
dllhost.exe COM Surrogate TrojanClick...


This topic is locked
32 replies to this topic

#1 adam67

adam67

  • Members
  • 56 posts

Posted 07 November 2014 - 06:50 PM

I run Microsoft Security Essentials; it says something was found and that I can review it when the scan is done. The scan ends and nothing indicates a problem or lists a problem in the History tab.

In Windows Task Manager there are about 10 "dllhost.exe COM Surrogate" processes running that I can't close.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.17116  BrowserJavaVersion: 10.67.2
Run by Adam at 15:37:51 on 2014-11-07
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3548.1548 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Windows\system32\atashost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\explorer.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://search.yahoo.com/?type=282369&fr=spigot-yhp-ie
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Speckie: {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - c:\users\adam\appdata\roaming\speckie\bin32\Speckie32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [HP Officejet Pro 8600 (NET)] "c:\program files\hp\hp officejet pro 8600\bin\ScanToPCActivationApp.exe" -deviceID "CN281BWH8705KD:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ScrewDrivers RDP Plugin] c:\program files\tricerat\simplify printing\screwdrivers client v4\install_rdp.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PIconStartup.exe" -startup
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EncMove] c:\program files\encompassinsurance\encompass optimization install\EncompassMove.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [mobilegeni daemon] c:\program files\mobogenie\DaemonProcess.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {E6846530-6088-4AA3-932F-C6245CE59A4C} - {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} - c:\users\adam\appdata\roaming\speckie\bin32\Speckie32.dll
Trusted Zone: billerweb.com
Trusted Zone: farmersinsurance.com
Trusted Zone: foremostproducers.com
Trusted Zone: foremoststar.com
Trusted Zone: msbexpress.net
Trusted Zone: travelers.com
Trusted Zone: travelers.com
Trusted Zone: travelerspc.com
Trusted Zone: travelerspc.com
DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - hxxp://updates.mercuryinsurance.com/PP14.1.7_HO14.0.16_CO3.2.16/setup.exe
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://appliedsystems.webex.com/client/T29L/support/ieatgpc1.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://64.79.115.206:166/JpegInst.cab
TCP: NameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{750EF64B-E1D2-436F-9E36-70B71949EA01} : DHCPNameServer = 75.75.75.75 75.75.76.76
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\917\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
LSA: Authentication Packages =  msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-7-17 231800]
R1 MpKsleaf377f8;MpKsleaf377f8;c:\programdata\microsoft\microsoft antimalware\definition updates\{4a2435e5-495f-4697-824e-fdcb6d28655a}\MpKsleaf377f8.sys [2014-11-7 39464]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2014-1-6 117544]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2012-6-27 13336]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2012-5-11 375144]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2012-4-2 13624]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2012-6-28 47640]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 95920]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2012-6-27 2071064]
R3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2013-3-4 23608]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2009-11-6 214696]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-8-22 288120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 GSService;GSService;c:\windows\system32\GSService.exe [2013-3-4 403832]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-2-26 14848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-3-20 49152]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-6-27 1343400]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2013-3-1 25704]
S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2013-3-1 25704]
S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2013-3-1 25704]
S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2013-3-1 25704]
S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2013-3-1 25704]
S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
.
=============== Created Last 30 ================
.
2014-11-07 23:34:30 62576 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4a2435e5-495f-4697-824e-fdcb6d28655a}\offreg.dll
2014-11-07 23:31:11 39464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4a2435e5-495f-4697-824e-fdcb6d28655a}\MpKsleaf377f8.sys
2014-11-07 23:29:09 908840 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{e0fc8d8b-bb4c-4b3c-a260-983e12644f08}\gapaengine.dll
2014-11-07 23:28:35 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4a2435e5-495f-4697-824e-fdcb6d28655a}\mpengine.dll
2014-11-06 22:36:02 8901368 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-11-05 21:31:39 0 ----a-w- c:\windows\system32\qyeagf.dll
2014-11-05 21:31:33 41472 ----a-w- c:\windows\system32\fqrcznz.dll
2014-11-04 22:36:57 908840 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{81172bfd-7231-4d21-9516-6cdd6634717e}\gapaengine.dll
2014-11-04 19:50:46 -------- d-----w- c:\programdata\Microsoft Toolkit
2014-10-31 15:18:21 -------- d-----w- c:\program files\VideoLAN
2014-10-28 14:52:04 -------- d-----w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-10-16 04:09:16 2379264 ----a-w- c:\windows\system32\win32k.sys
2014-10-16 04:09:12 372736 ----a-w- c:\windows\system32\rastls.dll
2014-10-16 04:09:11 81560 ----a-w- c:\windows\system32\mscories.dll
2014-10-16 04:09:11 156824 ----a-w- c:\windows\system32\mscorier.dll
2014-10-16 04:09:11 1131664 ----a-w- c:\windows\system32\dfshim.dll
2014-10-16 04:09:02 2744320 ----a-w- c:\windows\system32\rdpcorets.dll
.
==================== Find3M  ====================
.
2014-10-30 11:24:45 229000 ------w- c:\windows\system32\MpSigStub.exe
2014-10-22 15:20:03 86912 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2014-10-22 15:20:02 53096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2014-10-22 15:20:01 85864 ----a-w- c:\windows\system32\LMIinit.dll
2014-10-22 15:20:01 31592 ----a-w- c:\windows\system32\LMIport.dll
2014-10-06 15:20:47 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-06 15:20:47 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-09-25 01:40:50 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-20 03:57:57 1762816 ----a-w- c:\windows\system32\wininet.dll
2014-09-20 03:57:04 2861568 ----a-w- c:\windows\system32\jscript9.dll
2014-09-20 03:57:01 61440 ----a-w- c:\windows\system32\iesetup.dll
2014-09-20 03:57:01 109056 ----a-w- c:\windows\system32\iesysprep.dll
2014-09-20 03:56:33 1440768 ----a-w- c:\windows\system32\inetcpl.cpl
2014-09-20 03:33:44 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2014-09-20 02:35:33 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-09-18 01:32:52 2363904 ----a-w- c:\windows\system32\msi.dll
2014-09-13 01:40:05 67072 ----a-w- c:\windows\system32\packager.dll
2014-09-09 21:47:10 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-05 01:52:41 5703168 ----a-w- c:\windows\system32\mstscax.dll
2014-08-23 01:46:55 305152 ----a-w- c:\windows\system32\gdi32.dll
.
============= FINISH: 15:38:42.76 ===============
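The DDS log above lists ten C:\Windows\System32\dllhost.exe processes, which matches the Task Manager symptom in the post. As an added triage check (example code, not part of adam67's post, the DDS log, or any tool used in this thread), the following PowerShell lists each running dllhost.exe with the things a responder looks at first: the parent process, the image path, and the command line. A COM Surrogate that Windows itself starts normally carries a `/Processid:{CLSID}` argument naming the COM class it hosts and runs from System32, so the script flags instances that lack that argument or run from elsewhere. It assumes PowerShell 3.0 or later (available for Windows 7 through the Windows Management Framework) and an elevated prompt so that command lines of system-owned processes are readable; the output field names are my own.

```powershell
# Added triage helper (not from the thread): enumerate running dllhost.exe instances
# and show parent process, image path and command line for each.
# Assumptions: PowerShell 3.0+ and an elevated prompt (otherwise CommandLine and
# ExecutablePath of processes owned by SYSTEM may come back empty).

$system32 = Join-Path $env:SystemRoot 'System32'

# All processes named dllhost.exe, regardless of owner.
$dllhosts = @(Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'")

$report = foreach ($p in $dllhosts) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # A COM Surrogate launched by the COM infrastructure carries /Processid:{CLSID}
    # on its command line; an instance with no such argument deserves a closer look.
    $hasClsid = [bool]($p.CommandLine -match '/Processid:\{[0-9A-Fa-f-]+\}')

    # The genuine binary lives in System32; any other location is a red flag.
    $inSystem32 = [bool]($p.ExecutablePath -and ($p.ExecutablePath -like "$system32\*"))

    [PSCustomObject]@{
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '<parent exited>' }
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Flagged     = (-not $hasClsid) -or (-not $inSystem32)
    }
}

# Flagged instances first, so they are at the top of the listing.
$report | Sort-Object Flagged -Descending | Format-Table PID, ParentPID, Parent, Flagged, Path, CommandLine -AutoSize -Wrap

$flagged = @($report | Where-Object { $_.Flagged })
"{0} dllhost.exe instance(s) running, {1} flagged for review" -f @($report).Count, $flagged.Count
```

The script only reads process information; it does not terminate anything. A flagged row is a lead, not a verdict: note the parent process and command line of each flagged instance and hand that, together with the requested logs, to the helper working the thread.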
 



#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 08 November 2014 - 05:00 PM

Hello and welcome. Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.



#3 adam67

adam67
  • Topic Starter

  • Members
  • 56 posts

Posted 08 November 2014 - 07:27 PM


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08-11-2014 01
Ran by Adam (administrator) on ADAM-PC on 08-11-2014 16:23:36
Running from C:\Users\Adam\Desktop
Loaded Profile: Adam (Available profiles: Adam & Ricoh)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
(Cisco WebEx LLC) C:\Windows\System32\atashost.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\ramaint.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeIn.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Dell Computer Corporation) C:\dell\DBRM\Reminder\DbrmTrayicon.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
(Broadcom Corporation) C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(LogMeIn, Inc.) C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPoint\SetPoint.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
(Logitech, Inc.) C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files\Intel\AMT\lms.exe
(Intel Corporation) C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [DBRMTray] => C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\Run: [WavXMgr] => C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe [147840 2010-07-21] (Wave Systems Corp.)
HKLM\...\Run: [USCService] => C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe [34232 2010-06-22] (Broadcom Corporation)
HKLM\...\Run: [SoundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-06-22] (Analog Devices, Inc.)
HKLM\...\Run: [ScrewDrivers RDP Plugin] => C:\Program Files\triCerat\Simplify Printing\ScrewDrivers Client v4\install_rdp.exe [46448 2013-01-09] ()
HKLM\...\Run: [picon] => C:\Program Files\Common Files\Intel\Privacy Icon\PIconStartup.exe [104960 2010-05-21] ()
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [63048 2012-04-02] (LogMeIn, Inc.)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] => C:\Windows\KHALMNPR.EXE [55824 2009-06-17] (Logitech, Inc.)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-03] (Intel Corporation)
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [EncMove] => C:\Program Files\EncompassInsurance\Encompass Optimization Install\EncompassMove.exe [36864 2009-09-03] (Microsoft)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [932288 2010-10-25] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2010-10-25] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM\...\RunOnce: [DBRMTray] => C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\917\G2AWinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-2661758368-1490956049-3939381498-1000\...\Run: [HP Officejet Pro 8600 (NET)] => C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe [1804648 2011-09-09] (Hewlett-Packard Co.)
HKU\S-1-5-21-2661758368-1490956049-3939381498-1000\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe [1216416 2010-10-25] (Adobe Systems Incorporated)
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
ShortcutTarget: Logitech SetPoint.lnk -> C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TdmNotify.lnk
ShortcutTarget: TdmNotify.lnk -> C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe (Wave Systems Corp.)
ShellIconOverlayIdentifiers: [EnabledUnlockedFDEIconOverlay] -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
ShellIconOverlayIdentifiers: [UninitializedFdeIconOverlay] -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2661758368-1490956049-3939381498-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKCU - DefaultScope {5F63710C-8177-464E-AA0C-86AFAA27C711} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKCU - {5F63710C-8177-464E-AA0C-86AFAA27C711} URL = http://search.yahoo.com/search?p={searchTerms}&b={startPage?}&fr=ie8
SearchScopes: HKCU - {BA965BDF-E6C4-4900-9DD7-75244B84D1F2} URL = https://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=282369&p={searchTerms}
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Speckie -> {8CE7F568-67FA-4432-BA39-F5AFD68E7B8B} -> C:\Users\Adam\AppData\Roaming\Speckie\bin32\Speckie32.dll (Versoworks Pty Ltd)
BHO: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} http://updates.mercuryinsurance.com/PP14.1.7_HO14.0.16_CO3.2.16/setup.exe
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://appliedsystems.webex.com/client/T29L/support/ieatgpc1.cab
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} http://64.79.115.206:166/JpegInst.cab
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [231424] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-06-29]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [pacgpkgadgmibnhpdidcnfafllnmeomc] - C:\Users\Adam\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx []
CHR HKCU\...\Chrome\Extension: [pacgpkgadgmibnhpdidcnfafllnmeomc] - C:\Users\Adam\AppData\Local\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx []

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 atashost; C:\Windows\system32\atashost.exe [117544 2014-01-06] (Cisco WebEx LLC)
S3 GSService; C:\Windows\system32\GSService.exe [403832 2012-12-30] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
S4 RemoteAccess; C:\Windows\System32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [1032192 2010-02-03] (Wave Systems Corp.) [File not signed]
S4 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1273856 2008-11-12] () [File not signed]
R2 TdmService; C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [1164648 2010-03-29] (Wave Systems Corp.)
R2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2071064 2010-05-21] (Intel Corporation)
S2 WinDefend; %ProgramFiles%\Windows Defender\mpsvc.dll [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 DrmRAudio; C:\Windows\System32\drivers\DrmRAudio.sys [23608 2012-12-30] (Windows ® Win 7 DDK provider)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
R1 MpKslf73a1be7; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4A2435E5-495F-4697-824E-FDCB6D28655A}\MpKslf73a1be7.sys [39464 2014-11-07] (Microsoft Corporation)
S3 NAL; C:\Windows\system32\Drivers\iqvw32.sys [30880 2010-02-02] (Intel Corporation )
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [45056 2012-12-13] (Apple, Inc.) [File not signed]
R2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [229888 2010-01-19] (Wave Systems Corp.) [File not signed]
S3 WsAudio_DeviceS(1); C:\Windows\System32\drivers\WsAudio_DeviceS(1).sys [25704 2010-09-14] (Wondershare)
S3 WsAudio_DeviceS(2); C:\Windows\System32\drivers\WsAudio_DeviceS(2).sys [25704 2010-09-14] (Wondershare)
S3 WsAudio_DeviceS(3); C:\Windows\System32\drivers\WsAudio_DeviceS(3).sys [25704 2010-09-14] (Wondershare)
S3 WsAudio_DeviceS(4); C:\Windows\System32\drivers\WsAudio_DeviceS(4).sys [25704 2010-09-14] (Wondershare)
S3 WsAudio_DeviceS(5); C:\Windows\System32\drivers\WsAudio_DeviceS(5).sys [25704 2010-09-14] (Wondershare)
S3 catchme; \??\C:\Users\Adam\AppData\Local\Temp\catchme.sys [X]
S4 LMIRfsClientNP; No ImagePath

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-08 16:23 - 2014-11-08 16:24 - 00015312 _____ () C:\Users\Adam\Desktop\FRST.txt
2014-11-08 16:23 - 2014-11-08 16:23 - 00000000 ____D () C:\Users\Adam\Desktop\FRST-OlderVersion
2014-11-07 15:51 - 2014-11-07 15:53 - 00000000 ____D () C:\AdwCleaner
2014-11-07 15:46 - 2014-11-08 16:23 - 01107968 _____ (Farbar) C:\Users\Adam\Desktop\FRST.exe
2014-11-07 15:27 - 2014-11-07 15:27 - 01706939 _____ (Thisisu) C:\Users\Adam\Desktop\JRT.exe
2014-11-07 15:26 - 2014-11-07 15:26 - 01944824 _____ (Bleeping Computer, LLC) C:\Users\Adam\Desktop\rkill.exe
2014-11-07 15:25 - 2014-11-07 15:25 - 04184008 _____ (Kaspersky Lab ZAO) C:\Users\Adam\Desktop\tdsskiller.exe
2014-11-07 15:24 - 2014-11-07 15:25 - 01375089 _____ () C:\Users\Adam\Desktop\AdwCleaner.exe
2014-11-07 15:24 - 2014-11-07 15:24 - 00688992 ____R (Swearware) C:\Users\Adam\Desktop\dds.com
2014-11-05 13:32 - 2014-11-05 13:32 - 00000028 _____ () C:\Windows\system32\u
2014-11-05 13:31 - 2014-11-05 13:31 - 00041472 _____ () C:\Windows\system32\fqrcznz.dll
2014-11-05 13:31 - 2014-11-05 13:31 - 00000000 _____ () C:\Windows\system32\qyeagf.dll
2014-11-04 11:50 - 2014-11-04 11:50 - 00000000 ____D () C:\ProgramData\Microsoft Toolkit
2014-11-03 08:03 - 2014-11-03 08:18 - 00932964 _____ () C:\Users\Adam\Desktop\californiainternationalsoccerleague6brpg55719cp397.zip
2014-10-31 07:18 - 2014-11-07 14:21 - 00000000 ____D () C:\Program Files\VideoLAN
2014-10-28 06:52 - 2014-11-04 14:20 - 00000000 ____D () C:\ProgramData\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-10-15 20:09 - 2014-09-28 16:41 - 02379264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-15 20:09 - 2014-09-03 21:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2014-10-15 20:09 - 2014-08-28 17:44 - 02744320 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-10-15 20:09 - 2014-06-18 14:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-10-15 20:09 - 2014-06-18 14:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-10-15 20:09 - 2014-06-18 14:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-10-15 20:08 - 2014-09-19 19:58 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-10-15 20:08 - 2014-09-19 19:57 - 14368768 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 13757952 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 02861568 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 02055168 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 01762816 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 01180672 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 00493056 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 00391168 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 00226816 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 00163840 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 00109056 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 00080384 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-10-15 20:08 - 2014-09-19 19:57 - 00033280 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-10-15 20:08 - 2014-09-19 19:56 - 01440768 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-10-15 20:08 - 2014-09-19 19:56 - 00357888 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-10-15 20:08 - 2014-09-19 19:56 - 00226816 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-10-15 20:08 - 2014-09-19 19:33 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-10-15 20:08 - 2014-09-19 18:35 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-10-15 20:08 - 2014-09-17 17:32 - 02363904 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-10-15 20:08 - 2014-09-12 17:40 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-10-15 20:08 - 2014-09-04 17:52 - 05703168 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-10-15 20:08 - 2014-07-16 17:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2014-10-15 20:08 - 2014-07-16 17:39 - 00523264 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-10-15 20:08 - 2014-07-16 17:39 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-10-15 20:08 - 2014-07-16 17:39 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2014-10-15 20:08 - 2014-07-16 17:39 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-10-15 20:08 - 2014-07-16 17:39 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-10-15 20:08 - 2014-07-16 17:03 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2014-10-15 20:08 - 2014-07-16 17:02 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2014-10-15 20:08 - 2014-07-08 17:29 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDYAK.DLL
2014-10-15 20:08 - 2014-07-08 17:29 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDTAT.DLL
2014-10-15 20:08 - 2014-07-08 17:29 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU1.DLL
2014-10-15 20:08 - 2014-07-08 17:29 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDBASH.DLL
2014-10-15 20:08 - 2014-07-08 17:29 - 00005632 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU.DLL
2014-10-15 20:08 - 2014-07-08 14:30 - 00419992 _____ () C:\Windows\system32\locale.nls

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-08 16:23 - 2013-10-29 08:21 - 00000000 ____D () C:\FRST
2014-11-08 16:21 - 2009-07-13 20:55 - 01688605 _____ () C:\Windows\WindowsUpdate.log
2014-11-08 16:19 - 2014-10-06 07:20 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-08 00:01 - 2012-06-28 06:37 - 00000000 ____D () C:\ProgramData\LogMeIn
2014-11-07 16:03 - 2009-07-13 20:34 - 00014256 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-07 16:03 - 2009-07-13 20:34 - 00014256 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-07 16:00 - 2012-06-27 07:52 - 00785604 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-07 15:56 - 2014-01-23 16:09 - 00000976 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2014-11-07 15:56 - 2014-01-23 16:09 - 00000960 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2014-11-07 15:56 - 2012-06-27 07:59 - 00000000 _____ () C:\Users\Adam\AppData\Local\WavXMapDrive.bat
2014-11-07 15:55 - 2013-06-05 09:55 - 00015427 _____ () C:\Windows\setupact.log
2014-11-07 15:55 - 2012-06-27 09:28 - 00107144 _____ () C:\Windows\PFRO.log
2014-11-07 15:55 - 2009-07-13 20:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-07 15:53 - 2012-06-27 07:58 - 00000000 ____D () C:\Users\Adam
2014-11-07 13:20 - 2014-02-06 08:26 - 00000000 ____D () C:\Program Files\Trillian
2014-11-07 11:31 - 2012-06-28 08:35 - 00000000 ____D () C:\images
2014-11-07 11:09 - 2012-06-28 10:28 - 00000000 ____D () C:\Users\Adam\AppData\Roaming\uTorrent
2014-11-07 07:17 - 2012-07-20 12:12 - 00000000 ____D () C:\Users\Adam\AppData\Local\Deployment
2014-11-06 08:26 - 2014-01-07 13:36 - 00000000 ____D () C:\Program Files\PeerBlock
2014-11-05 16:17 - 2012-06-28 11:31 - 00002356 ____H () C:\Users\Adam\Documents\Default.rdp
2014-11-04 16:15 - 2013-02-04 10:01 - 00000000 ____D () C:\Program Files\Google
2014-11-04 15:21 - 2012-06-27 07:45 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-11-04 15:14 - 2013-12-31 08:35 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-11-04 15:14 - 2013-12-31 08:35 - 00000000 ____D () C:\Program Files\iTunes
2014-11-04 15:14 - 2013-12-31 08:35 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-11-04 15:13 - 2013-12-31 08:35 - 00000000 ____D () C:\Program Files\iPod
2014-11-04 14:38 - 2012-06-28 11:02 - 00000000 ____D () C:\Program Files\Quicksilver
2014-11-04 14:20 - 2013-10-25 07:11 - 00000000 ____D () C:\ProgramData\Apple Computer
2014-11-04 14:20 - 2013-01-03 15:57 - 00000000 ____D () C:\Users\Ricoh
2014-11-04 14:20 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\system32\wfp
2014-11-04 14:20 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\AppCompat
2014-11-04 14:19 - 2009-07-13 23:49 - 00000000 ___RD () C:\Users\Public\Recorded TV
2014-11-04 14:19 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\registration
2014-11-04 14:18 - 2013-10-25 07:10 - 00000000 ____D () C:\ProgramData\Apple
2014-11-04 14:15 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\system32\LogFiles
2014-11-04 13:26 - 2014-02-03 09:06 - 00031280 _____ () C:\Users\Adam\AppData\Roaming\MultiScreen_log.log
2014-11-04 07:35 - 2012-06-28 06:16 - 00000000 ____D () C:\Users\Adam\Desktop\Contact list
2014-10-30 12:23 - 2014-09-25 08:19 - 00010160 _____ () C:\Users\Adam\Desktop\Sharks Tickets.xlsx
2014-10-30 03:24 - 2012-06-27 08:21 - 00229000 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-22 07:20 - 2012-06-28 06:37 - 00086912 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIRfsClientNP.dll
2014-10-22 07:20 - 2012-06-28 06:37 - 00085864 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIinit.dll
2014-10-22 07:20 - 2012-06-28 06:37 - 00031592 _____ (LogMeIn, Inc.) C:\Windows\system32\LMIport.dll
2014-10-22 07:20 - 2012-06-28 06:37 - 00000000 ____D () C:\Program Files\LogMeIn
2014-10-16 02:36 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-10-16 02:25 - 2009-07-13 20:33 - 00409464 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-16 02:07 - 2013-08-14 07:54 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-16 02:02 - 2012-06-27 09:13 - 100290944 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
ZeroAccess:
C:\Users\Adam\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

Some content of TEMP:
====================
C:\Users\Adam\AppData\Local\temp\DownloadManager.exe
C:\Users\Adam\AppData\Local\temp\dwk.dll
C:\Users\Adam\AppData\Local\temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Adam\AppData\Local\temp\lag.dll
C:\Users\Adam\AppData\Local\temp\Quarantine.exe
C:\Users\Adam\AppData\Local\temp\Run-Setup.exe
C:\Users\Adam\AppData\Local\temp\SearchProtectionSetup.exe
C:\Users\Adam\AppData\Local\temp\utt54D2.tmp.exe
C:\Users\Adam\AppData\Local\temp\wcn.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-11-05 00:35

==================== End Of Log ============================


Addition

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 08-11-2014 01
Ran by Adam at 2014-11-08 16:25:07
Running from C:\Users\Adam\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKCU\...\uTorrent) (Version: 3.4.2.32239 - BitTorrent Inc.)
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.0.0 - Adobe Systems)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
AppliedOnline Install (HKLM\...\AppliedOnline Install_is1) (Version: - Applied Systems, Inc.)
AppliedOnline Upload Center Launcher - 32 bit (HKLM\...\{AD7802A1-E925-4F56-9C2E-35FECC53AE5D}) (Version: 1.0.2 - Applied Systems, Inc.)
BioAPI Framework (Version: 1.0.1 - Dell Inc.) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
CDDRV_Installer (Version: 4.60 - Logitech) Hidden
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
Dell Backup and Recovery Manager (HKLM\...\{B7FB9195-E9FC-4316-930E-D799D5D712F7}) (Version: 1.3.1 - Dell Inc.)
Dell Control Point (Version: 1.6.468.86 - Broadcom Corporation) Hidden
Dell ControlPoint Security Manager (HKLM\...\{F4487649-7368-4217-AEA3-1E04DB3E2C5C}) (Version: 1.6.468.86 - Dell Inc.)
Dell Edoc Viewer (HKLM\...\{3138EAD3-700B-4A10-B617-B3F8096EE30D}) (Version: 1.0.0 - Dell Inc)
Dell Embassy Trust Suite by Wave Systems (Version: 03.05.04.002 - Wave Systems Corp) Hidden
Dell Security Device Driver Pack (HKLM\...\{FF1DDCF4-3A28-4F7F-96D8-E3F4BD1C1702}) (Version: 1.4.055 - Dell Inc.)
DivX Setup (HKLM\...\DivX Setup) (Version: 2.6.1.28 - DivX, LLC)
Document Manager Lite (Version: 06.09.00.159 - Wave Systems Corp.) Hidden
DrmRemoval 4.4.0 (HKLM\...\DrmRemoval_is1) (Version: 4.4.0 - cyan soft ltd)
EMBASSY Security Center (Version: 04.00.00.101 - Wave Systems Corp) Hidden
EMBASSY Security Setup (Version: 04.00.00.090 - Wave Systems Corp) Hidden
Encompass Insurance - 1 (HKCU\...\f2e99d9a857b362b) (Version: 3.0.4.27 - Encompass Insurance)
Encompass Optimization Install (HKLM\...\{1448F57C-23C6-4E84-9A5C-DAE7CE09A740}) (Version: 2.0.0 - EncompassInsurance)
erLT (Version: 1.20.0137 - Logitech, Inc.) Hidden
ESC Home Page Plugin (Version: 04.00.00.018 - Wave Systems Corp) Hidden
Gemalto (Version: 01.01.00.0000 - Wave Systems Corp) Hidden
GoToAssist Corporate (HKLM\...\GoToAssist) (Version: 10.4.0.917 - Citrix Online, a division of Citrix Systems, Inc.)
GoToMeeting 5.9.0.1216 (HKCU\...\GoToMeeting) (Version: 5.9.0.1216 - CitrixOnline)
HP FWUpdateEDO2 (HKLM\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Officejet Pro 8600 Basic Device Software (HKLM\...\{9C55C629-6C4F-48A9-8840-C897DF6187ED}) (Version: 25.0.619.0 - Hewlett-Packard Co.)
HP Officejet Pro 8600 Help (HKLM\...\{B6F5C6D8-C443-4B55-932F-AE11B5743FC4}) (Version: 140.0.2.2 - Hewlett Packard)
HP Officejet Pro 8600 Product Improvement Study (HKLM\...\{669B49D6-BCA8-4F7C-9248-CE5677750285}) (Version: 25.0.619.0 - Hewlett-Packard Co.)
HP Update (HKLM\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)
HPDiagnosticAlert (Version: 1.00.0000 - Microsoft) Hidden
Intel® Control Center (HKLM\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Graphics Media Accelerator Driver (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2281 - Intel Corporation)
Intel® Network Connections 15.2.89.0 (HKLM\...\PROSetDX) (Version: 15.2.89.0 - Dell)
Intel® Rapid Storage Technology (HKLM\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.0.1014 - Intel Corporation)
Intel® Active Management Technology (HKLM\...\MESOL) (Version: - Intel Corporation)
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217021FF}) (Version: 7.0.670 - Oracle)
KhalInstallWrapper (Version: 2.00.0000 - Logitech) Hidden
Logitech SetPoint (HKLM\...\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}) (Version: 4.80 - Logitech)
LogMeIn (HKLM\...\{EE4CA5AF-4A55-418C-8CB8-74435814207B}) (Version: 4.1.2450 - LogMeIn, Inc.)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.4734.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
MP C305SP/C305SPF Manuals (HKLM\...\{B50ED2C8-5947-4354-8487-980C58349404}) (Version: 1.00.00 - Generic)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NTRU TCG Software Stack (Version: 2.1.29 - NTRU Cryptosystems) Hidden
OverDrive Media Console (HKLM\...\{D07205E7-F6D3-4333-AFCC-782A07685B72}) (Version: 3.2.20 - OverDrive, Inc.)
PeerBlock 1.1 (r518) (HKLM\...\{015C5B35-B678-451C-9AEE-821E8D69621C}_is1) (Version: 1.1.0.518 - PeerBlock, LLC)
Preboot Manager (Version: 03.00.00.154 - Wave Systems Corp.) Hidden
Private Information Manager (Version: 06.04.00.065 - Wave Systems Corp.) Hidden
Quicksilver (HKLM\...\{6E6B8160-B2C8-4F87-B4ED-0851C2001E09}) (Version: 1.2.24 - )
Samsung_MonSetup (HKLM\...\{8EA79DBF-D637-448A-89D6-410A087A4493}) (Version: 1.00.0000 - Samsung)
ScrewDrivers Client v4 (HKLM\...\{8B3547AD-9F70-4D27-829B-D4EA4FFF38EF}) (Version: 4.7.00.10 - triCerat, Inc.)
Security Wizards (Version: 01.07.00.026 - Your Company Name) Hidden
Speckie (HKLM\...\{D6364759-959B-463B-BFE1-2B506434431F}) (Version: 5.8.0 - Versoworks)
Trillian (HKLM\...\Trillian) (Version: - Cerulean Studios, LLC)
Trusted Drive Manager (Version: 3.3.3.104 - Wave Systems Corp.) Hidden
TypeC305 TWAIN Driver Ver.4 (HKLM\...\{88C48BE6-84A3-4772-B073-9333543E4596}) (Version: 4.42.01 - )
TypeC3501 TWAIN Driver Ver.4 (HKLM\...\{E9EA01AF-9225-4AA3-B5C8-17C7847466C9}) (Version: 4.36.00 - )
UPEK TouchChip Fingerprint Reader (Version: 1.2.0 - Dell Inc.) Hidden
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0 - DivX, Inc) Hidden
VChannelClient (HKLM\...\{245B4BB9-D643-4A87-968D-6C856FF1706A}) (Version: 5.04 - Applied Systems)
Wave Infrastructure Installer (Version: 07.01.31.0000 - Wave Systems Corp) Hidden
Wave Support Software (Version: 05.10.00.073 - Wave Systems Corp) Hidden
Windows Driver Package - Dell Inc. PBADRV System (09/11/2009 1.0.1.6) (HKLM\...\9512AA21B791B05A54E27065C45BBC417AB282DF) (Version: 09/11/2009 1.0.1.6 - Dell Inc.)
WinRAR 4.20 (32-bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2661758368-1490956049-3939381498-1000_Classes\CLSID\{49BBAA3C-C574-419E-8378-783C362E9C15}\InprocServer32 -> C:\Program Files\HP\Common\FWUpdateEDO2.dll (Hewlett-Packard Co.)
CustomCLSID: HKU\S-1-5-21-2661758368-1490956049-3939381498-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\1216\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Restore Points =========================

07-11-2014 23:27:58 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:04 - 2013-10-29 08:54 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {6802B87F-8129-49BA-907C-B0D19542B00C} - System32\Tasks\HPCustParticipation HP Officejet Pro 8600 => C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2011-09-09] (Hewlett-Packard Co.)
Task: {DCEA4EB0-2C7B-4A4A-9256-4C631804C934} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-06] (Adobe Systems Incorporated)
Task: {EA78A7D7-F4C7-4D91-925F-037A0F38CBEF} - System32\Tasks\{FF30F494-1FF2-BF8B-FC52-AED0A2AF3D4E} => C:\Windows\system32\fqrcznz.dll [2014-11-05] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2010-01-09 20:18 - 2010-01-09 20:18 - 04254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-01-21 01:34 - 2010-01-21 01:34 - 08793952 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2010-01-19 09:44 - 2010-01-19 09:44 - 00249856 _____ () C:\Windows\system32\wxvault.dll
2010-03-02 09:46 - 2010-03-02 09:46 - 00010752 _____ () C:\Windows\system32\Wavx_ESC_Logging.dll
2008-11-12 10:24 - 2008-11-12 10:24 - 00004608 _____ () C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\TspPopup_ENU.dll
2013-06-24 09:20 - 2009-07-20 11:27 - 00017936 _____ () C:\Program Files\Logitech\SetPoint\khalwrapper.dll
2014-10-16 02:32 - 2014-10-16 02:32 - 00170496 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\3d576cbc4ffc5ad06fd61510c5d8f326\IsdiInterop.ni.dll
2012-06-27 07:47 - 2010-03-03 17:08 - 00058880 _____ () C:\Program Files\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2012-06-27 07:48 - 2010-05-21 14:14 - 00077824 _____ () C:\Program Files\Common Files\Intel\Privacy Icon\UNS\DTMessageLib.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\atashost => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: LBTServ => 3
MSCONFIG\Services: LMIGuardianSvc => 2
MSCONFIG\Services: LMIMaint => 2
MSCONFIG\Services: LogMeIn => 2
MSCONFIG\Services: tcsd_win32.exe => 2
MSCONFIG\Services: ‮etadpug => 2
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: DivXUpdate => "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

========================= Accounts: ==========================

Adam (S-1-5-21-2661758368-1490956049-3939381498-1000 - Administrator - Enabled) => C:\Users\Adam
Administrator (S-1-5-21-2661758368-1490956049-3939381498-500 - Administrator - Disabled)
Guest (S-1-5-21-2661758368-1490956049-3939381498-501 - Limited - Enabled)
LogMeInRemoteUser (S-1-5-21-2661758368-1490956049-3939381498-1001 - Administrator - Enabled)
Ricoh (S-1-5-21-2661758368-1490956049-3939381498-1002 - Administrator - Enabled) => C:\Users\Ricoh

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/08/2014 00:55:14 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Dependent Assembly Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8" could not be found.
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (11/07/2014 03:55:56 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The WinDefend service terminated with the following error:
%%126

Error: (11/07/2014 03:55:04 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {3EB3C877-1F16-487C-9050-104DBCD66683}


Microsoft Office Sessions:
=========================
Error: (11/08/2014 00:55:14 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"c:\program files\Trillian\plugins\ingame\ingame_64.exe


==================== Memory info ===========================

Processor: Intel® Core™2 Duo CPU E8400 @ 3.00GHz
Percentage of memory in use: 65%
Total physical RAM: 3547.59 MB
Available physical RAM: 1223.19 MB
Total Pagefile: 7093.48 MB
Available Pagefile: 4294.2 MB
Total Virtual: 2047.88 MB
Available Virtual: 1909.29 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:287.75 GB) (Free:253.27 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298.1 GB) (Disk ID: 409EF107)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=10.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=287.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================
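
As an added example (my own code, not part of the original thread and not FRST's own logic), the script below runs the three checks the fixlist in the following reply lines up on, over lines copied from the log above: recently created executable-looking files under system32 whose version resource carries no company name (the empty parentheses FRST prints), a scheduled task whose action is one of those files or whose task name is a bare GUID, and a service name containing a Unicode format character such as the U+202E right-to-left override visible in the "‮etadpug" line of the MSCONFIG section. The 7-day window, the extension set and the GUID-name rule are my assumptions for illustration; the scan date defaults to 2014-11-08, the date in the Addition log header.

```python
"""Triage a few FRST log sections for the indicators acted on in this thread.

Added example, not part of the original thread and not FRST's own logic.
The 7-day window, the extension set and the GUID-name rule are assumptions.
"""
import re
import unicodedata
from datetime import datetime, timedelta

# Constructed sample: lines copied from the FRST output above, plus benign
# entries from the same log for contrast. The last line is appended as a
# normal string so the U+202E override character is embedded as in the log.
SAMPLE_LOG = r"""
2014-11-05 13:32 - 2014-11-05 13:32 - 00000028 _____ () C:\Windows\system32\u
2014-11-05 13:31 - 2014-11-05 13:31 - 00041472 _____ () C:\Windows\system32\fqrcznz.dll
2014-11-05 13:31 - 2014-11-05 13:31 - 00000000 _____ () C:\Windows\system32\qyeagf.dll
2014-10-15 20:09 - 2014-09-28 16:41 - 02379264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-15 20:08 - 2014-07-08 14:30 - 00419992 _____ () C:\Windows\system32\locale.nls
2014-10-16 02:25 - 2009-07-13 20:33 - 00409464 _____ () C:\Windows\system32\FNTCACHE.DAT
Task: {EA78A7D7-F4C7-4D91-925F-037A0F38CBEF} - System32\Tasks\{FF30F494-1FF2-BF8B-FC52-AED0A2AF3D4E} => C:\Windows\system32\fqrcznz.dll [2014-11-05] ()
Task: {DCEA4EB0-2C7B-4A4A-9256-4C631804C934} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-06] (Adobe Systems Incorporated)
MSCONFIG\Services: LogMeIn => 2
""" + "MSCONFIG\\Services: \u202eetadpug => 2\n"

# "created - modified - size attrs (company) path", as FRST prints file lines
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ \S{5} "
    r"\((?P<company>[^)]*)\) (?P<path>.+)$")
TASK_RE = re.compile(
    r"^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.+?) => (?P<target>.+?) "
    r"\[\d{4}-\d{2}-\d{2}\] \((?P<company>[^)]*)\)$")
SVC_RE = re.compile(r"^MSCONFIG\\Services: (?P<name>.+?) => \d+$")
GUID_TASK_NAME = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}$")

CODE_EXTS = {"", ".dll", ".exe", ".sys"}   # assumption: what counts as code


def flag_system32_files(lines, scan_date, window_days=7):
    """Files under \\Windows\\system32 created within the window, with a code
    extension (or none) and an empty company field. Data files such as
    locale.nls and FNTCACHE.DAT also have empty parentheses and are skipped."""
    flagged = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "\\windows\\system32\\" not in path.lower():
            continue
        base = path.rsplit("\\", 1)[-1].lower()
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        created = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M")
        recent = scan_date - created <= timedelta(days=window_days)
        if m.group("company") == "" and ext in CODE_EXTS and recent:
            flagged.append(path)
    return flagged


def flag_tasks(lines, flagged_paths):
    """Scheduled tasks whose action is a flagged file, or whose task name is a
    bare GUID rather than a product name."""
    hits = []
    flagged = {p.lower() for p in flagged_paths}
    for line in lines:
        m = TASK_RE.match(line)
        if not m:
            continue
        name, target = m.group("name"), m.group("target")
        if target.lower() in flagged or GUID_TASK_NAME.search(name):
            hits.append((name, target))
    return hits


def flag_obfuscated_services(lines):
    """Service names containing Unicode format characters (category Cf).
    For U+202E the string is also returned reversed, which is how a GUI
    renders it: 'etadpug' is displayed as 'gupdate'."""
    hits = []
    for line in lines:
        m = SVC_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        fmt = [c for c in name if unicodedata.category(c) == "Cf"]
        if not fmt:
            continue
        visible = "".join(c for c in name if unicodedata.category(c) != "Cf")
        if "\u202e" in fmt:
            visible = visible[::-1]
        hits.append((name, ["U+%04X" % ord(c) for c in fmt], visible))
    return hits


def triage(log_text, scan_date="2014-11-08"):
    """Run all three checks; scan_date defaults to the date in the log header."""
    lines = log_text.splitlines()
    scan = datetime.strptime(scan_date, "%Y-%m-%d")
    files = flag_system32_files(lines, scan)
    return {"files": files,
            "tasks": flag_tasks(lines, files),
            "services": flag_obfuscated_services(lines)}


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

Run against the sample, the file check returns exactly the three system32 entries the fixlist moves, the task check returns the GUID-named task that loads fqrcznz.dll, and the service check reports the U+202E name as "gupdate". The window matters: the same lines scanned with a date three weeks later return no files, which is why the created-date column in an FRST log is read alongside the company column rather than on its own.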

#4 RPMcMurphy (Malware Response Team)

Posted 08 November 2014 - 11:09 PM

Please do this next:

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2661758368-1490956049-3939381498-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
2014-11-05 13:32 - 2014-11-05 13:32 - 00000028 _____ () C:\Windows\system32\u
2014-11-05 13:31 - 2014-11-05 13:31 - 00041472 _____ () C:\Windows\system32\fqrcznz.dll
2014-11-05 13:31 - 2014-11-05 13:31 - 00000000 _____ () C:\Windows\system32\qyeagf.dll
C:\Users\Adam\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
EmptyTemp:
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#5 adam67 (Topic Starter)


Posted 09 November 2014 - 12:17 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-11-2014
Ran by Adam at 2014-11-09 09:10:44 Run:1
Running from C:\Users\Adam\Desktop
Loaded Profile: Adam (Available profiles: Adam & Ricoh)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2661758368-1490956049-3939381498-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
2014-11-05 13:32 - 2014-11-05 13:32 - 00000028 _____ () C:\Windows\system32\u
2014-11-05 13:31 - 2014-11-05 13:31 - 00041472 _____ () C:\Windows\system32\fqrcznz.dll
2014-11-05 13:31 - 2014-11-05 13:31 - 00000000 _____ () C:\Windows\system32\qyeagf.dll
C:\Users\Adam\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
EmptyTemp:
*****************

"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-2661758368-1490956049-3939381498-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
C:\Windows\system32\u => Moved successfully.
C:\Windows\system32\fqrcznz.dll => Moved successfully.
Could not move "C:\Windows\system32\qyeagf.dll" => Scheduled to move on reboot.
C:\Users\Adam\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Program Files\Google\Desktop\Install => Moved successfully.
EmptyTemp: => Removed 1.5 GB temporary data.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-11-09 09:13:43)<=

C:\Windows\system32\qyeagf.dll => Is moved successfully.

==== End of Fixlog ====



#6 RPMcMurphy
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 09 November 2014 - 12:38 PM

Please do this next:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop.

  • Execute TDSSKiller.exe by double-clicking on it.
  • When the window opens, click on Change Parameters.
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System".
  • Click OK.
  • Press Start Scan.
  • If malicious objects are found, then ensure Cure is selected. Important: if there is no option to "Cure", it is critical that you select "Skip".
  • Then click Continue > Reboot now.
  • Once complete, a log will be produced in c:\. It will be named, for example, TDSSKiller.3.x.x.x_xx.01.2012_17.24.26_log.txt
  • Post that log, please.

 




#7 adam67
  • Topic Starter
  • Members
  • 56 posts

Posted 10 November 2014 - 11:08 AM

TDSSKiller came back with no threats found. Would you like me to click Report or just close?



#8 RPMcMurphy
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 10 November 2014 - 01:28 PM

I don't need the log if no threats were found. Please do this next:

Download ComboFix from HERE, and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double-click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.

Note: If, after running ComboFix, you receive a message stating "Illegal Operation Attempted on a registry key that has been marked for deletion", rebooting your computer will resolve the problem.

Please include the following in your next post:
  • ComboFix log




#9 adam67
  • Topic Starter
  • Members
  • 56 posts

Posted 10 November 2014 - 01:53 PM

ComboFix 14-11-10.02 - Adam 11/10/2014  10:33:59.2.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3548.2508 [GMT -8:00]
Running from: c:\users\Adam\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Trillian.lnk
c:\users\Adam\g2mdlhlpx.exe
c:\users\Adam\GoToAssistDownloadHelper.exe
c:\windows\Downloaded Program Files\Install.inf
c:\windows\Downloaded Program Files\setup.dll
c:\windows\system32\AdobePDF.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-10-10 to 2014-11-10  )))))))))))))))))))))))))))))))
.
.
2014-11-10 18:40 . 2014-11-10 18:42 -------- d-----w- c:\users\Adam\AppData\Local\temp
2014-11-10 18:40 . 2014-11-10 18:40 -------- d-----w- c:\users\Ricoh\AppData\Local\temp
2014-11-10 18:40 . 2014-11-10 18:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2014-11-10 18:40 . 2014-11-10 18:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-11-10 16:05 . 2014-11-10 16:05 39464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{326A4E85-C192-427C-8692-40F3BFC33155}\MpKslfa1ef928.sys
2014-11-09 17:25 . 2014-10-14 20:13 8901368 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{326A4E85-C192-427C-8692-40F3BFC33155}\mpengine.dll
2014-11-07 23:51 . 2014-11-07 23:53 -------- d-----w- C:\AdwCleaner
2014-11-07 23:29 . 2014-09-17 10:40 908840 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0FC8D8B-BB4C-4B3C-A260-983E12644F08}\gapaengine.dll
2014-11-07 23:28 . 2014-10-14 20:13 8901368 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-11-04 19:50 . 2014-11-04 19:50 -------- d-----w- c:\programdata\Microsoft Toolkit
2014-10-31 15:18 . 2014-11-07 22:21 -------- d-----w- c:\program files\VideoLAN
2014-10-28 14:52 . 2014-11-04 22:20 -------- d-----w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-10-16 04:09 . 2014-09-29 00:41 2379264 ----a-w- c:\windows\system32\win32k.sys
2014-10-16 04:09 . 2014-09-04 05:04 372736 ----a-w- c:\windows\system32\rastls.dll
2014-10-16 04:09 . 2014-06-18 22:23 81560 ----a-w- c:\windows\system32\mscories.dll
2014-10-16 04:09 . 2014-06-18 22:23 156824 ----a-w- c:\windows\system32\mscorier.dll
2014-10-16 04:09 . 2014-06-18 22:23 1131664 ----a-w- c:\windows\system32\dfshim.dll
2014-10-16 04:09 . 2014-08-29 01:44 2744320 ----a-w- c:\windows\system32\rdpcorets.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-10 18:41 . 2012-06-27 15:59 0 ----a-w- c:\users\Adam\AppData\Local\WavXMapDrive.bat
2014-10-30 11:24 . 2012-06-27 16:21 229000 ------w- c:\windows\system32\MpSigStub.exe
2014-10-22 15:20 . 2012-06-28 14:37 86912 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2014-10-22 15:20 . 2012-06-28 14:37 53096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2014-10-22 15:20 . 2012-06-28 14:37 31592 ----a-w- c:\windows\system32\LMIport.dll
2014-10-22 15:20 . 2012-06-28 14:37 85864 ----a-w- c:\windows\system32\LMIinit.dll
2014-10-06 15:20 . 2013-12-09 15:39 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-10-06 15:20 . 2013-12-09 15:39 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-25 01:40 . 2014-10-01 01:51 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-17 10:40 . 2012-07-03 16:08 908840 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-09-09 21:47 . 2014-09-24 07:20 2048 ----a-w- c:\windows\system32\tzres.dll
2014-08-23 01:46 . 2014-08-28 11:34 305152 ----a-w- c:\windows\system32\gdi32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Officejet Pro 8600 (NET)"="c:\program files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" [2011-09-09 1804648]
"Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2010-10-25 1216416]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2011-03-08 227328]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-07-21 147840]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-06-22 34232]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1314816]
"ScrewDrivers RDP Plugin"="c:\program files\triCerat\Simplify Printing\ScrewDrivers Client v4\install_rdp.exe" [2013-01-10 46448]
"picon"="c:\program files\Common Files\Intel\Privacy Icon\PIconStartup.exe" [2010-05-21 104960]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-31 172568]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2012-04-02 63048]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-31 137752]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-31 171032]
"EncMove"="c:\program files\EncompassInsurance\Encompass Optimization Install\EncompassMove.exe" [2009-09-03 36864]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-10-25 932288]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2010-10-25 36760]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 974432]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-22 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-07-25 256896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2013-6-24 813584]
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-3-29 132456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2013-06-26 15:38 309080 ----a-w- c:\program files\Citrix\GoToAssist\917\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 19:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-10-25 20:13 821144 ----a-w- c:\program files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2013-02-13 02:37 1263952 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2014-07-25 19:29 256896 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
R3 GSService;GSService;c:\windows\system32\GSService.exe [2012-12-30 403832]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-07-18 95920]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-08-22 288120]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-06-27 1343400]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2010-09-14 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2010-09-14 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2010-09-14 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2010-09-14 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2010-09-14 25704]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys [2009-07-14 20480]
S1 MpKslfa1ef928;MpKslfa1ef928;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{326A4E85-C192-427C-8692-40F3BFC33155}\MpKslfa1ef928.sys [2014-11-10 39464]
S2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2014-01-06 117544]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2014-10-22 375144]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2013-05-29 13624]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2010-05-21 2071064]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [2012-12-30 23608]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-11-06 214696]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-09 15:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: billerweb.com
Trusted Zone: farmersinsurance.com
Trusted Zone: foremostproducers.com
Trusted Zone: foremoststar.com
Trusted Zone: msbexpress.net
Trusted Zone: travelers.com
Trusted Zone: travelerspc.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} - hxxp://updates.mercuryinsurance.com/PP14.1.7_HO14.0.16_CO3.2.16/setup.exe
DPF: {F3D4C08D-3616-43F0-9E29-44C749B0664B} - hxxp://64.79.115.206:166/JpegInst.cab
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(540)
c:\windows\system32\wvauth.DLL
.
- - - - - - - > 'Explorer.exe'(3280)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
c:\program files\Intel\AMT\LMS.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2014-11-10  10:48:25 - machine was rebooted
ComboFix-quarantined-files.txt  2014-11-10 18:48
.
Pre-Run: 272,064,372,736 bytes free
Post-Run: 271,746,310,144 bytes free
.
- - End Of File - - 74F85C99C2D1CB388C86B055AE934938
5C616939100B85E558DA92B899A0FC36
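
Two items in the logs above deserve a read-only check before a machine is trusted again: the FRST fixlist in post #4 deleted three browser policy-restriction keys, and the ComboFix log just posted shows UAC switched off (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0) and an extra LSA authentication package (wvauth) beside msv1_0. The PowerShell script below is an added example, not part of this thread and not code from FRST, ComboFix or their authors; it reads exactly those locations and reports anything that deviates from a clean Windows 7 default, changing nothing. Assumptions: the expected UAC values are the Windows 7 defaults (1, 5, 1), the per-user hives it walks are the ones currently loaded under HKEY_USERS, and attributing wvauth.dll to the Wave Systems software listed elsewhere in the log is an inference that the thread does not confirm.

```powershell
# Added audit script (not from the thread or from any tool used in it).
# Read-only: it reports deviations and deletes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Browser policy keys. On a stand-alone home machine these keys normally do not
#    exist; adware creates them to lock the browser (the fixlist deleted three of them).
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
)
# Per-user hives: only user SIDs whose hive is loaded (user logged on) are visible here.
foreach ($sid in (Get-ChildItem 'Registry::HKEY_USERS' |
                  Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' })) {
    $policyKeys += "Registry::HKEY_USERS\$($sid.PSChildName)\SOFTWARE\Policies\Microsoft\Internet Explorer"
}

foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Select-Object -Property * -ExcludeProperty PS* | Out-String
        $findings.Add("Policy restriction present: $key`n$values")
        Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("  subkey: $($_.Name)") }
    }
}

# 2. UAC settings. Assumed expected values are the Windows 7 defaults.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacExpected = @{
    EnableLUA                  = 1   # UAC enabled
    ConsentPromptBehaviorAdmin = 5   # prompt for consent for non-Windows binaries
    PromptOnSecureDesktop      = 1   # prompts shown on the secure desktop
}
$uac = Get-ItemProperty -Path $uacKey
foreach ($name in $uacExpected.Keys) {
    $actual = $uac.$name
    if ($null -eq $actual) {
        $findings.Add("UAC value missing: $name (expected $($uacExpected[$name]))")
    } elseif ($actual -ne $uacExpected[$name]) {
        $findings.Add("UAC weakened: $name = $actual (expected $($uacExpected[$name]))")
    }
}

# 3. LSA authentication packages. A clean system lists only msv1_0. Any extra entry is
#    a DLL that lsass loads and that sees every logon, so it must be accounted for.
#    In this thread the extra entry is wvauth, assumed (not confirmed) to be part of
#    the Wave Systems Trusted Drive Manager that appears in the same log.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($pkg in @($lsa.'Authentication Packages')) {
    if ($pkg -ne 'msv1_0') {
        $findings.Add("Extra LSA authentication package: $pkg (verify the DLL's publisher)")
    }
}

if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings }
```

Run it from an elevated PowerShell prompt. Section 2 is the one most likely to matter on this machine: with EnableLUA=0 every process started by the logged-on administrator already runs with full rights, so none of the later tools in this thread would have had to ask for elevation, and neither would anything else.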
 



#10 RPMcMurphy
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 10 November 2014 - 07:59 PM

Please do this next:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.x.x.xxxx.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Please include the following in your next post:
  • MBAM log




#11 adam67
  • Topic Starter
  • Members
  • 56 posts

Posted 11 November 2014 - 10:39 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/11/2014
Scan Time: 7:27:46 AM
Logfile: MBAM log.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.11.04
Rootkit Database: v2014.11.10.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Adam

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 340775
Time Elapsed: 7 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 4
PUP.Optional.Conduit.A, HKLM\SOFTWARE\FreeOnlineRadioPlayerRecorder, Quarantined, [c6baf149196362d46d693c6642c2966a],
PUP.Optional.uTorrentTB.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pacgpkgadgmibnhpdidcnfafllnmeomc, Quarantined, [7a068bafc0bc1b1b96214911e02360a0],
PUP.Optional.PassShow.A, HKU\S-1-5-21-2661758368-1490956049-3939381498-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\PassShow, Quarantined, [245cb981b6c693a38ad590a3877c03fd],
PUP.Optional.uTorrentTB.A, HKU\S-1-5-21-2661758368-1490956049-3939381498-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pacgpkgadgmibnhpdidcnfafllnmeomc, Quarantined, [1f6184b61963be7814a2cc8e778c14ec],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)
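
The MBAM log above flags an extension id under HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS. That registry path is Chrome's external-extension mechanism: any subkey named with an extension id that carries an update_url value (or a path plus version value) makes Chrome install that extension for every profile on the machine, which is why bundled adware writes there. The script below is an added example, not from the thread and not from Malwarebytes; it enumerates those keys in the machine hive, in the 32-bit view on 64-bit Windows, and in each loaded user hive, and lists what it finds so the ids can be compared against what the user actually installed. It assumes the value names update_url, path and version as Chrome documents them, and it only reads.

```powershell
# Added example (not from the thread or from Malwarebytes): list Chrome extensions
# that are force-installed through the registry. Read-only.

$roots = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions'   # 32-bit view on 64-bit Windows
)
# Per-user hives: only SIDs whose hive is loaded (user logged on) are visible.
foreach ($sid in (Get-ChildItem 'Registry::HKEY_USERS' |
                  Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' })) {
    $roots += "Registry::HKEY_USERS\$($sid.PSChildName)\SOFTWARE\Google\Chrome\Extensions"
}

# Chrome extension ids are 32 characters drawn from a-p (hex digits mapped onto a-p).
# A subkey that does not match this shape is not something Chrome generated.
$idPattern = '^[a-p]{32}$'

$report = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive        = $root
            ExtensionId = $sub.PSChildName
            WellFormed  = ($sub.PSChildName -match $idPattern)
            UpdateUrl   = $props.update_url   # remote source Chrome will fetch the CRX from
            Path        = $props.path         # local CRX file, used instead of update_url
            Version     = $props.version
        }
    }
}

if ($report) {
    $report | Format-Table -AutoSize
} else {
    'No registry-installed Chrome extensions found.'
}
```

Anything this lists with an update_url that is not a Google Web Store address, or a path pointing into a user-writable directory, is worth looking up before deciding it belongs there; the uTorrentTB id in the log above would have appeared in exactly this output.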



#12 RPMcMurphy
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 11 November 2014 - 12:02 PM

How is your computer running now? Please do this next:

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut, and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double-click on it to install and a new window will open. Follow the prompts.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file...".
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • ESET log




#13 adam67
  • Topic Starter
  • Members
  • 56 posts

Posted 11 November 2014 - 12:36 PM

It is running great. No more COM Surrogate in the task window.

I opened IE as Admin but the scan will not start. It says the add-on failed to run.



#14 RPMcMurphy
  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 11 November 2014 - 01:47 PM

In that case, please run a full scan with your installed antivirus (Microsoft Security Essentials). Let me know what, if anything, it turns up.




#15 adam67
  • Topic Starter
  • Members
  • 56 posts

Posted 11 November 2014 - 03:40 PM

MSE was all clear. I think I'm good. Thank you for the help!





