems Incorporated)
Task: {B4C16212-D7C1-402A-8493-272DCED5C5D9} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-6711UA => C:\Users\arodriguez\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-27] (Google Inc.)
Task: {FEA59322-88A9-4A57-B35F-48D772EEFB17} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-2647UA => C:\Users\ABrennan\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-20] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2085502815-2282799138-214299463-2647.job => C:\Users\ABrennan\AppData\Local\Citrix\GoToMeeting\1558\g2mupdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-2647Core.job => C:\Users\ABrennan\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-2647UA.job => C:\Users\ABrennan\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-6711Core.job => C:\Users\arodriguez\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2085502815-2282799138-214299463-6711UA.job => C:\Users\arodriguez\AppData\Local\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2013-08-20 11:16 - 2013-06-21 06:23 - 00087328 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2009-05-14 13:01 - 2009-05-14 13:01 - 04901888 _____ () C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
2014-05-09 09:53 - 2014-05-09 09:53 - 00170496 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\bfd5296be62268bc7a31a424f0d1ad5f\IsdiInterop.ni.dll
2010-12-09 12:51 - 2010-03-03 22:08 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2014-09-05 09:09 - 2014-08-29 22:49 - 01098056 _____ () C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\37.0.2062.103\libglesv2.dll
2014-09-05 09:09 - 2014-08-29 22:49 - 00174408 _____ () C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\37.0.2062.103\libegl.dll
2014-09-05 09:09 - 2014-08-29 22:49 - 08577864 _____ () C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\37.0.2062.103\pdf.dll
2014-09-05 09:09 - 2014-08-29 22:49 - 00331592 _____ () C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\37.0.2062.103\ppGoogleNaClPluginChrome.dll
2014-09-05 09:09 - 2014-08-29 22:49 - 01660232 _____ () C:\Users\ABrennan\AppData\Local\Google\Chrome\Application\37.0.2062.103\ffmpegsumo.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cssguard => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Endpoint Protector => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cssguard => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Endpoint Protector => ""="Service"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
==================== Faulty Device Manager Devices =============
 
Name: Communications Port (COM1)
Description: Communications Port
Class Guid: {4d36e978-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard port types)
Service: Serial
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Canon D530/D560
Description: Canon D530/D560
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Canon
Service: usbscan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (09/11/2014 02:37:09 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error: (09/11/2014 02:24:58 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error: (09/11/2014 02:24:54 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.
 
Error: (09/11/2014 00:50:51 PM) (Source: Windows Search Service) (EventID: 3084) (User: )
Description: Failed to load protocol handler Csc. Error description: Illegal operation attempted on a registry key that has been marked for deletion.  (HRESULT : 0x800703fa).
 
Error: (09/11/2014 00:31:39 PM) (Source: Group Policy Registry) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply user policy settings for 'IE8_single_process_fix {7AB0CBAA-5577-40E8-8A84-B83740C9F868}' because it failed with error code '0x80070035 The network path was not found.'%apply00790275
 
Error: (09/11/2014 00:31:37 PM) (Source: Group Policy Drive Maps) (EventID: 8194) (User: NT AUTHORITY)
Description: The client-side extension could not apply user policy settings for 'IMEDECS Default SBSUsers Policy {680FF840-A972-4C10-A4A6-3BD0623A53E2}' because it failed with error code '0x80070035 The network path was not found.'%apply00790275
 
Error: (09/11/2014 00:31:35 PM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 502) (User: IMEDECS)
Description: Failed to apply policy and redirect folder "Desktop" to "\\FALCON\RedirectedFolders\bkneeland\Desktop".
 Redirection options=0x80009021.
 The following error occurred: "Failed to redirect because the destination directory "\\FALCON\RedirectedFolders\bkneeland\Desktop" is offline".
 Error details: "The network path was not found.
".
 
Error: (09/11/2014 00:31:35 PM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 502) (User: IMEDECS)
Description: Failed to apply policy and redirect folder "Documents" to "\\FALCON\RedirectedFolders\bkneeland\My Documents".
 Redirection options=0x80009021.
 The following error occurred: "Failed to redirect because the destination directory "\\FALCON\RedirectedFolders\bkneeland\My Documents" is offline".
 Error details: "The network path was not found.
".
 
Error: (09/11/2014 00:31:35 PM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 502) (User: IMEDECS)
Description: Failed to apply policy and redirect folder "Music" to "\\FALCON\RedirectedFolders\bkneeland\My Documents\My Music".
 Redirection options=0x80009021.
 The following error occurred: "Failed to redirect because the destination directory "\\FALCON\RedirectedFolders\bkneeland\My Documents\My Music" is offline".
 Error details: "The network path was not found.
".
 
Error: (09/11/2014 00:31:35 PM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 502) (User: IMEDECS)
Description: Failed to apply policy and redirect folder "Pictures" to "\\FALCON\RedirectedFolders\bkneeland\My Documents\My Pictures".
 Redirection options=0x80009021.
 The following error occurred: "Failed to redirect because the destination directory "\\FALCON\RedirectedFolders\bkneeland\My Documents\My Pictures" is offline".
 Error details: "The network path was not found.
".
 
 
System errors:
=============
Error: (09/11/2014 00:59:10 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\SysWow64\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
 
Error: (09/11/2014 00:48:38 PM) (Source: TermService) (EventID: 1067) (User: )
Description: The terminal server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted.
.
 
Error: (09/11/2014 00:46:33 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: IMEDECS)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (09/11/2014 00:46:25 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
 
Error: (09/11/2014 00:46:23 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain IMEDECS due to the following: 
%%1311
 
This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.
 
 
 
ADDITIONAL INFO
 
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.
 
Error: (09/11/2014 00:44:36 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (09/11/2014 00:31:36 PM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain IMEDECS due to the following: 
%%1311
 
This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.
 
 
 
ADDITIONAL INFO
 
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.
 
Error: (09/11/2014 00:13:29 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1058) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows attempted to read the file \\imedecs.com\SysVol\imedecs.com\Policies\{0FBF8453-51C6-4AC2-A7E4-7D4EAD117554}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following: 
a) Name Resolution/Network Connectivity to the current domain controller. 
B) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). 
c) The Distributed File System (DFS) client has been disabled.
 
Error: (09/11/2014 00:10:22 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (09/11/2014 00:04:56 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
 
Microsoft Office Sessions:
=========================
Error: (09/11/2014 02:37:09 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\ABrennan\Downloads\esetsmartinstaller_enu.exe
 
Error: (09/11/2014 02:24:58 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\ABrennan\Downloads\esetsmartinstaller_enu.exe
 
Error: (09/11/2014 02:24:54 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\ABrennan\Downloads\esetsmartinstaller_enu.exe
 
Error: (09/11/2014 00:50:51 PM) (Source: Windows Search Service) (EventID: 3084) (User: )
Description: CscIllegal operation attempted on a registry key that has been marked for deletion.  (HRESULT : 0x800703fa)
 
Error: (09/11/2014 00:31:39 PM) (Source: Group Policy Registry) (EventID: 8194) (User: NT AUTHORITY)
Description: applyuserIE8_single_process_fix {7AB0CBAA-5577-40E8-8A84-B83740C9F868}0x80070035 The network path was not found.
 
Error: (09/11/2014 00:31:37 PM) (Source: Group Policy Drive Maps) (EventID: 8194) (User: NT AUTHORITY)
Description: applyuserIMEDECS Default SBSUsers Policy {680FF840-A972-4C10-A4A6-3BD0623A53E2}0x80070035 The network path was not found.
 
Error: (09/11/2014 00:31:35 PM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 502) (User: IMEDECS)
Description: Desktop\\FALCON\RedirectedFolders\bkneeland\Desktop0x80009021Failed to redirect because the destination directory "\\FALCON\RedirectedFolders\bkneeland\Desktop" is offlineThe network path was not found.
 
Error: (09/11/2014 00:31:35 PM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 502) (User: IMEDECS)
Description: Documents\\FALCON\RedirectedFolders\bkneeland\My Documents0x80009021Failed to redirect because the destination directory "\\FALCON\RedirectedFolders\bkneeland\My Documents" is offlineThe network path was not found.
 
Error: (09/11/2014 00:31:35 PM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 502) (User: IMEDECS)
Description: Music\\FALCON\RedirectedFolders\bkneeland\My Documents\My Music0x80009021Failed to redirect because the destination directory "\\FALCON\RedirectedFolders\bkneeland\My Documents\My Music" is offlineThe network path was not found.
 
Error: (09/11/2014 00:31:35 PM) (Source: Microsoft-Windows-Folder Redirection) (EventID: 502) (User: IMEDECS)
Description: Pictures\\FALCON\RedirectedFolders\bkneeland\My Documents\My Pictures0x80009021Failed to redirect because the destination directory "\\FALCON\RedirectedFolders\bkneeland\My Documents\My Pictures" is offlineThe network path was not found.
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-09-11 15:01:28.691
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-11 14:47:18.988
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-11 14:40:42.693
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-11 14:20:31.190
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-11 14:15:18.022
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-11 13:55:04.540
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-11 13:46:25.455
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-09-11 11:59:54.532
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-09-11 11:59:54.454
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2011-06-13 09:39:48.863
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5 CPU 650 @ 3.20GHz
Percentage of memory in use: 71%
Total physical RAM: 1975.11 MB
Available physical RAM: 568.35 MB
Total Pagefile: 3950.23 MB
Available Pagefile: 1998.93 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:297.32 GB) (Free:236.2 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: EC0328C2)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=750 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=297.3 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 1.9 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=1.9 GB) - (Type=06)
 
==================== End Of Log ============================


#5 aharonov
  • Malware Response Team
  • 2,441 posts

Posted 11 September 2014 - 02:29 PM

Can you please post the log file from Malwarebytes Anti-Rootkit that shows this forged physical sector?

And in addition please do this:


Please download Emsisoft MBR Master and save it to your desktop.
  • Execute the mbrmastr.exe.
  • Click on Backup MBR and save it as emsi to your desktop.
  • Close the program.
  • Add the emsi.mbr that has been saved to a zip-archive (right-click on it -> Send To ->Compressed (zipped) folder) and attach this zip-file to your next post.
  • In addition there's a text file MBRMastr_<date>_<time>.txt on the desktop. Please copy and paste its contents in your next reply.

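Once the emsi.mbr backup exists, it is worth checking the saved sector against the partition layout FRST reported for Disk 0 and against a second backup taken after a reboot, since the complaint is that the detection returns on reboot. The Python below is an added example, not part of this thread and not Emsisoft's tool: it parses a 512-byte MBR image (boot code, disk signature, partition table, 0x55AA marker) and reports which region differs between two backups; the sample images are constructed inline to mirror the Disk 0 layout in the FRST log, and the file names in the usage comment are placeholders.

```python
import hashlib
import struct
import sys

SECTOR = 512
DISK_ID_OFFSET = 440          # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY = "<B3sB3sII"      # boot flag, CHS start, type, CHS end, LBA start, sector count
PART_TYPES = {0x00: "empty", 0x06: "FAT16", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x82: "Linux swap",
              0x83: "Linux", 0xDE: "Dell utility", 0xEE: "GPT protective"}


def parse_mbr(data: bytes) -> dict:
    """Split a 512-byte MBR image into boot code, disk signature and partition table."""
    if len(data) < SECTOR:
        raise ValueError(f"need at least {SECTOR} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, data, PART_TABLE_OFFSET + i * 16)
        partitions.append({
            "index": i + 1,
            "active": boot == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": count,
            "size_mb": round(count * SECTOR / 2 ** 20, 1),
        })
    return {
        "signature_ok": data[510:512] == b"\x55\xaa",
        "disk_id": struct.unpack_from("<I", data, DISK_ID_OFFSET)[0],
        "boot_code": bytes(data[:DISK_ID_OFFSET]),
        "boot_code_sha256": hashlib.sha256(data[:DISK_ID_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(before: bytes, after: bytes) -> list:
    """Report which MBR regions differ between two backups (empty list = identical)."""
    a, b = parse_mbr(before), parse_mbr(after)
    diffs = []
    if a["boot_code"] != b["boot_code"]:
        diffs.append("boot code differs")
    if a["disk_id"] != b["disk_id"]:
        diffs.append("disk signature differs")
    if a["partitions"] != b["partitions"]:
        diffs.append("partition table differs")
    if a["signature_ok"] != b["signature_ok"]:
        diffs.append("0x55AA end-of-sector marker differs")
    return diffs


def build_mbr(entries, disk_id: int, boot_code: bytes) -> bytes:
    """Constructed test image (layout only, no real boot code) for the checks above."""
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, DISK_ID_OFFSET, disk_id)
    lba = 2048
    for i, (active, ptype, sectors) in enumerate(entries):
        struct.pack_into(PART_ENTRY, img, PART_TABLE_OFFSET + i * 16,
                         0x80 if active else 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, sectors)
        lba += sectors
    img[510:512] = b"\x55\xaa"
    return bytes(img)


# Constructed samples mirroring Disk 0 in the FRST log above: 39 MB type DE (not active),
# 750 MB type 07 (active), 297.3 GB type 07 (not active); disk ID EC0328C2 is from the log.
DISK0_LAYOUT = [(False, 0xDE, 39 * 2048), (True, 0x07, 750 * 2048), (False, 0x07, 623483290)]
SAMPLE_BASELINE = build_mbr(DISK0_LAYOUT, 0xEC0328C2, b"CONSTRUCTED-BOOT-CODE-PLACEHOLDER")
# Same layout, different first bytes: what a backup taken after a reboot would look like
# if only the boot code region had been rewritten.
SAMPLE_AFTER_REBOOT = build_mbr(DISK0_LAYOUT, 0xEC0328C2, b"CONSTRUCTED-DIFFERENT-BOOT-BYTES")


def report(data: bytes) -> str:
    """Render the parsed table in the same shape as FRST's 'MBR & Partition Table' section."""
    p = parse_mbr(data)
    lines = [f"signature ok: {p['signature_ok']}  disk id: {p['disk_id']:08X}",
             f"boot code sha256: {p['boot_code_sha256']}"]
    for e in p["partitions"]:
        if e["type"] == 0x00:
            continue
        flag = "Active" if e["active"] else "Not Active"
        lines.append(f"Partition {e['index']}: ({flag}) - (Size={e['size_mb']} MB) - "
                     f"(Type={e['type']:02X} {e['type_name']})")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:           # usage: mbrcheck.py emsi_before.mbr emsi_after.mbr (placeholder names)
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            before, after = f1.read(), f2.read()
    else:
        before, after = SAMPLE_BASELINE, SAMPLE_AFTER_REBOOT
    print(report(before))
    print("differences after reboot:", compare_mbr(before, after) or "none")
```

A boot-code hash that changes between two backups while the partition table stays the same points at the first 440 bytes as the region being rewritten; a stable hash with a persisting detection suggests looking elsewhere (for example the partition type DE area or a hidden sector) rather than at the MBR itself.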

#6 bkneeland
  • Topic Starter
  • Members
  • 6 posts

Posted 11 September 2014 - 02:35 PM

Here is the log from Anti-Rootkit.

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 8.0.7601.17514
 
Java version: 1.6.0_24
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.192000 GHz
Memory total: 2071056384, free: 364216320
 
Downloaded database version: v2014.09.11.06
Downloaded database version: v2014.09.10.02
=======================================
Initializing...
------------ Kernel report ------------
     09/11/2014 13:12:08
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PGPfsfd.sys
\SystemRoot\system32\DRIVERS\Pgpwdefs.sys
\SystemRoot\System32\Drivers\PGPwded.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\ehdrv.sys
C:\Program Files\ESET\ESET NOD32 Antivirus\em006_64.dat
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\Drivers\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\lmimirr.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\eamonm.sys
\SystemRoot\system32\DRIVERS\sieflt.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\Drivers\PGPdisk.SYS
\SystemRoot\system32\DRIVERS\epfwwfpr.sys
\??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys
\??\C:\Windows\system32\drivers\LMIRfsDriver.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\PGPsdk.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\System32\drivers\rdpdr.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\drivers\tdtcp.sys
\SystemRoot\System32\DRIVERS\tssecsrv.sys
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\system32\DRIVERS\k57nd60a.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\SystemRoot\system32\drivers\spsys.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\wininet.dll
\Windows\System32\difxapi.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\oleaut32.dll
\Windows\System32\advapi32.dll
\Windows\System32\psapi.dll
\Windows\System32\comdlg32.dll
\Windows\System32\msctf.dll
\Windows\System32\normaliz.dll
\Windows\System32\sechost.dll
\Windows\System32\Wldap32.dll
\Windows\System32\ws2_32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\usp10.dll
\Windows\System32\imm32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\urlmon.dll
\Windows\System32\shell32.dll
\Windows\System32\clbcatq.dll
\Windows\System32\iertutil.dll
\Windows\System32\kernel32.dll
\Windows\System32\setupapi.dll
\Windows\System32\lpk.dll
\Windows\System32\gdi32.dll
\Windows\System32\nsi.dll
\Windows\System32\ole32.dll
\Windows\System32\user32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\wintrust.dll
\Windows\System32\devobj.dll
\Windows\System32\KernelBase.dll
\Windows\System32\comctl32.dll
\Windows\System32\crypt32.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa8005ad0060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\00000070\
Lower Device Object: 0xfffffa8005ad0b60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80028d6060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa80025ad050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80028d6060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80028d7030, DeviceName: Unknown, DriverName: \Driver\PGPwded\
DevicePointer: 0xfffffa80028d6b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80028d6060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80025ad050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: UNKNOWN
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
<<<3>>>
Volume: C:
File system type: UNKNOWN
Alternate device has been used.
<<<2>>>
<<<3>>>
Volume: C:
File system type: UNKNOWN
<<<2>>>
<<<3>>>
Volume: C:
File system type: UNKNOWN
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
<<<3>>>
Volume: C:
File system type: UNKNOWN
Alternate device has been used.
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: EC0328C2
 
Partition information:
 
    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262
 
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920  Numsec = 1536000
    Partition file system is NTFS
    Partition is bootable
Failed to read VBR on partition 1.
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1617920  Numsec = 623521792
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 320072933376 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-62-625122448-625142448)...
Sectors 625122448 - 625139711 --> [Forged physical sectors]
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa8005ad0060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8005ade030, DeviceName: Unknown, DriverName: \Driver\PGPwded\
DevicePointer: 0xfffffa8005accad0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa8005ad0060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8005ad0b60, DeviceName: \Device\00000070\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C3072E18
 
Partition information:
 
    Partition 0 type is Other (0x6)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 8064  Numsec = 3905664
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 2003828736 bytes
Sector size: 512 bytes
 
Done!
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-1025744009-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-625122448-u.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-625122448-k.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1012
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
 
Account is Administrative
 
Internet Explorer version: 8.0.7601.17514
 
Java version: 1.6.0_24
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.192000 GHz
Memory total: 2071056384, free: 820637696
 
=======================================
Initializing...
------------ Kernel report ------------
     09/11/2014 13:57:44
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\DRIVERS\iaStor.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\PGPfsfd.sys
\SystemRoot\system32\DRIVERS\Pgpwdefs.sys
\SystemRoot\System32\Drivers\PGPwded.sys
\SystemRoot\System32\Drivers\PxHlpa64.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\ehdrv.sys
C:\Program Files\ESET\ESET NOD32 Antivirus\em006_64.dat
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\Drivers\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\HECIx64.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\k57nd60a.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\lmimirr.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_iaStor.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\eamonm.sys
\SystemRoot\system32\DRIVERS\sieflt.sys
\SystemRoot\System32\drivers\hmpalert.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\Drivers\PGPdisk.SYS
\SystemRoot\system32\DRIVERS\epfwwfpr.sys
\??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys
\??\C:\Windows\system32\drivers\LMIRfsDriver.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\PGPsdk.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\System32\drivers\rdpdr.sys
\SystemRoot\system32\drivers\tdtcp.sys
\SystemRoot\System32\DRIVERS\tssecsrv.sys
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\system32\drivers\spsys.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\imm32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\oleaut32.dll
\Windows\System32\msctf.dll
\Windows\System32\nsi.dll
\Windows\System32\advapi32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\psapi.dll
\Windows\System32\clbcatq.dll
\Windows\System32\ws2_32.dll
\Windows\System32\normaliz.dll
\Windows\System32\lpk.dll
\Windows\System32\shlwapi.dll
\Windows\System32\shell32.dll
\Windows\System32\kernel32.dll
\Windows\System32\sechost.dll
\Windows\System32\comdlg32.dll
\Windows\System32\Wldap32.dll
\Windows\System32\gdi32.dll
\Windows\System32\iertutil.dll
\Windows\System32\setupapi.dll
\Windows\System32\difxapi.dll
\Windows\System32\ole32.dll
\Windows\System32\user32.dll
\Windows\System32\urlmon.dll
\Windows\System32\imagehlp.dll
\Windows\System32\usp10.dll
\Windows\System32\wininet.dll
\Windows\System32\wintrust.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\KernelBase.dll
\Windows\System32\crypt32.dll
\Windows\System32\devobj.dll
\Windows\System32\comctl32.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa80056c9790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000007b\
Lower Device Object: 0xfffffa80056c9060
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80028d9060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IAAStorageDevice-1\
Lower Device Object: 0xfffffa80025af050
Lower Device Driver Name: \Driver\iaStor\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80028d9060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80028da030, DeviceName: Unknown, DriverName: \Driver\PGPwded\
DevicePointer: 0xfffffa80028d9b90, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80028d9060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80025af050, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: UNKNOWN
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
<<<3>>>
Volume: C:
File system type: UNKNOWN
Alternate device has been used.
<<<2>>>
<<<3>>>
Volume: C:
File system type: UNKNOWN
<<<2>>>
<<<3>>>
Volume: C:
File system type: UNKNOWN
Can't access volume using primary device, the volume might be encrypted.
<<<2>>>
<<<3>>>
Volume: C:
File system type: UNKNOWN
Alternate device has been used.
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: EC0328C2
 
Partition information:
 
    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262
 
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920  Numsec = 1536000
    Partition file system is NTFS
    Partition is bootable
Failed to read VBR on partition 1.
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 1617920  Numsec = 623521792
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 320072933376 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-62-625122448-625142448)...
Sectors 625122448 - 625139711 --> [Forged physical sectors]
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xfffffa80056c9790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80056f9030, DeviceName: Unknown, DriverName: \Driver\PGPwded\
DevicePointer: 0xfffffa80056c4040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80056c9790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80056c9060, DeviceName: \Device\0000007b\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\partmgr\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C3072E18
 
Partition information:
 
    Partition 0 type is Other (0x6)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 8064  Numsec = 3905664
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 2003828736 bytes
Sector size: 512 bytes
 
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-1025744009-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-625122448-u.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\LBA-0-625122448-k.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished


#7 bkneeland (Topic Starter)

Posted 11 September 2014 - 02:37 PM

Here is the emsi zip; I do not see the MBR txt file, though.

Attached File: emsi.zip (532 bytes)


#8 aharonov (Malware Response Team)

Posted 11 September 2014 - 03:02 PM

Hi,

These alleged forged sectors are very likely a false alarm caused by the disk encryption that you use.
What was the reason to do all those scans (with Malwarebytes Anti-Rootkit and others) to begin with? Are you experiencing any strange symptoms or problems?
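The two technical pieces of this thread are the MBR backup requested earlier (emsi.mbr from MBR Master) and the "[Forged physical sectors]" range in the Anti-Rootkit log that the reply above attributes to disk encryption. The script below is an added example for this thread, not code from Malwarebytes, Emsisoft or PGP: it parses a legacy 512-byte MBR the way a tool like MBR Master backs one up (the assumption is that emsi.mbr is a raw sector image), then works out where the scanner's "unpartitioned" tail window and the flagged range fall relative to the partition table. The MBR bytes are constructed to reproduce the partition table printed in the log (disk signature EC0328C2, the four entries, 320072933376-byte disk); the boot-code area is left zero.

```python
"""
Parse a legacy MBR (the 512-byte image a tool like Emsisoft MBR Master backs up)
and work out where a scanner-flagged sector range lies relative to the partition
table. Added example for this thread, not Malwarebytes, Emsisoft or PGP code.
ASSUMPTION: the emsi.mbr backup is a raw 512-byte sector image. The MBR built
below is CONSTRUCTED to reproduce the partition table printed in the
Anti-Rootkit log; its boot-code area is zero.
"""
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE          # four 16-byte partition entries
DISK_SIG_OFFSET = 0x1B8    # 32-bit Windows disk signature
BOOT_SIG_OFFSET = 0x1FE    # bytes 55 AA
ENTRY_FMT = "<B3xB3xII"    # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, count


@dataclass(frozen=True)
class Partition:
    index: int
    active: bool
    type_id: int
    start_lba: int
    num_sectors: int

    @property
    def end_lba(self) -> int:
        """Last sector of the partition, inclusive (-1 for an empty slot)."""
        return self.start_lba + self.num_sectors - 1 if self.num_sectors else -1


def parse_mbr(mbr: bytes):
    """Return (disk_signature, [Partition x4]); raises if the 55AA signature is missing."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("MBR image shorter than one 512-byte sector")
    if mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("MBR boot signature is not 55AA")
    (disk_sig,) = struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)
    parts = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        parts.append(Partition(i, boot == 0x80, ptype, start, count))
    return disk_sig, parts


def build_mbr(disk_sig: int, entries) -> bytes:
    """Build a 512-byte MBR from (active, type, start_lba, num_sectors) tuples (test data only)."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, DISK_SIG_OFFSET, disk_sig)
    for i, (active, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16 * i,
                         0x80 if active else 0x00, ptype, start, count)
    mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xAA"
    return bytes(mbr)


def classify_window(parts, first: int, last: int):
    """Split the sector window [first, last] into runs (owner, first, last), where
    owner is the index of the partition covering the run or None if no entry does."""
    live = [p for p in parts if p.num_sectors]
    runs, cur = [], first
    while cur <= last:
        owner = next((p for p in live if p.start_lba <= cur <= p.end_lba), None)
        if owner is None:
            next_start = min([p.start_lba for p in live if p.start_lba > cur] + [last + 1])
            end = min(next_start - 1, last)
            runs.append((None, cur, end))
        else:
            end = min(owner.end_lba, last)
            runs.append((owner.index, cur, end))
        cur = end + 1
    return runs


# Drive 0 as printed in the log: 320072933376-byte disk, 512-byte sectors (constructed data).
TOTAL_SECTORS = 320072933376 // SECTOR_SIZE          # 625142448
LOG_MBR = build_mbr(0xEC0328C2, [
    (False, 0xDE, 63, 80262),           # Partition 0, "Other (0xde)"
    (True,  0x07, 81920, 1536000),      # Partition 1, active NTFS boot partition
    (False, 0x07, 1617920, 623521792),  # Partition 2, the large NTFS volume
    (False, 0x00, 0, 0),                # Partition 3, empty
])
FLAGGED = (625122448, 625139711)        # "[Forged physical sectors]" range from the log


def analyse_log_disk():
    """Where do the scanner's 'unpartitioned' windows (1-62 and the disk tail) really fall?"""
    disk_sig, parts = parse_mbr(LOG_MBR)
    # The log prints the tail window as 625122448-625142448; the upper bound equals the
    # sector count, so the last addressable sector is TOTAL_SECTORS - 1 (assumption).
    head = classify_window(parts, 1, 62)
    tail = classify_window(parts, 625122448, TOTAL_SECTORS - 1)
    return disk_sig, parts, head, tail


if __name__ == "__main__":
    disk_sig, parts, head, tail = analyse_log_disk()
    print(f"Disk signature: {disk_sig:08X}")
    for p in parts:
        print(f"  Partition {p.index}: type 0x{p.type_id:02x} active={p.active} "
              f"LBA {p.start_lba}-{p.end_lba} ({p.num_sectors} sectors)")
    for owner, a, b in head + tail:
        where = "unpartitioned" if owner is None else f"inside partition {owner}"
        print(f"  Sectors {a}-{b}: {where}")
    print(f"  Flagged range {FLAGGED[0]}-{FLAGGED[1]} is the tail of partition 2: "
          f"{tail[0][0] == 2 and tail[0][1:] == FLAGGED}")
```

Run against the log's own numbers, the arithmetic shows that the flagged range is exactly the last 17264 sectors of partition 2 (the NTFS volume the scanner reported it could not read through the primary device), while the 2736 genuinely unpartitioned sectors after it (625139712-625142447) were not flagged. That geometry is consistent with the explanation given above: a filter driver in the disk stack (PGPwded sits above partmgr in the log) returns different contents on the two read paths the scanner compares. The script can only confirm the geometry, not the cause; to compare the real backup, read emsi.mbr into bytes and pass it to parse_mbr.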

#9 bkneeland (Topic Starter)

Posted 11 September 2014 - 03:12 PM

I am so glad to hear that!

The original reason to do the scans was a really slow PC. I saw errors in the event log referencing another profile ("Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards."), so I did a Malwarebytes scan.

The general Malwarebytes scan found Exploit.Drop.2 in another user profile on this machine, so I quarantined it. Then, just trying to be thorough, I ran the rootkit scanner and found what was posted; I was afraid the removal of whatever Exploit.Drop.2 was had left a residual rootkit. After I thought I had removed the rootkit, I ran ComboFix for a final cleaning, and upon reboot it caused the cascading windows while trying to show the results. Switching to another user allowed ComboFix to properly finish and display the results. However, I was concerned, so I re-ran the anti-rootkit and then saw that it still found malware.

I know I probably shouldn't have run ComboFix, but it's saved my bacon a few times before without issue. When it failed I figured I should check with the experts.

Thank you for all your help today, I really appreciate it ... Do you think I should run anything else on this machine?



#10 aharonov (Malware Response Team)

Posted 11 September 2014 - 03:21 PM

Alright. No, I don't think that any additional scans are necessary.
But what you should do is update Java 7 and uninstall the old Java 6 versions.
Other than that, we're done.


#11 aharonov (Malware Response Team)

Posted 19 September 2014 - 02:58 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



