
"Memory Monster" Virus (scvHost) impossible to find/eradicate


  • This topic is locked
4 replies to this topic

#1 MILESCFA

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:55 AM

Posted 26 November 2014 - 08:19 AM

I have been fighting a virus for weeks that I simply can not "find" or fix. I have tried tons of anti-virus programs and recommendations, including AVG (free, both in Windows and booted from DVD), a "special" AVG file sent to me by them (AVG_remover_all, probably part of paid package?), Avast (free), Malwarebytes, FarBar, aswMBR, RogueKiller, RKill, HitmanPro, UnHackMe, Greatis, TDSSKiller, and Kaspersky...
 
This is an MBR virus that uses scvhost for hooks(?)... I'm 95% sure I got this right (or close enough).
 
First, Kaspersky logs show, most importantly,
==================================================
11/25/14 8:18 PM OK sdc3/MININT/SYSTEM32/PCA_OPT.DLL
11/25/14 8:18 PM OK sdc3/MININT/SYSTEM32/MBR.DLL/#
11/25/14 8:18 PM OK sdc3/MININT/SYSTEM32/MBR.DLL/#/HDDImage
11/25/14 8:18 PM Packed: HDDImage sdc3/MININT/SYSTEM32/MBR.DLL/#
11/25/14 8:18 PM OK sdc3/MININT/SYSTEM32/PCA_MSG.DLL
==================================================
 
Attached File  HDDImage.jpg   44.12KB   0 downloads
 
 
Attached File  svchost-services.jpg   84.11KB   0 downloads
 
 
From my novice (virus) knowledge base, but with a "programming history" - a bank programmer for 1+ yr in the early 80s until I decided I didn't like it - and STILL BEEN DOING IT FOR MYSELF FOR the 30+ yrs since, but on a limited scale (VBA, MacroExpress)....

and with lots of "virus surfing", my understanding is that an MBR virus has "packed" or "zipped" files hiding its code that is substituted for the real code (and clever ones can go undetected by passing a "clean" MBR to "anyone" asking, i.e. fooling anti-virus searches). And I'm fairly confident the above says exactly what I just said. Regrettably Kaspersky still gave me a clean bill of health (as did TDSSKiller). I also tried restoring/recreating my MBR using "FixMBR" but it too failed. I'd try BOOTREC.exe if I thought it would help, but if a Kaspersky boot DVD can't find and kill it, I don't have a hope!?!?!?
 
If I'm wrong on what all the apparent "hooks" mean, aswMBR log showed my O/S drive partitions and the MBR is named "Compaq diag RECOVERY", which is valid FOR MY WIFE'S COMPUTER (mine's a custom build)! (thank you dear) As smart as this virus is, I'm amazed it "made this simple naming" mistake, unless it had no choice!
========================================================================
 
Attached File  aswMBR_log_141125_1425.txt   2.15KB   5 downloads
 
========================================================================
 
 
Attached File  RKreport_SCN_141126_0045_1262014_003850.log   5.31KB   3 downloads
 
 
==========================================================================
 
The various logs I have may have been changed (fixed) so it might be better to guide me through, because I have made changes. For example, one of the logs said something about a "rover.ebay...." issue and I later discovered this add-on in FireFox (and deleted it).
 
 
And fwiw, I followed the BleepingComputer forum piece about removing the scvhost virus, which sounds exactly like me, but it didn't work so presumably I need "unique" handling.
 
 
...and, blush, you'll see in the logs I ran ComboFix without being told, because I found it on a forum and did not see the instructions otherwise (fwiw, it's 7am here and I haven't gone to bed... and it's been like this for a week+, so that's my excuse and I'm sticking to it). ComboFix may have found some of my issues, but I'm far from cured. ComboFix deleted 3 files and I'm fairly sure I don't need them and they may well have been part of the problem:
--------------------------------
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk
MILES: "don't care, can always recreate"
 
c:\programdata\ntuser.pol
MILES "This one is, shall we say, very interesting. The virus set up NT policies to tunnel through?? (I've disabled scvhost-> services temporarily)"
 
c:\users\Miles\g2mdlhlpx.exe
MILES "No clue what it is but the name is obviously suspect... big time!"
------------------------------
================================================
 
