
SuperFish Keeps Coming back


This topic is locked
24 replies to this topic

#1 kingsrookie

  • Members
  • 13 posts

Posted 28 September 2014 - 04:26 PM

I have not had such an issue removing malware until this one. I say Superfish since it comes up in Malwarebytes with every scan. It is located in C:\Users\*\AppData\Local\Google\Chrome\Default\Local Storage\ every time Chrome opens.

 

 

I can remove the PUP, restart and be good to go until a few minutes of running Chrome. IE is not affected. It will not replicate. I have used Rkill to stop processes and followed with MBAM. I have used AdwCleaner and Junkware Removal Tool. I have run a slew of others as well.

 

I have cleaned up the Programs list down to what I feel is necessary. Nothing unwanted as far as I can tell. I have done my due diligence with this.

 

I have also removed Flash, Reader, and Java and have updated to the latest versions from valid sites. I have disabled PepperFlash in Chrome and tried the default Flash, but it came back as well.

 

I have traced the infection to the registry (made a back-up first, but I am pretty comfortable around it as well) and removed the points of infection there. It works great with IE, but a few seconds after Chrome is opened, it's back. I have used Chameleon as well, thinking the browsers themselves could be infected.

 

I believe it is a file dropper located on the computer. I thought I was successful with a program located in the TEMP directory associated with Mozilla but no luck.

 

SAS only picks up tracking cookies.

MBAM will pick up Superfish, located in the same directory stated earlier, but no tracking cookies.

Rkill stops Superfish, located in the same directory stated earlier, but no tracking cookies.

 

I have tried ComboFix, AdwCleaner, JRT, MBAM, MBAM Chameleon, SAS, RogueKiller, SpyBot, Revo Uninstaller (removal of unnecessary toolbars, where I think the infections started), Hitman, manual removal through AppData and ProgramData, manual removal through AppWiz.cpl, and the registry entry points associated with the virus.

 

The ads are text links as well as popups. I will be happy to post logs, but I am stuck on where to go next. I have done a LOT of research on this and am a computer tech, so simple and advanced removal have been thoroughly tried, but I know I'm missing something.

 

I do not want to reload this computer, but will if need be; it is a cop-out, though. I know the issue can be resolved.

 

Edit*

I have also gone into the two browsers, checked the extensions and removed everything on IE. Chrome has three: Docs, Sheets, and Slides. I have also fully uninstalled Chrome and done a fresh install. IE has been rolled back and re-updated.

 

Thanks,


Edited by kingsrookie, 28 September 2014 - 04:38 PM.




#2 thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 28 September 2014 - 05:36 PM

Have you tried resetting the hosts file?

Also, try examining the shortcuts to Google Chrome. Sometimes a hyperlink is in the Target field.


Edited by thisisu, 28 September 2014 - 05:38 PM.
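One way to script the two checks thisisu suggests (the shortcut Target field and the hosts file), as an added example that is not part of the thread or of any tool mentioned in it. It assumes PowerShell 3 or later on the Windows 7 system described, the standard shortcut folders and the standard hosts-file location; the function name Test-BrowserShortcut and the list of extensions treated as suspicious in a shortcut's arguments are the example's own choices:

```powershell
# Added example, not from the thread: check the two hijack points thisisu asked about.
# 1) Browser shortcuts whose Target/Arguments were altered to open a URL or a script.
# 2) The hosts file, plus the registry value that tells Windows where the hosts file is.
# Paths are the standard Windows 7 locations; adjust $shortcutDirs for other profiles.

$shell = New-Object -ComObject WScript.Shell

$shortcutDirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)

function Test-BrowserShortcut {
    param([string]$Path)
    $lnk = $shell.CreateShortcut($Path)
    $issues = @()
    # A clean browser shortcut points at the browser's own executable ...
    if ($lnk.TargetPath -notmatch '\\(chrome|iexplore|firefox)\.exe$') {
        $issues += "target is not the browser executable: $($lnk.TargetPath)"
    }
    # ... and carries no URL, local page or script in its arguments.
    if ($lnk.Arguments -match 'https?://|\.(url|htm|html|hta|bat|cmd|vbs|js)\b') {
        $issues += "arguments contain a link or script: $($lnk.Arguments)"
    }
    $summary = if ($issues) { $issues -join '; ' } else { 'none' }
    [pscustomobject]@{
        Shortcut  = $Path
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
        Issues    = $summary
    }
}

"== Browser shortcuts =="
Get-ChildItem -Path $shortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match 'chrome|internet explorer|firefox' } |
    ForEach-Object { Test-BrowserShortcut $_.FullName } |
    Format-Table -AutoSize -Wrap

"== Hosts file =="
# Windows locates the hosts file through this registry value, so a redirected copy
# elsewhere would be missed by looking only at System32\drivers\etc\hosts.
$tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath   = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $tcpip).DataBasePath)
$expected = "$env:SystemRoot\System32\drivers\etc"
if ($dbPath.TrimEnd('\') -ne $expected) { "DataBasePath is '$dbPath' (expected '$expected')" }
$hostsFile = Join-Path $dbPath 'hosts'

# Only comments and the loopback lines belong in a default hosts file; print anything else.
$extra = Get-Content $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
if ($extra) { $extra | ForEach-Object { "non-default hosts entry: $_" } }
else        { 'hosts file has only default entries' }
```

Run it from a normal (non-elevated) PowerShell prompt; both the shortcut folders and the Tcpip\Parameters key are readable without administrator rights. A shortcut that reports a non-browser target, or any hosts entry other than the loopback lines, is what the post is asking the original poster to look for.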


#3 kingsrookie
  • Topic Starter

  • Members
  • 13 posts

Posted 28 September 2014 - 06:00 PM

I have checked the shortcuts for Chrome as well as IE. Tricky adware can hide there. Both are clean and open the intended program.

 

The hosts file has been checked as well. The only entry was a loopback address. I ran a test where I cleared the only entry, and it still pops up.

 

Just ran a thorough removal of Chrome, Flash, Java and Reader (just to cover my bases; scans have come back clean multiple times after removal, and only Chrome pulls it up) and removed a download manager associated with Epson. Re-installation failed again.

 

It seems to happen after 60 seconds have elapsed. I reduced the number of programs to 28 installed apps, Chrome included. Cleared temp folders and removed registry points again.

 

The only things I haven't touched in the Programs list that are not CORE programs are:

  • Adobe Air & Shockwave
  • Citrix Online Launcher
  • Core FTP
  • Epson Printer Drivers and Utilities
  • Chrome
  • GoTo Meeting
  • Java
  • MalwareBytes
  • MeadCo ScriptX (Verified: Is needed)
  • M. Office 2010
  • MSE
  • M. Silverlight
  • Nuance PaperPort (Scanner App)
  • OneTouch (Scanner App, Needed)
  • QuickBooks
  • Revo
  • SpyBot
  • SAS
  • TeamViewer
  • Visioneer Acuity (Scanner Driver)
  • Xerox Documate (Scanner Driver)

 

I wanted to list these because I have cleaned up and removed anything that I could see as not even remotely needed, or that could be removed without harm.


Edited by kingsrookie, 28 September 2014 - 06:07 PM.


#4 thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 28 September 2014 - 06:12 PM

You say this problem only occurs in Chrome, correct?

Try this for me:

  • Open Chrome
  • Open the settings of Chrome by entering chrome://settings/ into the address box and pressing ENTER
  • Go to Extensions
  • Place a checkmark in Developer Mode

Anything suspicious in here to you? Take a screenshot if you are unsure.

Also complete the below:

 

 

Scan with Farbar Recovery Scan Tool - Download it here

Start FRST with administrator privileges.

  • Make sure the Addition.txt option is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

Edited by thisisu, 28 September 2014 - 06:14 PM.
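A scripted counterpart to the extension review this post asks for, plus a dump of the Chrome policy keys that FRST later flags as "Policy restriction", as an added example that is not part of the thread or of FRST. It assumes PowerShell 3 or later and the Default Chrome profile path shown in the FRST log; the function names Resolve-ExtensionName, Get-ChromeExtensions and Get-ChromePolicyValues are the example's own:

```powershell
# Added example, not from the thread: two things to check in Chrome alongside the
# Developer Mode view. (a) Every extension unpacked under the profile's Extensions
# folder, with its real name resolved from _locales, so an unfamiliar ID stands out.
# (b) Any Chrome policy values under HKLM/HKCU\SOFTWARE\Policies\Google, the location
# FRST reports. $chromeProfile is the Default profile from the FRST log; change it
# for other profiles.

$chromeProfile = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default"

function Resolve-ExtensionName {
    param([string]$ExtDir, $Manifest)
    $name = $Manifest.name
    # Localized names appear as __MSG_key__ and are defined in _locales/<locale>/messages.json
    if ($name -match '^__MSG_(.+)__$') {
        $key    = $Matches[1]
        $locale = if ($Manifest.default_locale) { $Manifest.default_locale } else { 'en' }
        $msgFile = Join-Path $ExtDir "_locales\$locale\messages.json"
        if (Test-Path $msgFile) {
            $msgs  = Get-Content $msgFile -Raw | ConvertFrom-Json
            $entry = $msgs.PSObject.Properties[$key]
            if ($entry) { $name = $entry.Value.message }
        }
    }
    return $name
}

function Get-ChromeExtensions {
    param([string]$ProfilePath)
    $extRoot = Join-Path $ProfilePath 'Extensions'
    # Layout is Extensions\<32-letter id>\<version>\manifest.json
    foreach ($idDir in Get-ChildItem $extRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($verDir in Get-ChildItem $idDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path $manifestPath)) { continue }
            $m = Get-Content $manifestPath -Raw | ConvertFrom-Json
            [pscustomobject]@{
                Id          = $idDir.Name
                Name        = Resolve-ExtensionName $verDir.FullName $m
                Version     = $verDir.Name
                Permissions = (@($m.permissions) -join ', ')
                Unpacked    = $verDir.CreationTime
            }
        }
    }
}

function Get-ChromePolicyValues {
    # Chrome reads policy from these keys. On a stand-alone home PC they normally do
    # not exist at all, which is why FRST treats their presence as worth attention.
    foreach ($hive in 'HKLM', 'HKCU') {
        $root = "${hive}:\SOFTWARE\Policies\Google"
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse)
        foreach ($k in $keys) {
            $props = Get-ItemProperty -Path $k.PSPath
            foreach ($p in $props.PSObject.Properties) {
                # Skip the provider's own bookkeeping properties; keep real registry values
                if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                    [pscustomobject]@{ Key = $k.Name; Value = $p.Name; Data = $p.Value }
                }
            }
        }
    }
}

"== Chrome extensions in $chromeProfile =="
Get-ChromeExtensions $chromeProfile | Sort-Object Unpacked | Format-Table -AutoSize -Wrap

"== Chrome policy values (none is the expected result on a home PC) =="
$policies = Get-ChromePolicyValues
if ($policies) { $policies | Format-Table -AutoSize -Wrap } else { 'no Chrome policy keys present' }
```

The extension listing covers only what is unpacked under the profile folder, so the Developer Mode view in chrome://extensions stays the authoritative list; the script is there to put a readable name and permission set next to each ID. Policy values are the part worth reading closely: a policy such as ExtensionInstallForcelist (a real Chrome policy name, not something the thread mentions) pins an extension so it cannot be removed from chrome://extensions, and on a machine where nobody set Chrome policies deliberately, whatever wrote those values is the thing that keeps putting the unwanted component back.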


#5 kingsrookie
  • Topic Starter

  • Members
  • 13 posts

Posted 28 September 2014 - 06:28 PM

Checked Developer Mode and there are no extensions hidden there. I even went ahead and removed Docs, Sheets, and Slides a bit earlier. It does appear to be isolated to Chrome, since I can view the same site with IE and not get a pop-up. Also removed GoTo Meeting, since it was scheduled in Task Scheduler to start up and update when Chrome opened.

 

Here are the files requested.

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-09-2014 02
Ran by User (administrator) on USER-PC on 28-09-2014 19:21:31
Running from C:\Users\User\Downloads
Loaded Profiles: User &  (Available profiles: User)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Visioneer Inc.) C:\Program Files\Visioneer\DM3220\DM3220HV_0001_0.EXE
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Visioneer Inc.) C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(Intuit, Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXSTM.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXRCV.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [630912 2012-05-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [12288 2012-04-19] ()
HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [36168 2013-04-19] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [18248 2013-04-19] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863360 2012-02-29] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [502912 2012-02-29] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058400 2012-01-26] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-09-12] (Adobe Systems Incorporated)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-412470663-2694479649-113588399-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7763736 2014-09-19] (SUPERAntiSpyware)
HKU\S-1-5-21-412470663-2694479649-113588399-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6482200 2014-09-26] (Piriform Ltd)
HKU\S-1-5-21-412470663-2694479649-113588399-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7763736 2014-09-19] (SUPERAntiSpyware)
HKU\S-1-5-21-412470663-2694479649-113588399-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6482200 2014-09-26] (Piriform Ltd)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {04B6290C-97B8-49A1-B0A3-1312254F7C54} https://portal.carealliance.com/portal/applets/SharedSession.dll
DPF: HKLM-x32 {1663ed6a-23eb-11d2-b92f-008048fdd814} https://www6.ecastcorp.com/emr/system/smsx.cab
DPF: HKLM-x32 {A08D2318-19E6-4332-A741-87FBBD3984CD} https://portal.carealliance.com/portal/applets/mckapprun.cab
DPF: HKLM-x32 {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} https://www6.ecastcorp.com/emr/system/DynamicWebTWAIN.cab
DPF: HKLM-x32 {EB29B81A-7351-4890-8BCE-58127C3545F9} https://portal.carealliance.com/portal/applets/mckntauth.ocx
Tcpip\Parameters: [DhcpNameServer] 10.1.10.1
Tcpip\..\Interfaces\{7B44D57C-A043-4E17-8D95-9A6CBDE91089}: [NameServer] 81.218.119.15,199.203.35.75

FireFox:
========
FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\si5wdbh0.default
FF SelectedSearchEngine: StartWeb
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1209149.dll (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\User\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Extension: {{EXT_NAME}} - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\si5wdbh0.default\Extensions\jid1-eMhaOaq3SPBFDg@jetpack [2014-09-22]

Chrome:
=======
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-09-28]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-28]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-28]
CHR Extension: (Google Search) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-09-28]
CHR Extension: (Google Wallet) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-28]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-09-28]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-09-19] (SUPERAntiSpyware.com)
S4 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-05-04] (Advanced Micro Devices, Inc.) [File not signed]
R2 DM3220HV_0001_0; C:\Program Files\Visioneer\DM3220\DM3220HV_0001_0.EXE [417280 2013-05-28] (Visioneer Inc.)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)
R2 OneTouch 4.0 Monitor; C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe [229376 2013-01-31] (Visioneer Inc.) [File not signed]
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [77640 2013-04-19] (Nuance Communications, Inc.)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [55936 2011-11-13] (Advanced Micro Devices)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [122584 2014-09-28] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S3 catchme; \??\C:\threedogs\catchme.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-28 19:21 - 2014-09-28 19:22 - 00014770 _____ () C:\Users\User\Downloads\FRST.txt
2014-09-28 19:21 - 2014-09-28 19:21 - 02108928 _____ (Farbar) C:\Users\User\Downloads\FRST64.exe
2014-09-28 19:21 - 2014-09-28 19:21 - 00000000 ____D () C:\FRST
2014-09-28 19:10 - 2014-09-28 19:10 - 00000056 _____ () C:\Windows\setupact.log
2014-09-28 19:10 - 2014-09-28 19:10 - 00000000 _____ () C:\Windows\setuperr.log
2014-09-28 19:09 - 2014-09-28 19:09 - 00002806 _____ () C:\Windows\PFRO.log
2014-09-28 19:08 - 2014-09-28 19:08 - 00991232 _____ () C:\Users\User\Downloads\MicrosoftFixit50267.msi
2014-09-28 18:53 - 2014-09-28 18:53 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-09-28 18:53 - 2014-09-28 18:53 - 00002019 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2014-09-28 18:51 - 2014-09-28 18:51 - 00272808 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-09-28 18:51 - 2014-09-28 18:51 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-09-28 18:51 - 2014-09-28 18:51 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-09-28 18:51 - 2014-09-28 18:51 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-09-28 18:51 - 2014-09-28 18:51 - 00000000 ____D () C:\Program Files (x86)\Java
2014-09-28 18:50 - 2014-09-28 19:11 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-28 18:50 - 2014-09-28 18:55 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-09-28 18:50 - 2014-09-28 18:50 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-09-28 18:50 - 2014-09-28 18:50 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-09-28 18:50 - 2014-09-28 18:50 - 00002218 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-09-28 18:50 - 2014-09-28 18:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-09-28 18:44 - 2014-09-28 18:44 - 00010377 _____ () C:\ComboFix.txt
2014-09-28 17:54 - 2014-09-28 17:54 - 00002770 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-09-28 17:54 - 2014-09-28 17:54 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-09-28 17:54 - 2014-09-28 17:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2014-09-28 17:54 - 2014-09-28 17:54 - 00000000 ____D () C:\Program Files\CCleaner
2014-09-28 17:53 - 2014-09-28 17:53 - 04965896 _____ (Piriform Ltd) C:\Users\User\Downloads\ccsetup418.exe
2014-09-28 17:05 - 2014-09-28 17:05 - 00000000 ____D () C:\Users\User\Downloads\mbam-chameleon-3.1.4.0
2014-09-28 17:04 - 2014-09-28 17:05 - 04872677 _____ () C:\Users\User\Downloads\mbam-chameleon-3.1.4.0.zip
2014-09-28 16:52 - 2014-09-28 16:52 - 00319912 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-09-28 16:52 - 2014-09-28 16:52 - 00189352 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-09-28 16:52 - 2014-09-28 16:52 - 00189352 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-09-28 16:52 - 2014-09-28 16:52 - 00111016 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-09-28 16:52 - 2014-09-28 16:52 - 00000000 ____D () C:\Program Files\Java
2014-09-28 16:51 - 2014-09-28 16:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-09-28 16:23 - 2014-09-28 16:23 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\User\Downloads\rkill (2).exe
2014-09-28 14:41 - 2014-09-28 14:41 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-09-28 14:40 - 2014-09-28 14:41 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-09-28 14:40 - 2014-09-28 14:40 - 05472344 _____ () C:\Users\User\Downloads\RogueKillerX64.exe
2014-09-28 14:27 - 2014-09-28 14:27 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\User\Downloads\rkill (1).exe
2014-09-28 14:22 - 2014-09-28 14:22 - 00000930 _____ () C:\Users\User\Desktop\JRT.txt
2014-09-28 14:16 - 2014-09-28 14:16 - 01699276 _____ (Thisisu) C:\Users\User\Downloads\JRT (1).exe
2014-09-28 14:11 - 2014-09-28 14:11 - 00000000 ____D () C:\Windows\ERUNT
2014-09-28 14:08 - 2014-09-28 14:08 - 01699276 _____ (Thisisu) C:\Users\User\Downloads\JRT.exe
2014-09-25 09:16 - 2014-09-26 08:18 - 00000000 ____D () C:\Users\User\AppData\Roaming\.oit
2014-09-24 12:56 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll
2014-09-24 12:28 - 2014-09-28 16:24 - 00002040 _____ () C:\Users\User\Desktop\Rkill.txt
2014-09-24 12:28 - 2014-09-24 12:28 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\User\Downloads\rkill.exe
2014-09-24 12:22 - 2014-09-24 12:22 - 00001264 _____ () C:\Users\User\Desktop\Revo Uninstaller.lnk
2014-09-24 12:22 - 2014-09-24 12:22 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group
2014-09-24 12:21 - 2014-09-24 12:21 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\User\Downloads\revosetup.exe
2014-09-24 12:00 - 2014-09-24 12:34 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-09-24 12:00 - 2014-09-24 12:04 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2014-09-24 12:00 - 2014-09-24 12:00 - 00001391 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2014-09-24 12:00 - 2014-09-24 12:00 - 00001379 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-09-24 12:00 - 2014-09-24 12:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2014-09-24 12:00 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2014-09-24 11:57 - 2014-09-24 11:58 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\User\Downloads\spybot-2.4.exe
2014-09-24 11:39 - 2014-09-24 11:40 - 00271872 _____ (Secure By Design Inc.) C:\Users\User\Downloads\Ninite Java Installer.exe
2014-09-24 10:54 - 2014-09-24 13:42 - 00000000 ____D () C:\Users\User\AppData\Roaming\TeamViewer
2014-09-24 10:54 - 2014-09-24 10:54 - 00001174 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2014-09-24 10:54 - 2014-09-24 10:54 - 00001162 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2014-09-24 10:54 - 2014-09-24 10:54 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-09-24 10:53 - 2014-09-24 10:53 - 06588560 _____ (TeamViewer GmbH) C:\Users\User\Downloads\TeamViewer_Setup_en.exe
2014-09-23 11:07 - 2014-09-23 11:07 - 00000000 ____D () C:\found.000
2014-09-23 11:04 - 2014-09-24 12:59 - 00000000 ____D () C:\AdwCleaner
2014-09-23 11:03 - 2014-09-23 11:04 - 01373475 _____ () C:\Users\User\Downloads\AdwCleaner.exe
2014-09-22 13:23 - 2014-09-22 13:52 - 00000000 ____D () C:\ProgramData\TEMP
2014-09-22 13:20 - 2014-09-22 13:20 - 00000000 ____D () C:\SUPERDelete
2014-09-22 13:04 - 2014-09-22 13:04 - 00895120 _____ (Google Inc.) C:\Users\User\Downloads\ChromeSetup.exe
2014-09-22 09:41 - 2014-09-22 09:41 - 00271872 _____ (Secure By Design Inc.) C:\Users\User\Downloads\Ninite Reader Installer.exe
2014-09-19 09:41 - 2014-09-28 17:41 - 00000508 _____ () C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 02c0979b-466d-452b-9325-1b4a7963bdb2.job
2014-09-19 09:41 - 2014-09-27 02:00 - 00000508 _____ () C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 92cacbf4-efea-4c38-9260-457c50980981.job
2014-09-19 09:41 - 2014-09-19 09:41 - 00003578 _____ () C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task 92cacbf4-efea-4c38-9260-457c50980981
2014-09-19 09:41 - 2014-09-19 09:41 - 00003504 _____ () C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task 02c0979b-466d-452b-9325-1b4a7963bdb2
2014-09-19 09:29 - 2014-09-28 19:11 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-19 09:29 - 2014-09-19 09:29 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-19 09:29 - 2014-09-19 09:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-19 09:28 - 2014-09-28 17:06 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-19 09:28 - 2014-09-19 09:29 - 00000000 ____D () C:\Users\User\AppData\Roaming\Malwarebytes
2014-09-19 09:28 - 2014-09-19 09:29 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-19 09:28 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-18 14:31 - 2014-09-18 14:31 - 00000000 ____D () C:\Windows\Sun
2014-09-18 14:21 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-09-18 14:21 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-09-18 14:21 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-09-18 14:21 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-09-18 14:21 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-09-18 14:21 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe
2014-09-18 14:21 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe
2014-09-18 14:21 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe
2014-09-18 14:20 - 2014-09-28 18:44 - 00000000 ____D () C:\Qoobox
2014-09-18 14:20 - 2014-09-23 09:28 - 00000000 ____D () C:\Windows\erdnt
2014-09-18 13:39 - 2014-09-19 08:22 - 00000000 ___HD () C:\Users\Public\Temp
2014-09-18 13:39 - 2014-09-18 13:39 - 00000000 ____D () C:\Users\Public\Documents\ShopperPro
2014-09-18 13:37 - 2014-09-18 13:48 - 00000258 __RSH () C:\ProgramData\ntuser.pol
2014-09-15 10:52 - 2014-09-15 10:52 - 00000000 ____D () C:\Users\User\AppData\Roaming\OneTouch 4.0
2014-09-01 04:18 - 2014-09-01 04:18 - 00002086 _____ () C:\Users\User\AppData\Roaming\LWMA
2014-09-01 04:18 - 2014-09-01 04:18 - 00001248 _____ () C:\Users\User\AppData\Roaming\MEERRVDB

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-28 19:22 - 2014-03-11 13:55 - 00000000 ____D () C:\Users\User\Documents\Outlook Files
2014-09-28 19:17 - 2014-03-13 10:24 - 00000000 ____D () C:\Users\User\AppData\Local\Citrix
2014-09-28 19:17 - 2009-07-14 00:45 - 00022064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-28 19:17 - 2009-07-14 00:45 - 00022064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-28 19:16 - 2009-07-14 01:13 - 00798586 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-09-28 19:13 - 2014-03-04 20:32 - 01618649 _____ () C:\Windows\WindowsUpdate.log
2014-09-28 19:11 - 2014-03-04 22:40 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2014-09-28 19:10 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-28 18:53 - 2014-03-04 21:50 - 00000000 ____D () C:\ProgramData\Adobe
2014-09-28 18:53 - 2014-03-04 21:50 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-09-28 18:50 - 2014-03-04 21:48 - 00000000 ____D () C:\Program Files (x86)\Google
2014-09-28 18:42 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini
2014-09-28 18:24 - 2014-03-06 11:57 - 00000000 ____D () C:\ProgramData\ABBYY
2014-09-28 18:24 - 2014-03-06 11:53 - 00000000 ____D () C:\Program Files (x86)\EPSON Software
2014-09-28 17:59 - 2014-03-20 14:53 - 00000000 ____D () C:\Users\User\AppData\Roaming\CoreFTP
2014-09-28 17:59 - 2014-03-05 12:25 - 00000000 ____D () C:\Windows\Panther
2014-09-28 17:40 - 2014-03-04 21:24 - 05582345 ____R (Swearware) C:\Users\User\Desktop\threedogs.exe
2014-09-28 17:03 - 2014-08-14 08:35 - 00000000 ____D () C:\Users\User\AppData\Local\Adobe
2014-09-28 16:53 - 2014-03-04 21:48 - 00000000 ____D () C:\Users\User\AppData\Local\Google
2014-09-28 16:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-09-28 16:45 - 2014-07-01 08:17 - 00000000 ____D () C:\Program Files\Google
2014-09-26 08:18 - 2014-03-11 16:15 - 00000000 ____D () C:\Users\User\Documents\OneTouch Docs
2014-09-25 14:38 - 2014-03-04 21:24 - 00000000 ____D () C:\Users\User\Desktop\Scanned Cards
2014-09-25 14:19 - 2014-03-04 21:24 - 00000000 ____D () C:\Users\User\Desktop\Carolina Prev Med Assoc
2014-09-25 13:34 - 2014-03-04 21:25 - 00000000 ____D () C:\Users\User\Documents\Quickbooks Backups
2014-09-24 13:04 - 2014-03-04 20:48 - 00093008 _____ () C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT
2014-09-24 13:01 - 2009-07-14 00:45 - 00363336 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-09-24 12:31 - 2009-07-13 22:34 - 00000000 _____ () C:\Windows\system32\Drivers\etc\hosts.old
2014-09-23 09:28 - 2009-07-13 22:34 - 65257472 _____ () C:\Windows\system32\config\SOFTWARE.bak
2014-09-23 09:28 - 2009-07-13 22:34 - 15466496 _____ () C:\Windows\system32\config\SYSTEM.bak
2014-09-23 09:28 - 2009-07-13 22:34 - 00176128 _____ () C:\Windows\system32\config\DEFAULT.bak
2014-09-23 09:28 - 2009-07-13 22:34 - 00028672 _____ () C:\Windows\system32\config\SECURITY.bak
2014-09-23 09:28 - 2009-07-13 22:34 - 00028672 _____ () C:\Windows\system32\config\SAM.bak
2014-09-22 12:38 - 2009-07-14 01:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-09-22 02:42 - 2010-11-20 23:27 - 00278152 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-09-19 09:41 - 2014-03-04 22:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2014-09-19 09:28 - 2014-03-04 22:39 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-19 09:28 - 2014-03-04 22:39 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-09-18 15:03 - 2009-07-13 22:34 - 00000580 _____ () C:\Windows\win.ini
2014-09-18 14:32 - 2014-03-04 20:45 - 00811332 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-09-18 14:31 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-09-18 13:47 - 2014-03-13 10:39 - 00001413 _____ () C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-09-18 13:37 - 2009-07-13 23:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-09-18 13:37 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy
2014-09-18 09:06 - 2014-03-04 21:24 - 00000000 ____D () C:\Users\User\Documents\CPMA Forms and Instructions

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-09-26 13:10

==================== End Of Log ============================

 

Additions.txt

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-09-2014 02
Ran by User at 2014-09-28 19:23:09
Running from C:\Users\User\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 4.0.0.1390 - Adobe Systems Incorporated)
Adobe AIR (x32 Version: 4.0.0.1390 - Adobe Systems Incorporated) Hidden
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.9.149 - Adobe Systems, Inc.)
AMD Accelerated Video Transcoding (Version: 2.00.0002 - Advanced Micro Devices, Inc.) Hidden
AMD APP SDK Runtime (Version: 10.0.873.1 - Advanced Micro Devices Inc.) Hidden
AMD Catalyst Install Manager (HKLM\...\{DD562794-C098-A1E5-66ED-10E8BD1C84C5}) (Version: 3.0.864.0 - Advanced Micro Devices, Inc.)
AMD Fuel (Version: 2012.0504.1554.26509 - Advanced Micro Devices, Inc.) Hidden
AMD VISION Engine Control Center (x32 Version: 2012.0504.1554.26509 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center InstallProxy (x32 Version: 2012.0504.1554.26509 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Localization All (x32 Version: 2012.0504.1554.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Chinese Standard (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Chinese Traditional (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Czech (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Danish (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Dutch (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help English (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Finnish (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help French (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help German (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Greek (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Hungarian (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Italian (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Japanese (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Korean (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Norwegian (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Polish (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Portuguese (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Russian (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Spanish (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Swedish (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Thai (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
CCC Help Turkish (x32 Version: 2012.0504.1553.26509 - Advanced Micro Devices, Inc.) Hidden
ccc-utility64 (Version: 2012.0504.1554.26509 - Advanced Micro Devices, Inc.) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 4.18 - Piriform)
Citrix Online Launcher (HKLM-x32\...\{B025BA0B-64A6-46DE-9D64-32965C83CCA9}) (Version: 1.0.179 - Citrix)
Core FTP LE (x64) (HKLM-x32\...\CoreFTP(x64)) (Version:  - )
Definition update for Microsoft Office 2010 (KB982726) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{E14AE329-F210-4EDD-B775-290821C66C1F}) (Version:  - Microsoft)
EPSON Connect version 1.0 (HKLM-x32\...\EPSON Connect_is1) (Version: 1.0 - Epson America Inc.)
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.4.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM-x32\...\{44F72193-F59C-4303-BAE8-E3E4BC1C122C}) (Version: 3.01.0003 - Seiko Epson Corporation)
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.30.00 - SEIKO EPSON CORPORATION)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WF-2540 Series Printer Uninstall (HKLM\...\EPSON WF-2540 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.5.00 - SEIKO EPSON CORPORATION)
Google Chrome (HKLM-x32\...\{F8136D8B-7B8B-3FC6-BF42-EEAF643C5C4F}) (Version: 66.3.32892 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden
Java 7 Update 67 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F06417067FF}) (Version: 7.0.670 - Oracle)
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Java Auto Updater (x32 Version: 2.1.67.1 - Oracle, Inc.) Hidden
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
MeadCo ScriptX (v7.0.0.8 (x86)) (HKLM-x32\...\{F2682E66-3DEF-4066-AD9F-70DDB96CDDCC}) (Version: 7.0.8 - Mead & Co Ltd.)
Microsoft .NET Framework 1.1 (HKLM-x32\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office 2010 Service Pack 1 (SP1) (x32 Version:  - Microsoft) Hidden
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Business 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.6029.1000 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.4.0304.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.4.304.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4048 (HKLM\...\{91415F19-4C22-3609-A105-92ED3522D83C}) (Version: 9.0.30729.4048 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4048 (HKLM-x32\...\{5B1F2843-B379-3FF2-B0D3-64DD143ED53A}) (Version: 9.0.30729.4048 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Nuance PaperPort 14 (HKLM-x32\...\{43A4BB54-C319-4207-8948-42E79E66F47F}) (Version: 14.5.0000 - Nuance Communications, Inc.)
OneTouch 4 ScanSoft OmniPage 16.2 OCR Module (HKLM-x32\...\{F80376CE-BB27-4757-B2A1-F3873F7FC457}) (Version: 2.0.0 - Visioneer)
OneTouch 4.6 (HKLM-x32\...\{AF8B1525-17EF-4D2E-A018-8D79CE260BA8}) (Version: 4.6.1513.1316 - Visioneer Inc.)
QuickBooks Pro 2005 (HKLM-x32\...\{14374622-0900-4056-BA06-C87C900AF9E6}) (Version:  - )
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.72.410.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6959 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.7.1018 - SUPERAntiSpyware.com)
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
Visioneer Acuity Assets V1 (HKLM-x32\...\{8D4A39B4-5D75-462C-89A2-81C1D887B9B5}) (Version: 5.1.812.11295 - Visioneer)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WinRAR 5.01 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.01.0 - win.rar GmbH)
Xerox DocuMate 3220 Driver (HKLM-x32\...\{1122C086-8788-4A44-A341-97A9E0D912D2}) (Version: 5.1.13.5279 - Visioneer Inc.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

28-09-2014 20:25:45 Removed Java 7 Update 67 (64-bit)
28-09-2014 22:24:29 Revo Uninstaller's restore point - Download Navigator
28-09-2014 22:24:38 Removed Download Navigator
28-09-2014 22:25:17 Revo Uninstaller's restore point - Google Chrome
28-09-2014 22:25:43 Removed Google Chrome
28-09-2014 22:27:08 Revo Uninstaller's restore point - Java 7 Update 67
28-09-2014 22:27:16 Removed Java 7 Update 67
28-09-2014 22:28:49 Revo Uninstaller's restore point - K-Lite Codec Pack 10.3.5 Full
28-09-2014 22:29:59 Revo Uninstaller's restore point - Adobe Reader XI (11.0.09)
28-09-2014 22:32:23 Revo Uninstaller's restore point - Adobe Flash Player 15 Plugin
28-09-2014 23:08:42 Installed Microsoft Fix it 50267

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2013-09-03 17:19 - 00000833 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0D256A5C-C438-4D7A-8AAC-2EAF7A7BA736} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-09-28] (Google Inc.)
Task: {33930302-9C24-44A3-9E72-8FB42BECC191} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-09-28] (Google Inc.)
Task: {9463E807-CE62-4F85-A4DE-8C96830C51A0} - System32\Tasks\SUPERAntiSpyware Scheduled Task 92cacbf4-efea-4c38-9260-457c50980981 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {96617D56-28E0-4F7D-9254-1F9BEC6D120B} - System32\Tasks\SUPERAntiSpyware Scheduled Task 02c0979b-466d-452b-9325-1b4a7963bdb2 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {F9154E55-5DBE-4CCD-B239-EE1B2DAF2C16} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-09-26] (Piriform Ltd)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 02c0979b-466d-452b-9325-1b4a7963bdb2.job => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 92cacbf4-efea-4c38-9260-457c50980981.job => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

==================== Loaded Modules (whitelisted) =============

2012-05-04 16:47 - 2012-05-04 16:47 - 00369152 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2014-09-24 12:00 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-09-24 12:00 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2014-09-24 12:00 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-09-24 12:00 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2014-09-24 12:00 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2009-07-13 17:03 - 2009-07-13 21:15 - 00364544 _____ () C:\Windows\SysWOW64\msjetoledb40.dll
2014-09-28 18:50 - 2014-09-23 00:06 - 01098056 _____ () C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\libglesv2.dll
2014-09-28 18:50 - 2014-09-23 00:06 - 00174408 _____ () C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\libegl.dll
2014-09-28 18:50 - 2014-09-23 00:07 - 08577864 _____ () C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\pdf.dll
2014-09-28 18:50 - 2014-09-23 00:07 - 00331592 _____ () C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\ppGoogleNaClPluginChrome.dll
2014-09-28 18:50 - 2014-09-23 00:06 - 01660232 _____ () C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\ffmpegsumo.dll
2014-09-28 18:50 - 2014-09-23 00:07 - 14891848 _____ () C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\PepperFlash\pepflashplayer.dll
2011-03-17 00:11 - 2011-03-17 00:11 - 04297568 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf
2010-12-21 01:15 - 2010-12-21 01:15 - 01041248 _____ () C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:373E1720

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: ABBYY.Licensing.FineReader.Sprint.9.0 => 2
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: AMD External Events Utility => 2
MSCONFIG\Services: AMD FUEL Service => 2
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: gusvc => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\startupreg: EPLTarget =>
MSCONFIG\startupreg: ISUSPM => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
MSCONFIG\startupreg: Logitech Download Assistant => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
MSCONFIG\startupreg: RTHDVCPL => "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s

========================= Accounts: ==========================

Administrator (S-1-5-21-412470663-2694479649-113588399-500 - Administrator - Disabled)
ASPNET (S-1-5-21-412470663-2694479649-113588399-1003 - Limited - Enabled)
Guest (S-1-5-21-412470663-2694479649-113588399-501 - Limited - Disabled)
User (S-1-5-21-412470663-2694479649-113588399-1000 - Administrator - Enabled) => C:\Users\User

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/28/2014 07:11:06 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/28/2014 07:10:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/28/2014 07:08:44 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (09/28/2014 06:32:24 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (09/28/2014 06:29:59 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (09/28/2014 06:28:49 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (09/28/2014 06:27:20 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (09/28/2014 06:27:08 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (09/28/2014 06:25:43 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (09/28/2014 06:25:17 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.


System errors:
=============
Error: (09/28/2014 06:42:11 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (09/28/2014 06:39:50 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (09/28/2014 05:48:47 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (09/28/2014 05:46:16 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (09/28/2014 05:35:41 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The FastPlayer Updater Service service failed to start due to the following error:
%%2

Error: (09/28/2014 04:45:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The FastPlayer Updater Service service failed to start due to the following error:
%%2

Error: (09/28/2014 04:11:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The FastPlayer Updater Service service failed to start due to the following error:
%%2

Error: (09/28/2014 02:58:23 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The FastPlayer Updater Service service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (09/28/2014 07:11:06 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"C:\Program Files (x86)\Epson Software\FAX Utility\Resource\FULEPPRes.dll

Error: (09/28/2014 07:10:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/28/2014 07:08:44 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (09/28/2014 06:32:24 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (09/28/2014 06:29:59 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (09/28/2014 06:28:49 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (09/28/2014 06:27:20 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (09/28/2014 06:27:08 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (09/28/2014 06:25:43 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (09/28/2014 06:25:17 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service FastPlayer Updater Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.


CodeIntegrity Errors:
===================================
  Date: 2014-09-23 09:55:45.762
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-23 09:55:45.701
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-23 09:55:45.640
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-23 09:43:20.165
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-23 09:43:20.092
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-23 09:43:20.020
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-23 09:23:46.464
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-19 09:36:06.372
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-19 09:36:06.310
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-09-19 09:36:06.248
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\PCTRunner\pcwtc64f.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: AMD FX™-4300 Quad-Core Processor
Percentage of memory in use: 51%
Total physical RAM: 3839.18 MB
Available physical RAM: 1867.44 MB
Total Pagefile: 7676.54 MB
Available Pagefile: 5362.23 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:432.76 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 64B961F8)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#6 kingsrookie

kingsrookie
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:33 PM

Posted 28 September 2014 - 06:29 PM

Also I wanted to note an error. It DOES happen in IE as well. It just takes a bit longer to propagate there, hence why I didn't see it. Thought this was valid info.

 

A run of Rkill and MBAM just now posted the same two PUPs (SuperFish) as always.


Edited by kingsrookie, 28 September 2014 - 06:30 PM.


#7 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:33 PM

Posted 28 September 2014 - 07:18 PM

Alright, let's try this:

 

Step 1


Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.

  • Copy the entire content of the codebox below and paste into the notepad document:
    start
    U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    File: C:\Program Files\Visioneer\DM3220\DM3220HV_0001_0.EXE
    S3 catchme; \??\C:\threedogs\catchme.sys [X]
    S3 MSICDSetup; \??\D:\CDriver64.sys [X]
    S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]
    cmd: type C:\Windows\system32\Drivers\etc\hosts
    hosts:
    C:\Users\User\AppData\Local\Google\Chrome\Default\Local Storage\http_www.superfish.com_0.localstorage
    C:\Users\User\AppData\Local\Google\Chrome\Default\Local Storage\http_www.superfish.com_0.localstorage-journal
    C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage
    C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal
    AlternateDataStreams: C:\ProgramData\TEMP:373E1720
    cmd: type C:\ComboFix.txt
    Folder: C:\Users\User\AppData\Roaming\.oit
    cmd: type C:\Users\User\Desktop\Rkill.txt
    Folder: C:\Users\Public\Documents\ShopperPro
    Folder: C:\Users\User\AppData\Roaming\MEERRVDB
    C:\Users\User\AppData\Roaming\MEERRVDB
    emptytemp:
    end
     
  • Click File > Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.


Edited by thisisu, 28 September 2014 - 07:20 PM.


#8 kingsrookie

kingsrookie
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:33 PM

Posted 28 September 2014 - 07:25 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-09-2014 02
Ran by User at 2014-09-28 20:22:15 Run:1
Running from C:\Users\User\Downloads
Loaded Profile: User (Available profiles: User & test)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
File: C:\Program Files\Visioneer\DM3220\DM3220HV_0001_0.EXE
S3 catchme; \??\C:\threedogs\catchme.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\D:\NTIOLib_X64.sys [X]
cmd: type C:\Windows\system32\Drivers\etc\hosts
hosts:
C:\Users\User\AppData\Local\Google\Chrome\Default\Local Storage\http_www.superfish.com_0.localstorage
C:\Users\User\AppData\Local\Google\Chrome\Default\Local Storage\http_www.superfish.com_0.localstorage-journal
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
cmd: type C:\ComboFix.txt
Folder: C:\Users\User\AppData\Roaming\.oit
cmd: type C:\Users\User\Desktop\Rkill.txt
Folder: C:\Users\Public\Documents\ShopperPro
Folder: C:\Users\User\AppData\Roaming\MEERRVDB
emptytemp:
end
*****************

C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
AppMgmt => Service deleted successfully.

========================= File: C:\Program Files\Visioneer\DM3220\DM3220HV_0001_0.EXE ========================

MD5: DCFE8C0083A7E0C84EE990B77513246C
Creation and modification date: 2014-03-07 14:21 - 2013-05-28 00:08
Size: 0417280
Attributes: ----A
Company Name: Visioneer Inc.
Internal Name: DM3220HV.BIN
Original Name: DM3220HV.BIN
Product Name: Xerox DocuMate 3220 Scanner Driver
Description: Xerox DocuMate 3220 HAL
File Version: 5.1.13.5279
Product Version: 5.1.0.0
Copyright: Copyright ©  2013, Visioneer Inc.

====== End Of File: ======

catchme => Service deleted successfully.
MSICDSetup => Service deleted successfully.
NTIOLib_1_0_C => Service deleted successfully.

=========  type C:\Windows\system32\Drivers\etc\hosts =========

# Copyright © 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handle within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
"C:\Users\User\AppData\Local\Google\Chrome\Default\Local Storage\http_www.superfish.com_0.localstorage" => File/Directory not found.
"C:\Users\User\AppData\Local\Google\Chrome\Default\Local Storage\http_www.superfish.com_0.localstorage-journal" => File/Directory not found.
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage => Moved successfully.
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal => Moved successfully.
C:\ProgramData\TEMP => ":373E1720" ADS removed successfully.

=========  type C:\ComboFix.txt =========

ComboFix 14-09-29.02 - User 09/28/2014  18:38:15.6.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3839.2202 [GMT -4:00]
Running from: c:\users\User\Desktop\threedogs.exe
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2014-08-28 to 2014-09-28  )))))))))))))))))))))))))))))))
.
.
2014-09-28 22:42 . 2014-09-28 22:42    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-09-28 21:54 . 2014-09-28 21:54    --------    d-----w-    c:\program files\CCleaner
2014-09-28 20:52 . 2014-09-28 20:52    319912    ----a-w-    c:\windows\system32\javaws.exe
2014-09-28 20:52 . 2014-09-28 20:52    111016    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2014-09-28 20:52 . 2014-09-28 20:52    189352    ----a-w-    c:\windows\system32\javaw.exe
2014-09-28 20:52 . 2014-09-28 20:52    189352    ----a-w-    c:\windows\system32\java.exe
2014-09-28 20:52 . 2014-09-28 20:52    --------    d-----w-    c:\program files\Java
2014-09-28 20:47 . 2014-09-28 20:47    --------    d-----w-    c:\users\User\AppData\Local\Diagnostics
2014-09-28 18:41 . 2014-09-28 18:41    37624    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-09-28 18:40 . 2014-09-28 18:41    --------    d-----w-    c:\programdata\RogueKiller
2014-09-28 18:12 . 2014-09-09 02:05    11578928    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0017A30E-9B94-46FC-AA28-2E8A1011B852}\mpengine.dll
2014-09-28 18:11 . 2014-09-28 18:11    --------    d-----w-    c:\windows\ERUNT
2014-09-26 12:29 . 2014-09-17 17:20    1188440    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{67566125-6418-4941-A13B-17B28515CB69}\gapaengine.dll
2014-09-26 12:28 . 2014-09-09 02:05    11578928    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-09-25 13:16 . 2014-09-26 12:18    --------    d-----w-    c:\users\User\AppData\Roaming\.oit
2014-09-24 16:56 . 2010-08-30 12:34    536576    ----a-w-    c:\windows\SysWow64\sqlite3.dll
2014-09-24 16:22 . 2014-09-24 16:22    --------    d-----w-    c:\program files (x86)\VS Revo Group
2014-09-24 16:00 . 2013-09-20 14:49    21040    ----a-w-    c:\windows\system32\sdnclean64.exe
2014-09-24 16:00 . 2014-09-24 16:34    --------    d-----w-    c:\programdata\Spybot - Search & Destroy
2014-09-24 16:00 . 2014-09-24 16:04    --------    d-----w-    c:\program files (x86)\Spybot - Search & Destroy 2
2014-09-24 14:54 . 2014-09-24 17:42    --------    d-----w-    c:\users\User\AppData\Roaming\TeamViewer
2014-09-24 14:54 . 2014-09-24 14:54    --------    d-----w-    c:\program files (x86)\TeamViewer
2014-09-23 15:07 . 2014-09-23 15:07    --------    d-----w-    C:\found.000
2014-09-23 15:04 . 2014-09-24 16:59    --------    d-----w-    C:\AdwCleaner
2014-09-22 17:20 . 2014-09-22 17:20    --------    d-----w-    C:\SUPERDelete
2014-09-19 13:29 . 2014-09-28 21:08    122584    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-19 13:28 . 2014-09-28 21:06    92888    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-09-19 13:28 . 2014-05-12 11:26    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-09-19 13:28 . 2014-09-19 13:29    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-09-19 13:28 . 2014-09-19 13:29    --------    d-----w-    c:\users\User\AppData\Roaming\Malwarebytes
2014-09-18 18:31 . 2014-09-18 18:31    --------    d-----w-    c:\windows\Sun
2014-09-18 17:39 . 2014-09-19 12:22    --------    d--h--w-    c:\users\Public\Temp
2014-09-15 14:52 . 2014-09-15 14:52    --------    d-----w-    c:\users\User\AppData\Roaming\OneTouch 4.0
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-22 06:42 . 2010-11-21 03:27    278152    ------w-    c:\windows\system32\MpSigStub.exe
2014-09-17 17:20 . 2014-03-07 14:27    1188440    ------w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2014-09-19 7763736]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2014-09-26 6482200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-05-04 630912]
"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2013-04-19 36168]
"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2013-04-19 18248]
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
"FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2012-02-29 863360]
"FUFAXRCV"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe" [2012-02-29 502912]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2012-01-26 1058400]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-15 806912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
R4 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AODDriver4.1;AODDriver4.1;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
S2 DM3220HV_0001_0;DM3220HV_0001_0;c:\program files\Visioneer\DM3220\DM3220HV_0001_0.EXE;c:\program files\Visioneer\DM3220\DM3220HV_0001_0.EXE [x]
S2 EpsonCustomerParticipation;EpsonCustomerParticipation;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe;c:\program files\EPSON\EpsonCustomerParticipation\EPCP.exe [x]
S2 EpsonScanSvc;Epson Scanner Service;c:\windows\system32\EscSvc64.exe;c:\windows\SYSNATIVE\EscSvc64.exe [x]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys;c:\windows\SYSNATIVE\DRIVERS\amdiox64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-28 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-412470663-2694479649-113588399-1000.job
- c:\users\User\AppData\Local\Citrix\GoToMeeting\1694\g2mupdate.exe [2014-09-16 16:45]
.
2014-09-28 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 02c0979b-466d-452b-9325-1b4a7963bdb2.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-11-07 20:08]
.
2014-09-27 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 92cacbf4-efea-4c38-9260-457c50980981.job
- c:\program files\SUPERAntiSpyware\SASTask.exe [2013-11-07 20:08]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 1266912]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <-loopback>
Trusted Zone: ecastcorp.com\www6
TCP: DhcpNameServer = 10.1.10.1
TCP: Interfaces\{7B44D57C-A043-4E17-8D95-9A6CBDE91089}: NameServer = 81.218.119.15,199.203.35.75
DPF: {04B6290C-97B8-49A1-B0A3-1312254F7C54} - hxxps://portal.carealliance.com/portal/applets/SharedSession.dll
DPF: {A08D2318-19E6-4332-A741-87FBBD3984CD} - hxxps://portal.carealliance.com/portal/applets/mckapprun.cab
DPF: {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} - hxxps://www6.ecastcorp.com/emr/system/DynamicWebTWAIN.cab
DPF: {EB29B81A-7351-4890-8BCE-58127C3545F9} - hxxps://portal.carealliance.com/portal/applets/mckntauth.ocx
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-28  18:44:14
ComboFix-quarantined-files.txt  2014-09-28 22:44
ComboFix2.txt  2014-09-28 21:50
ComboFix3.txt  2014-09-24 15:20
ComboFix4.txt  2014-09-23 13:38
ComboFix5.txt  2014-09-28 22:37
.
Pre-Run: 466,815,004,672 bytes free
Post-Run: 466,392,219,648 bytes free
.
- - End Of File - - 88D70C39DBB08A33EAC6319F65FCD5D8
A36C5E4F47E84449FF07ED3517B43A31

========= End of CMD: =========


========================= Folder: C:\Users\User\AppData\Roaming\.oit ========================

2014-09-25 09:16 - 2014-09-26 08:18 - 0012560 _____ () C:\Users\User\AppData\Roaming\.oit\TAUT4d9GkTu.opt

====== End of Folder: ======


=========  type C:\Users\User\Desktop\Rkill.txt =========

The system cannot find the file specified.

========= End of CMD: =========


========================= Folder: C:\Users\Public\Documents\ShopperPro ========================

2014-09-18 13:39 - 2014-09-18 13:39 - 0000000 ____D () C:\Users\Public\Documents\ShopperPro\JsDriver
2014-08-25 04:32 - 2014-08-25 04:32 - 0001915 _____ () C:\Users\Public\Documents\ShopperPro\JsDriver\Config.xml

====== End of Folder: ======


========================= Folder: C:\Users\User\AppData\Roaming\MEERRVDB ========================

The path is not a directory.
EmptyTemp: => Removed 61 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====

 

Wow, I cannot believe I missed Shopper Pro in the Public folder. Never even thought to check those directories. Halted any further work to see if what you are telling me to do fixes it. Thanks so far!


Edited by kingsrookie, 28 September 2014 - 07:28 PM.


#9 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:33 PM

Posted 28 September 2014 - 07:46 PM

Step 1


Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.

  • Copy the entire content of the codebox below and paste into the notepad document:
    start
    C:\Users\User\AppData\Roaming\MEERRVDB
    C:\Users\User\AppData\Roaming\.oit
    C:\Users\Public\Documents\ShopperPro
    C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage
    C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal
    cmd: ipconfig /flushdns
    end
  • Click File > Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply. Let me know if the problem still persists.


Edited by thisisu, 28 September 2014 - 07:48 PM.


#10 kingsrookie

kingsrookie
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:33 PM

Posted 28 September 2014 - 07:54 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-09-2014 02
Ran by User at 2014-09-28 20:50:46 Run:2
Running from C:\Users\User\Downloads
Loaded Profile: User (Available profiles: User)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
C:\Users\User\AppData\Roaming\MEERRVDB
C:\Users\User\AppData\Roaming\.oit
C:\Users\Public\Documents\ShopperPro
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal
cmd: ipconfig /flushdns
end
*****************

C:\Users\User\AppData\Roaming\MEERRVDB => Moved successfully.
C:\Users\User\AppData\Roaming\.oit => Moved successfully.
"C:\Users\Public\Documents\ShopperPro" => File/Directory not found.
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage => Moved successfully.
C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal => Moved successfully.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


==== End of Fixlog ====

 

Problem still persisting. I am using the same site to test with. Takes a few seconds and then it loads. AppData for Google shows SuperFish Entries are back.



#11 kingsrookie

kingsrookie
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:33 PM

Posted 28 September 2014 - 08:03 PM

Oddly enough, after that last fixlist, it's lessened the ads a bit. It is still coming back, just not in both places the ads used to show. Still there, but maybe we are making headway.

 

As a side note, I checked my Chrome Extensions folder and have 6 total. YouTube, Drive, Wallet, Search, Gmail, and then 1 last one.

 

Doing a bit of research, I wonder if this is the culprit. It does not load in the Extensions Manager window.

bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5023_0

 

It is the only extension that shouldn't be listed, to my knowledge.

 

Edit*

 

Nope, appears to be Voice Search


Edited by kingsrookie, 28 September 2014 - 08:13 PM.


#12 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:33 PM

Posted 28 September 2014 - 08:14 PM


 

Problem still persisting. I am using the same site to test with. Takes a few seconds and then it loads. AppData for Google shows SuperFish Entries are back.

 

Which site, if you don't mind me asking? Just out of curiosity, does the Superfish ad/hyperlink box appear whenever you attempt to access google.com?

 

Open FRST again.

In the Search: text field, type in: Superfish;{74F475FA-6C75-43BD-AAB9-ECDA6184F600}

Then press the Search Registry button.

Post the contents of Search.txt when the search is complete.



#13 kingsrookie

kingsrookie
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:33 PM

Posted 28 September 2014 - 08:18 PM

The site is www.crossfitfrequency.com. I can stay there for a few seconds and move to the schedule page for it to come up. Also happens when viewing ABC.com TV shows. For the purpose of this, I am testing with CrossFit.

 

When on Google, it does not appear to load. Also, with another test computer, I can view both sites safely with no issue. Wanted to rule out if it was the site itself.

 

Edit*

 

Farbar Recovery Scan Tool (x64) Version: 28-09-2014 02

Ran by User at 2014-09-28 21:18:25

Running from C:\Users\User\Downloads

Boot Mode: Normal

 

================== Search Registry: "Superfish;{74F475FA-6C75-43BD-AAB9-ECDA6184F600} Superfish;{74F475FA-6C75-43BD-AAB9-ECDA6184F600}" ===========

 

 

===================== Search result for "Superfish" ==========

 

[HKEY_USERS\S-1-5-21-412470663-2694479649-113588399-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com]

 

 

===================== Search result for "{74F475FA-6C75-43BD-AAB9-ECDA6184F600}" ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}]

 

====== End Of Search ======

 

Edit*

 

FYI, these are the two registry points I've noticed. I've tried deleting the Superfish point but not the extension compatibility.


Edited by kingsrookie, 28 September 2014 - 08:27 PM.


#14 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:02:33 PM

Posted 28 September 2014 - 10:28 PM

Let's remove it just in case.

 

Step 1



Press the Windows key + R on your keyboard at the same time. Type notepad and click OK.

  • Copy the entire content of the codebox below and paste into the notepad document:
    start
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
    DeleteKey: HKEY_USERS\S-1-5-21-412470663-2694479649-113588399-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com
    File: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage
    File: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal
    C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage
    C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig
    reg: reg query HKEY_CURRENT_USER\Software\Google\Chrome /s
    reg: reg query HKEY_LOCAL_MACHINE\Software\Google\Chrome /s
    reg: reg query HKEY_LOCAL_MACHINE\Software\Wow6432Node\Google\Chrome /s
    File: C:\Users\User\AppData\Roaming\LWMA
    C:\Users\User\AppData\Roaming\LWMA
    cmd: type C:\Windows\system32\Drivers\etc\hosts.old
    C:\Windows\system32\Drivers\etc\hosts.old
    hosts:
    C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage
    C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal
    reg: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f
    reg: reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
    reg: reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable
    emptytemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply. Let me know if the problem still persists.

 

------------- Also please run a new scan with FRST and post its latest FRST.txt here -----------


Edited by thisisu, 29 September 2014 - 05:59 AM.
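The three fixlists above keep returning to the same handful of persistence locations (Chrome and IE DOM storage for superfish.com, the IE Extension Compatibility CLSID, the Chrome policy key, the WinINet proxy values, the hosts file and the Chrome extensions folder). As an added example that is not part of the thread, FRST or any tool named in it, here is a read-only PowerShell audit that reports whether any of those indicators are present again after a fix, so a recurrence can be caught without another full scan. It assumes PowerShell 3 or later run elevated on the affected user's account; the CLSID and Chrome paths are the ones from this thread and are placeholders for any other machine.

```powershell
# Added example: read-only audit of the Superfish persistence locations this
# thread identified (Chrome/IE DOM storage, the IE Extension Compatibility
# CLSID, Chrome policy keys, WinINet proxy values, the hosts file and the
# installed Chrome extensions). It reports and changes nothing.
# Assumptions: PowerShell 3 or later, run elevated; the CLSID and Chrome
# paths are the ones from the thread and are placeholders for another host.

$SuperfishClsid = '{74F475FA-6C75-43BD-AAB9-ECDA6184F600}'
$ChromeUserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
$Findings       = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Where, [string]$What) {
    $script:Findings.Add("[$Where] $What")
}

# 1. Chrome DOM storage for superfish.com in every profile. FRST moved these
#    files twice in the thread and they came back, so a fresh copy means the
#    injecting component is still alive, not that the files themselves matter.
if (Test-Path $ChromeUserData) {
    foreach ($profile in (Get-ChildItem -Path $ChromeUserData -Directory)) {
        $ls = Join-Path $profile.FullName 'Local Storage'
        if (-not (Test-Path $ls)) { continue }
        foreach ($f in (Get-ChildItem -Path $ls -Filter '*superfish*' -File)) {
            Add-Finding 'Chrome LocalStorage' $f.FullName
        }
    }
}

# 2. IE DOM storage for superfish.com (the HKEY_USERS hit from the FRST
#    registry search; HKCU is the same hive for the logged-on user).
$ieDom = 'HKCU:\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\superfish.com'
if (Test-Path $ieDom) { Add-Finding 'IE DOMStorage' $ieDom }

# 3. IE Extension Compatibility entry for the Superfish CLSID, in both the
#    32-bit (Wow6432Node) and native views.
foreach ($base in @(
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility')) {
    $k = Join-Path $base $SuperfishClsid
    if (Test-Path $k) { Add-Finding 'IE Extension Compatibility' $k }
}

# 4. Chrome policy keys. FRST flagged HKLM\SOFTWARE\Policies\Google as a policy
#    restriction; on an unmanaged home PC any value under it deserves a look,
#    because policies can force-install extensions or pin settings.
$pol = 'HKLM:\SOFTWARE\Policies\Google'
if (Test-Path $pol) {
    foreach ($key in @(Get-Item $pol) + @(Get-ChildItem -Path $pol -Recurse)) {
        foreach ($name in $key.Property) {
            Add-Finding 'Chrome policy' ('{0} : {1} = {2}' -f $key.Name, $name, $key.GetValue($name))
        }
    }
}

# 5. WinINet proxy values that the thread's last fixlist deletes or queries.
#    A PUP that injects ads through a local proxy leaves ProxyEnable/ProxyServer set.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer) {
    Add-Finding 'WinINet proxy' ('ProxyEnable={0} ProxyServer={1}' -f $inet.ProxyEnable, $inet.ProxyServer)
}
if ($inet.ProxyOverride) { Add-Finding 'WinINet proxy' ('ProxyOverride={0}' -f $inet.ProxyOverride) }

# 6. hosts file: every uncommented mapping. FRST reset the file in the thread,
#    so any live entry afterwards was written by something else.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hosts) {
    foreach ($line in (Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' })) {
        Add-Finding 'hosts' $line.Trim()
    }
}

# 7. Installed Chrome extensions per profile with the name from manifest.json,
#    so an unfamiliar ID (as in post #11) can be matched to a product without
#    loading it in chrome://extensions. Localized names show as __MSG_*__ keys.
if (Test-Path $ChromeUserData) {
    foreach ($profile in (Get-ChildItem -Path $ChromeUserData -Directory)) {
        $ext = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $ext)) { continue }
        foreach ($id in (Get-ChildItem -Path $ext -Directory)) {
            $manifest = Get-ChildItem -Path $id.FullName -Filter 'manifest.json' -Recurse -File |
                        Select-Object -First 1
            $name = '(no manifest)'
            if ($manifest) {
                try { $name = (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } catch { }
            }
            Add-Finding 'Chrome extension' ('{0}: {1} ({2})' -f $profile.Name, $id.Name, $name)
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Superfish indicators found in the audited locations.'
} else {
    $Findings | ForEach-Object { Write-Output $_ }
}
```

Run it once right after a fix and again after the browser has been open for a few minutes; the indicators that reappear between the two runs point at where the reinfecting component is still active.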


#15 kingsrookie

kingsrookie
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:03:33 PM

Posted 29 September 2014 - 08:02 AM

It appeared that the problem was resolved, but rebooting the system brought it back. This forum has been invaluable and you have been a great help! Since I work in this industry, I want to ask: how did you conclude that it was that registry key (the extension compatibility key)? I'd rather learn something from this experience than just take the answer and run.

 

Again, your help has been much appreciated, and because of you I did not have to wipe a computer clean and reload the data. I believe that most problems can be fixed with doing that, yet most in my industry would rather take the easy road out.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-09-2014 02

Ran by User (administrator) on USER-PC on 29-09-2014 08:57:39

Running from C:\Users\User\Downloads

Loaded Profile: User (Available profiles: User)

Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)

Internet Explorer Version 11

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

(Visioneer Inc.) C:\Program Files\Visioneer\DM3220\DM3220HV_0001_0.EXE

(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe

(Visioneer Inc.) C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe

(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe

(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe

(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

(Advanced Micro Devices, Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

(Intuit, Inc.) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe

(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe

(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXSTM.exe

(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\FAX Utility\FUFAXRCV.exe

(SEIKO EPSON CORPORATION) C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe

(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 11.0\Reader\reader_sl.exe

(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe

(Microsoft Corporation) C:\Windows\System32\dllhost.exe

(Microsoft Corporation) C:\Windows\System32\dllhost.exe

 

 

==================== Registry (Whitelisted) ==================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)

HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [630912 2012-05-04] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [12288 2012-04-19] ()

HKLM-x32\...\Run: [PaperPort PTD] => C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [36168 2013-04-19] (Nuance Communications, Inc.)

HKLM-x32\...\Run: [IndexSearch] => C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [18248 2013-04-19] (Nuance Communications, Inc.)

HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)

HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863360 2012-02-29] (SEIKO EPSON CORPORATION)

HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [502912 2012-02-29] (SEIKO EPSON CORPORATION)

HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1058400 2012-01-26] (SEIKO EPSON CORPORATION)

HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)

HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-09-12] (Adobe Systems Incorporated)

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]

HKU\S-1-5-21-412470663-2694479649-113588399-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7763736 2014-09-19] (SUPERAntiSpyware)

HKU\S-1-5-21-412470663-2694479649-113588399-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6482200 2014-09-26] (Piriform Ltd)

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk

ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit, Inc.)

BootExecute: autocheck autochk * sdnclean64.exe

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe

BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)

BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

DPF: HKLM-x32 {04B6290C-97B8-49A1-B0A3-1312254F7C54} https://portal.carealliance.com/portal/applets/SharedSession.dll

DPF: HKLM-x32 {1663ed6a-23eb-11d2-b92f-008048fdd814} https://www6.ecastcorp.com/emr/system/smsx.cab

DPF: HKLM-x32 {A08D2318-19E6-4332-A741-87FBBD3984CD} https://portal.carealliance.com/portal/applets/mckapprun.cab

DPF: HKLM-x32 {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} https://www6.ecastcorp.com/emr/system/DynamicWebTWAIN.cab

DPF: HKLM-x32 {EB29B81A-7351-4890-8BCE-58127C3545F9} https://portal.carealliance.com/portal/applets/mckntauth.ocx

Tcpip\Parameters: [DhcpNameServer] 10.1.10.1

Tcpip\..\Interfaces\{7B44D57C-A043-4E17-8D95-9A6CBDE91089}: [NameServer] 81.218.119.15,199.203.35.75

 

FireFox:

========

FF ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\si5wdbh0.default

FF SelectedSearchEngine: StartWeb

FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @microsoft.com/GENUINE -> disabled No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1209149.dll (Adobe Systems, Inc.)

FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)

FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)

FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\User\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)

FF Extension: {{EXT_NAME}} - C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\si5wdbh0.default\Extensions\jid1-eMhaOaq3SPBFDg@jetpack [2014-09-22]

 

Chrome:

=======

CHR Plugin: (Widevine Content Decryption Module) - C:\Users\User\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.5.671\_platform_specific\win_x86\widevinecdmadapter.dll ()

CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\37.0.2062.124\pdf.dll ()

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)

CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)

CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

CHR Plugin: (Java Deployment Toolkit 7.0.670.1) - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

CHR Plugin: (Java™ Platform SE 7 U67) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)

CHR Plugin: (Citrix Online Web Deployment Plugin 1.0.0.104) - C:\Users\User\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)

CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1209149.dll (Adobe Systems, Inc.)

CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)

CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-09-28]

CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-28]

CHR Extension: (Google Search) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-09-28]

CHR Extension: (Google Wallet) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-28]

CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-09-28]

 

==================== Services (Whitelisted) =================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-09-19] (SUPERAntiSpyware.com)

S4 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-05-04] (Advanced Micro Devices, Inc.) [File not signed]

R2 DM3220HV_0001_0; C:\Program Files\Visioneer\DM3220\DM3220HV_0001_0.EXE [417280 2013-05-28] (Visioneer Inc.)

R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-10-23] (Microsoft Corporation)

R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [348376 2013-10-23] (Microsoft Corporation)

R2 OneTouch 4.0 Monitor; C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe [229376 2013-01-31] (Visioneer Inc.) [File not signed]

R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [77640 2013-04-19] (Nuance Communications, Inc.)

R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)

R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)

R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)

 

==================== Drivers (Whitelisted) ====================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [55936 2011-11-13] (Advanced Micro Devices)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [248240 2013-09-27] (Microsoft Corporation)

R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [134944 2013-09-27] (Microsoft Corporation)

R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)

 

==================== NetSvcs (Whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

 

 

==================== One Month Created Files and Folders ========

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-09-29 08:54 - 2014-09-29 08:54 - 00003288 ____N () C:\bootsqm.dat

2014-09-28 21:38 - 2014-09-28 21:38 - 00013725 _____ () C:\ComboFix.txt

2014-09-28 21:18 - 2014-09-28 21:18 - 00000768 _____ () C:\Users\User\Downloads\Search.txt

2014-09-28 19:41 - 2014-09-28 19:41 - 09690792 _____ () C:\Users\User\Downloads\tweaking.com_windows_repair_aio_setup.exe

2014-09-28 19:41 - 2014-09-28 19:41 - 00002159 _____ () C:\Users\User\Desktop\Tweaking.com - Windows Repair (All in One).lnk

2014-09-28 19:41 - 2014-09-28 19:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com

2014-09-28 19:41 - 2014-09-28 19:41 - 00000000 ____D () C:\Program Files (x86)\Tweaking.com

2014-09-28 19:23 - 2014-09-28 19:23 - 00031248 _____ () C:\Users\User\Downloads\Addition.txt

2014-09-28 19:21 - 2014-09-29 08:57 - 00015142 _____ () C:\Users\User\Downloads\FRST.txt

2014-09-28 19:21 - 2014-09-29 08:57 - 00000000 ____D () C:\FRST

2014-09-28 19:21 - 2014-09-28 19:21 - 02108928 _____ (Farbar) C:\Users\User\Downloads\FRST64.exe

2014-09-28 19:10 - 2014-09-29 08:55 - 00000392 _____ () C:\Windows\setupact.log

2014-09-28 19:10 - 2014-09-28 19:10 - 00000000 _____ () C:\Windows\setuperr.log

2014-09-28 19:09 - 2014-09-29 08:55 - 00011220 _____ () C:\Windows\PFRO.log

2014-09-28 19:08 - 2014-09-28 19:08 - 00991232 _____ () C:\Users\User\Downloads\MicrosoftFixit50267.msi

2014-09-28 18:53 - 2014-09-28 18:53 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk

2014-09-28 18:53 - 2014-09-28 18:53 - 00002019 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk

2014-09-28 18:51 - 2014-09-28 18:51 - 00272808 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe

2014-09-28 18:51 - 2014-09-28 18:51 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe

2014-09-28 18:51 - 2014-09-28 18:51 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe

2014-09-28 18:51 - 2014-09-28 18:51 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll

2014-09-28 18:51 - 2014-09-28 18:51 - 00000000 ____D () C:\Program Files (x86)\Java

2014-09-28 18:50 - 2014-09-29 08:56 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2014-09-28 18:50 - 2014-09-29 08:43 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2014-09-28 18:50 - 2014-09-28 18:50 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2014-09-28 18:50 - 2014-09-28 18:50 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

2014-09-28 18:50 - 2014-09-28 18:50 - 00002218 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

2014-09-28 18:50 - 2014-09-28 18:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome

2014-09-28 17:54 - 2014-09-28 17:54 - 00002770 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC

2014-09-28 17:54 - 2014-09-28 17:54 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk

2014-09-28 17:54 - 2014-09-28 17:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner

2014-09-28 17:54 - 2014-09-28 17:54 - 00000000 ____D () C:\Program Files\CCleaner

2014-09-28 17:53 - 2014-09-28 17:53 - 04965896 _____ (Piriform Ltd) C:\Users\User\Downloads\ccsetup418.exe

2014-09-28 17:05 - 2014-09-28 17:05 - 00000000 ____D () C:\Users\User\Downloads\mbam-chameleon-3.1.4.0

2014-09-28 17:04 - 2014-09-28 17:05 - 04872677 _____ () C:\Users\User\Downloads\mbam-chameleon-3.1.4.0.zip

2014-09-28 16:52 - 2014-09-28 16:52 - 00319912 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe

2014-09-28 16:52 - 2014-09-28 16:52 - 00189352 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe

2014-09-28 16:52 - 2014-09-28 16:52 - 00189352 _____ (Oracle Corporation) C:\Windows\system32\java.exe

2014-09-28 16:52 - 2014-09-28 16:52 - 00111016 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll

2014-09-28 16:52 - 2014-09-28 16:52 - 00000000 ____D () C:\Program Files\Java

2014-09-28 16:51 - 2014-09-28 16:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

2014-09-28 16:23 - 2014-09-28 16:23 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\User\Downloads\rkill (2).exe

2014-09-28 14:41 - 2014-09-28 14:41 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys

2014-09-28 14:40 - 2014-09-28 14:41 - 00000000 ____D () C:\ProgramData\RogueKiller

2014-09-28 14:40 - 2014-09-28 14:40 - 05472344 _____ () C:\Users\User\Downloads\RogueKillerX64.exe

2014-09-28 14:27 - 2014-09-28 14:27 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\User\Downloads\rkill (1).exe

2014-09-28 14:16 - 2014-09-28 14:16 - 01699276 _____ (Thisisu) C:\Users\User\Downloads\JRT (1).exe

2014-09-28 14:11 - 2014-09-28 14:11 - 00000000 ____D () C:\Windows\ERUNT

2014-09-28 14:08 - 2014-09-28 14:08 - 01699276 _____ (Thisisu) C:\Users\User\Downloads\JRT.exe

2014-09-24 12:56 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\SysWOW64\sqlite3.dll

2014-09-24 12:28 - 2014-09-24 12:28 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\User\Downloads\rkill.exe

2014-09-24 12:22 - 2014-09-24 12:22 - 00001264 _____ () C:\Users\User\Desktop\Revo Uninstaller.lnk

2014-09-24 12:22 - 2014-09-24 12:22 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group

2014-09-24 12:21 - 2014-09-24 12:21 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\User\Downloads\revosetup.exe

2014-09-24 12:00 - 2014-09-24 12:34 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy

2014-09-24 12:00 - 2014-09-24 12:04 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2

2014-09-24 12:00 - 2014-09-24 12:00 - 00001391 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk

2014-09-24 12:00 - 2014-09-24 12:00 - 00001379 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk

2014-09-24 12:00 - 2014-09-24 12:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2

2014-09-24 12:00 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe

2014-09-24 11:57 - 2014-09-24 11:58 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\User\Downloads\spybot-2.4.exe

2014-09-24 11:39 - 2014-09-24 11:40 - 00271872 _____ (Secure By Design Inc.) C:\Users\User\Downloads\Ninite Java Installer.exe

2014-09-24 10:54 - 2014-09-24 13:42 - 00000000 ____D () C:\Users\User\AppData\Roaming\TeamViewer

2014-09-24 10:54 - 2014-09-24 10:54 - 00001174 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk

2014-09-24 10:54 - 2014-09-24 10:54 - 00001162 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk

2014-09-24 10:54 - 2014-09-24 10:54 - 00000000 ____D () C:\Program Files (x86)\TeamViewer

2014-09-24 10:53 - 2014-09-24 10:53 - 06588560 _____ (TeamViewer GmbH) C:\Users\User\Downloads\TeamViewer_Setup_en.exe

2014-09-23 11:04 - 2014-09-24 12:59 - 00000000 ____D () C:\AdwCleaner

2014-09-23 11:03 - 2014-09-23 11:04 - 01373475 _____ () C:\Users\User\Downloads\AdwCleaner.exe

2014-09-22 13:23 - 2014-09-22 13:52 - 00000000 ____D () C:\ProgramData\TEMP

2014-09-22 13:20 - 2014-09-22 13:20 - 00000000 ____D () C:\SUPERDelete

2014-09-22 13:04 - 2014-09-22 13:04 - 00895120 _____ (Google Inc.) C:\Users\User\Downloads\ChromeSetup.exe

2014-09-22 09:41 - 2014-09-22 09:41 - 00271872 _____ (Secure By Design Inc.) C:\Users\User\Downloads\Ninite Reader Installer.exe

2014-09-19 09:41 - 2014-09-29 02:00 - 00000508 _____ () C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 92cacbf4-efea-4c38-9260-457c50980981.job

2014-09-19 09:41 - 2014-09-29 01:59 - 00000508 _____ () C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task 02c0979b-466d-452b-9325-1b4a7963bdb2.job

2014-09-19 09:41 - 2014-09-19 09:41 - 00003578 _____ () C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task 92cacbf4-efea-4c38-9260-457c50980981

2014-09-19 09:41 - 2014-09-19 09:41 - 00003504 _____ () C:\Windows\System32\Tasks\SUPERAntiSpyware Scheduled Task 02c0979b-466d-452b-9325-1b4a7963bdb2

2014-09-19 09:29 - 2014-09-28 20:55 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-09-19 09:29 - 2014-09-19 09:29 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-09-19 09:29 - 2014-09-19 09:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-09-19 09:28 - 2014-09-28 17:06 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-09-19 09:28 - 2014-09-19 09:29 - 00000000 ____D () C:\Users\User\AppData\Roaming\Malwarebytes

2014-09-19 09:28 - 2014-09-19 09:29 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware

2014-09-19 09:28 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2014-09-18 14:31 - 2014-09-18 14:31 - 00000000 ____D () C:\Windows\Sun

2014-09-18 14:21 - 2011-06-26 02:45 - 00256000 _____ () C:\Windows\PEV.exe

2014-09-18 14:21 - 2010-11-07 13:20 - 00208896 _____ () C:\Windows\MBR.exe

2014-09-18 14:21 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe

2014-09-18 14:21 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe

2014-09-18 14:21 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe

2014-09-18 14:21 - 2000-08-30 20:00 - 00098816 _____ () C:\Windows\sed.exe

2014-09-18 14:21 - 2000-08-30 20:00 - 00080412 _____ () C:\Windows\grep.exe

2014-09-18 14:21 - 2000-08-30 20:00 - 00068096 _____ () C:\Windows\zip.exe

2014-09-18 14:20 - 2014-09-28 21:38 - 00000000 ____D () C:\Qoobox

2014-09-18 14:20 - 2014-09-23 09:28 - 00000000 ____D () C:\Windows\erdnt

2014-09-18 13:39 - 2014-09-19 08:22 - 00000000 ___HD () C:\Users\Public\Temp

2014-09-18 13:37 - 2014-09-28 20:23 - 00000008 __RSH () C:\ProgramData\ntuser.pol

2014-09-15 10:52 - 2014-09-15 10:52 - 00000000 ____D () C:\Users\User\AppData\Roaming\OneTouch 4.0

 

==================== One Month Modified Files and Folders =======

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-09-29 08:56 - 2014-03-04 22:40 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware

2014-09-29 08:55 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-09-29 08:52 - 2014-03-11 13:55 - 00000000 ____D () C:\Users\User\Documents\Outlook Files

2014-09-29 08:52 - 2014-03-04 20:32 - 01637164 _____ () C:\Windows\WindowsUpdate.log

2014-09-28 21:36 - 2009-07-13 22:34 - 00000215 _____ () C:\Windows\system.ini

2014-09-28 21:04 - 2009-07-14 00:45 - 00022064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-09-28 21:04 - 2009-07-14 00:45 - 00022064 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-09-28 21:02 - 2009-07-14 01:13 - 00798586 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-09-28 20:22 - 2009-07-13 23:20 - 00000000 ___HD () C:\Windows\system32\GroupPolicy

2014-09-28 20:01 - 2014-03-06 11:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON

2014-09-28 19:17 - 2014-03-13 10:24 - 00000000 ____D () C:\Users\User\AppData\Local\Citrix

2014-09-28 18:53 - 2014-03-04 21:50 - 00000000 ____D () C:\ProgramData\Adobe

2014-09-28 18:53 - 2014-03-04 21:50 - 00000000 ____D () C:\Program Files (x86)\Adobe

2014-09-28 18:50 - 2014-03-04 21:48 - 00000000 ____D () C:\Program Files (x86)\Google

2014-09-28 18:24 - 2014-03-06 11:53 - 00000000 ____D () C:\Program Files (x86)\EPSON Software

2014-09-28 17:59 - 2014-03-20 14:53 - 00000000 ____D () C:\Users\User\AppData\Roaming\CoreFTP

2014-09-28 17:59 - 2014-03-05 12:25 - 00000000 ____D () C:\Windows\Panther

2014-09-28 17:40 - 2014-03-04 21:24 - 05582345 ____R (Swearware) C:\Users\User\Desktop\threedogs.exe

2014-09-28 17:03 - 2014-08-14 08:35 - 00000000 ____D () C:\Users\User\AppData\Local\Adobe

2014-09-28 16:53 - 2014-03-04 21:48 - 00000000 ____D () C:\Users\User\AppData\Local\Google

2014-09-28 16:47 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF

2014-09-28 16:45 - 2014-07-01 08:17 - 00000000 ____D () C:\Program Files\Google

2014-09-26 08:18 - 2014-03-11 16:15 - 00000000 ____D () C:\Users\User\Documents\OneTouch Docs

2014-09-25 14:38 - 2014-03-04 21:24 - 00000000 ____D () C:\Users\User\Desktop\Scanned Cards

2014-09-25 14:19 - 2014-03-04 21:24 - 00000000 ____D () C:\Users\User\Desktop\Carolina Prev Med Assoc

2014-09-25 13:34 - 2014-03-04 21:25 - 00000000 ____D () C:\Users\User\Documents\Quickbooks Backups

2014-09-24 13:04 - 2014-03-04 20:48 - 00093008 _____ () C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT

2014-09-24 13:01 - 2009-07-14 00:45 - 00363336 _____ () C:\Windows\system32\FNTCACHE.DAT

2014-09-23 09:28 - 2009-07-13 22:34 - 65257472 _____ () C:\Windows\system32\config\SOFTWARE.bak

2014-09-23 09:28 - 2009-07-13 22:34 - 15466496 _____ () C:\Windows\system32\config\SYSTEM.bak

2014-09-23 09:28 - 2009-07-13 22:34 - 00176128 _____ () C:\Windows\system32\config\DEFAULT.bak

2014-09-23 09:28 - 2009-07-13 22:34 - 00028672 _____ () C:\Windows\system32\config\SECURITY.bak

2014-09-23 09:28 - 2009-07-13 22:34 - 00028672 _____ () C:\Windows\system32\config\SAM.bak

2014-09-22 12:38 - 2009-07-14 01:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD

2014-09-22 02:42 - 2010-11-20 23:27 - 00278152 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

2014-09-19 09:41 - 2014-03-04 22:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware

2014-09-19 09:28 - 2014-03-04 22:39 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-09-19 09:28 - 2014-03-04 22:39 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware

2014-09-18 15:03 - 2009-07-13 22:34 - 00000580 _____ () C:\Windows\win.ini

2014-09-18 14:32 - 2014-03-04 20:45 - 00811332 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI

2014-09-18 14:31 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default

2014-09-18 13:47 - 2014-03-13 10:39 - 00001413 _____ () C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

2014-09-18 13:37 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\SysWOW64\GroupPolicy

2014-09-18 09:06 - 2014-03-04 21:24 - 00000000 ____D () C:\Users\User\Documents\CPMA Forms and Instructions

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2014-09-26 13:10

 

==================== End Of Log ============================

 

 

This is the latest FRST.txt listed above.


Edited by kingsrookie, 29 September 2014 - 08:05 AM.
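Added here as a worked example for the question in post #15 and for the `reg:` lines of the fixlist above; it is not part of the thread, not the FRST fix, and not Google's or the helper's code. The mechanism behind "it comes back a few seconds after Chrome opens" is Chrome's registry-based external extension install: at startup Chrome reads every subkey under HKLM\SOFTWARE\Google\Chrome\Extensions (Wow6432Node on 64-bit Windows) and HKCU\SOFTWARE\Google\Chrome\Extensions and installs the extension ID named by the subkey, fetching it from the `update_url` value or loading the CRX given by `path` and `version`. Deleting the profile's Local Storage files or the extension folder therefore does nothing to the cause; the registry entry is what has to go, which is why the fixlist dumps those keys with `reg query`. The script below lists those keys beside the other items the fixlist touches (installed extension IDs, the superfish Local Storage files, WinINet proxy values, active hosts entries) and adds a per-interface DNS listing, since the FRST log above records a static NameServer of 81.218.119.15,199.203.35.75 on one interface while DHCP supplied 10.1.10.1, something worth confirming is intended. It assumes Windows 7 SP1 or later with PowerShell 2.0 or newer, an elevated prompt, and the default profile path shown in the log; the `Show-Section` helper and the section order are this example's own, not anything from FRST or Chrome.

```powershell
# Added example (not FRST's code, not the helper's fix): enumerate the
# persistence points the fixlist queries, plus the registry-based extension
# installs that make Chrome put an extension back at startup.
# Assumptions: Windows 7 SP1+, PowerShell 2.0+, elevated prompt, default
# Chrome profile path as seen in the FRST log above.

$chromeProfile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'

function Show-Section($title) { ''; "=== $title ===" }   # hypothetical helper

# 1. External-extension registration. Each subkey name is an extension ID;
#    Chrome installs it at startup from update_url (remote CRX) or path (local CRX).
Show-Section 'Chrome extension registry keys'
$extRoots = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)
foreach ($root in $extRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in Get-ChildItem $root) {
        $v = Get-ItemProperty $sub.PSPath
        New-Object PSObject -Property @{
            Key       = $sub.Name
            UpdateUrl = $v.update_url
            Path      = $v.path
            Version   = $v.version
        }
    }
}

# 2. Policy-forced installs: a separate mechanism with the same effect.
#    The FRST log above does not show one, but it belongs in the same sweep.
Show-Section 'Chrome ExtensionInstallForcelist policy'
foreach ($pol in 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
                 'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist') {
    if (Test-Path $pol) { Get-ItemProperty $pol | Format-List }
}

# 3. What is actually installed in the profile, to compare against the
#    "CHR Extension:" lines of FRST.txt. Folder name = extension ID.
Show-Section 'Installed extension IDs and versions'
$extDir = Join-Path $chromeProfile 'Extensions'
if (Test-Path $extDir) {
    foreach ($id in Get-ChildItem $extDir) {
        $versions = (Get-ChildItem $id.FullName | ForEach-Object { $_.Name }) -join ', '
        "{0}  {1}" -f $id.Name, $versions
    }
}

# 4. The Local Storage files MBAM kept flagging. They are per-origin data
#    written by a page or extension: a symptom, not the persistence itself.
Show-Section 'Local Storage files mentioning superfish'
Get-ChildItem (Join-Path $chromeProfile 'Local Storage') -Filter '*superfish*' -ErrorAction SilentlyContinue |
    ForEach-Object { "{0}  {1} bytes  {2}" -f $_.Name, $_.Length, $_.LastWriteTime }

# 5. WinINet proxy values: the same ones the fixlist queries and deletes.
Show-Section 'WinINet proxy settings (HKCU)'
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty $inet | Select-Object ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL | Format-List

# 6. hosts file, non-comment lines only.
Show-Section 'Active hosts entries'
Get-Content (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts') | Where-Object { $_ -match '^\s*[^#\s]' }

# 7. Per-interface DNS. A static NameServer that differs from DhcpNameServer
#    deserves an explanation; the FRST log above shows exactly that.
Show-Section 'Interfaces with a static NameServer'
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($iface in Get-ChildItem $ifRoot) {
    $v = Get-ItemProperty $iface.PSPath
    if ($v.NameServer) {
        "{0}  NameServer={1}  DhcpNameServer={2}" -f $iface.PSChildName, $v.NameServer, $v.DhcpNameServer
    }
}
```

Run it before and after a fix and diff the two outputs: section 1 is the one that should change when the cause is the registry registration, while section 4 only tells you the extension has run again. The registry keys are also the part an FRST `reg query` line reports, so the output lines up with what the helper asked for.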