 
Attached File  Combo_log_141126_0100.txt   10.26KB   1 downloads
 
 
================================================
 
Wouldn't you agree, ComboFix "did good" and I don't have to worry about its remedies (i.e., deletions)?
HOWEVER, please look for "MILES" comments in the ComboFix log; there are some entries I don't understand and worry about, such as it looks like "the virus" gave itself ("GUEST") permission to uninstall LastPass as a way of forcing me to manually enter passwords (but I'm probably just being paranoid because, certainly, all my anti-virus scanning would have picked up a key-logger, right?)
 
I'll have other comments in logs written as "MILES..." probably. In the meanwhile,
 
BACKGROUND AS TO SYMPTOMS, OTHER INFO:
First, I literally have had a bleeping computer for a very long time - and I still hear it. I have tons of "hooked" files(?), but the procedures in scvhost included "Windows Audio Endpoint Builder" and I would guess the beeping I've heard is actually an "audible file" being executed, for the virus's purpose(s)?
 
The main symptom currently, however, is that the virus "consumes" memory very fast. About 2 minutes after boot-up, when Windows is "still being populated", 2GB have disappeared WITH NO "PGMS" RUNNING yet (I do open WinExplorer in my Start, and more dealing with the virus, but this happens on both computers and I only use Start on one). Thru the first 7 minutes or so, and still almost nothing running, I'm down to 1/3 of my installed memory being "Free" (in Task Mgr "Performance" window). And it can and often does consume all memory, which made me chase non-existent hardware issues when my programs were getting corrupted by, presumably, the impossibility of making "saves on closing" with no memory to use.
 
 
Attached File  Tmgr_STAGES-declining-mem.jpg   165.38KB   0 downloads
 
I appreciate anything that can be done.
 
=============================================
 
 
 
Attached File  Malware_log_141125_1400.txt   1.26KB   0 downloads
 
 
=============================================
 
 
 
TOO TIRED FOR INTERNAL COMMENTS.....
 
Attached File  FRST_141125_1400.txt   30.96KB   2 downloads
 
 
Attached File  Addition_141125_1400.txt   30.07KB   1 downloads

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-11-2014 01
Ran by Miles (administrator) on TRDPC on 25-11-2014 13:50:35
Running from E:\FarBarRecoveryScanTool
Loaded Profile: Miles (Available profiles: Miles & Guest)
Platform: Windows Vista ™ Ultimate Service Pack 2 (X64) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Greatis Software) E:\UnHackMe\hackmon.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
(AOMEI Tech Co., Ltd.) C:\Program Files (x86)\AOMEI Backupper Standard Edition 2.0.3\ABService.exe
() E:\Allway Sync\Bin\SyncService.exe
(Microsoft Corporation) C:\Windows\System32\CISVC.EXE
( ) C:\Windows\System32\lxdkcoms.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
(Seagate) C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedul2.exe
(Microsoft) C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe
(Microsoft) C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Seagate) C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedhlp.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
() C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe
(BonSoft) C:\Program Files (x86)\ClocX\ClocX.exe
(Seagate) C:\Program Files (x86)\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe
(Seagate) C:\Program Files (x86)\Seagate\BlackArmorBackup\TimounterMonitor.exe
() C:\Program Files (x86) (x86)\Lexmark 5300 Series\lxdkmon.exe
() C:\Program Files (x86) (x86)\Lexmark 5300 Series\lxdkamon.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2013\avgui.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\perfmon.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1584184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [NvMediaCenter] => RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [182808 2008-09-12] (Intel Corporation)
HKLM\...\Run: [Seagate Scheduler2 Service] => C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedhlp.exe [376272 2009-07-23] (Seagate)
HKLM\...\Run: [lxdkmon.exe] => C:\Program Files (x86)\Lexmark 5300 Series\lxdkmon.exe [455336 2010-02-15] ()
HKLM\...\Run: [lxdkamon] => C:\Program Files (x86)\Lexmark 5300 Series\lxdkamon.exe [25256 2010-02-15] ()
HKLM-x32\...\Run: [BlackArmorBackupMonitor.exe] => C:\Program Files (x86)\Seagate\BlackArmorBackup\BlackArmorBackupMonitor.exe [4352960 2009-07-23] (Seagate)
HKLM-x32\...\Run: [AcronisTimounterMonitor] => C:\Program Files (x86)\Seagate\BlackArmorBackup\TimounterMonitor.exe [963784 2009-07-23] (Seagate)
HKLM-x32\...\Run: [lxdkmon.exe] => C:\Program Files (x86) (x86)\Lexmark 5300 Series\lxdkmon.exe [455336 2010-02-15] ()
HKLM-x32\...\Run: [lxdkamon] => C:\Program Files (x86) (x86)\Lexmark 5300 Series\lxdkamon.exe [25256 2010-02-15] ()
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4411952 2014-11-04] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\system: [SetVisualStyle]
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [NoDrives] 32
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [ForceClassicControlPanel] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [DisableThumbnails] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [DisableThumbsDBOnNetworkFolders] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [DisableThumbnailsOnNetworkFolders] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [RestrictWelcomeCenter] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [ClassicShell] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [NoThumbnailCache] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [NoChangeAnimation] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [NoSharedDocuments] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [PromptRunasInstallNetPath] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\Policies\Explorer: [AlwaysShowClassicMenu] 1
HKU\S-1-5-21-568135541-910108368-1868962389-1000\...\MountPoints2: {15d74953-37d3-11e2-8218-0019d131504e} - F:\Setup.exe
Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uninstall LastPass RunOnce.lnk
ShortcutTarget: Uninstall LastPass RunOnce.lnk -> C:\Users\Guest\AppData\Roaming\lpuninstall.exe (LastPass)
Startup: C:\Users\Miles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ClocX.lnk
ShortcutTarget: ClocX.lnk -> C:\Program Files (x86)\ClocX\ClocX.exe (BonSoft)
Startup: C:\Users\Miles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Computer Management.lnk
ShortcutTarget: Computer Management.lnk -> C:\Windows\System32\compmgmt.msc ()
Startup: C:\Users\Miles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Programs and Features - Shortcut.lnk
ShortcutTarget: Programs and Features - Shortcut.lnk -> (No File)
Startup: C:\Users\Miles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.lnk
ShortcutTarget: Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} => No File
BootExecute: autocheck autochk * Partizan

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-568135541-910108368-1868962389-1000] => Internet Explorer proxy is enabled.
HKU\S-1-5-21-568135541-910108368-1868962389-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\S-1-5-21-568135541-910108368-1868962389-1000 -> {BD6323E6-7E15-41E7-8295-03203563AD71} URL = http://rover.ebay.com/rover/1/711-43047-14818-1/4?satitle={searchTerms}
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6_x64\bin\jp2ssv.dll No File
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> E:\Java\jre7u71\bin\ssv.dll (Oracle Corporation)
BHO-x32: WOT Helper -> {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} -> C:\Program Files (x86)\WOT\WOT.dll ()
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> E:\Java\jre7u71\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll ()
Toolbar: HKU\S-1-5-21-568135541-910108368-1868962389-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-568135541-910108368-1868962389-1000 -> WOT - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
DPF: HKLM-x32 {95B5D20C-BD31-4489-8ABF-F8C8BE748463} http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: HKLM-x32 {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: HKLM-x32 {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
Handler-x32: http - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF ProfilePath: C:\Users\Miles\AppData\Roaming\Mozilla\Firefox\Profiles\oaum5pr0.default
FF Homepage: hxxp://my.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_223.dll ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_223.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1214154.dll (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> E:\Java\jre7u71\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> E:\Java\jre7u71\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: WOT - C:\Users\Miles\AppData\Roaming\Mozilla\Firefox\Profiles\oaum5pr0.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2014-11-24]
FF HKLM-x32\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-06-18]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4942384 2014-10-17] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
R2 Backupper Service; C:\Program Files (x86)\AOMEI Backupper Standard Edition 2.0.3\ABService.exe [29912 2014-10-31] (AOMEI Tech Co., Ltd.)
R2 BotkindSyncService; e:\Allway Sync\Bin\SyncService.exe [262144 2013-07-02] () [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S2 lxdkCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxdkserv.exe [33712 2007-06-14] (Lexmark International, Inc.)
R2 lxdk_device; C:\Windows\system32\lxdkcoms.exe [1053104 2007-06-14] ( )
R2 lxdk_device; C:\Windows\SysWOW64\lxdkcoms.exe [598960 2007-06-14] ( )
S2 MouseWithoutBordersSvc; C:\Program Files (x86)\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe [27872 2012-10-24] (Microsoft)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [69632 2006-11-08] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [88064 2006-11-08] (Hewlett-Packard) [File not signed]
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 ambakdrv; C:\Windows\System32\ambakdrv.sys [30648 2014-08-19] () [File not signed]
R2 ammntdrv; C:\Windows\system32\ammntdrv.sys [151480 2014-08-19] () [File not signed]
R2 amwrtdrv; C:\Windows\system32\amwrtdrv.sys [17848 2014-08-19] () [File not signed]
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-07-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [209720 2014-11-04] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311608 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-07-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2014-10-17] (AVG Technologies CZ, s.r.o.)
R2 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
U0 Partizan; C:\Windows\SysWOW64\drivers\Partizan.sys [35816 2014-11-25] (Greatis Software)
R0 snapman380; C:\Windows\System32\DRIVERS\snman380.sys [237600 2009-12-06] (Acronis)
R0 tdrpman174; C:\Windows\System32\DRIVERS\tdrpm174.sys [1581088 2009-12-06] (Acronis)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-25 13:50 - 2014-11-25 13:50 - 00000000 ____D () C:\FRST
2014-11-25 10:04 - 2014-11-25 13:31 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-25 07:07 - 2014-11-25 13:25 - 00000252 _____ () C:\Windows\SysWOW64\PARTIZAN.TXT
2014-11-25 04:47 - 2014-11-25 04:47 - 14646304 _____ (LastPass) C:\Users\Guest\AppData\Roaming\lpuninstall.exe
2014-11-25 03:29 - 2014-11-25 03:29 - 00040720 _____ (Greatis Software) C:\Windows\system32\Partizan.exe
2014-11-25 03:21 - 2014-11-25 03:31 - 00000000 ____D () C:\Users\Public\Documents\regruninfo
2014-11-25 03:21 - 2014-11-25 03:31 - 00000000 ____D () C:\ProgramData\Documents\regruninfo
2014-11-25 03:21 - 2014-11-25 03:29 - 00000000 ____D () C:\Users\Miles\Documents\RegRun2
2014-11-25 03:21 - 2014-11-25 03:21 - 00035816 _____ (Greatis Software) C:\Windows\SysWOW64\Drivers\Partizan.sys
2014-11-25 03:21 - 2014-11-25 03:21 - 00003278 _____ () C:\Windows\System32\Tasks\UnHackMe Task Scheduler
2014-11-25 03:21 - 2014-11-25 03:21 - 00000537 _____ () C:\Users\Miles\Desktop\UnHackMe.lnk
2014-11-25 03:21 - 2014-11-25 03:21 - 00000002 RSHOT () C:\Windows\winstart.bat
2014-11-25 03:21 - 2014-11-25 03:21 - 00000002 RSHOT () C:\Windows\SysWOW64\CONFIG.NT
2014-11-25 03:21 - 2014-11-25 03:21 - 00000002 RSHOT () C:\Windows\SysWOW64\AUTOEXEC.NT
2014-11-25 03:21 - 2014-11-25 03:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UnHackMe
2014-11-25 03:21 - 2014-11-20 12:56 - 00012800 _____ (Greatis Software, LLC.) C:\Windows\SysWOW64\Drivers\UnHackMeDrv.sys
2014-11-25 00:07 - 2014-11-25 00:07 - 00000599 _____ () C:\Users\Miles\Desktop\FRST64.exe - Shortcut.lnk
2014-11-25 00:07 - 2014-11-25 00:07 - 00000517 _____ () C:\Users\Miles\Desktop\aswMBR.exe - Shortcut.lnk
2014-11-25 00:05 - 2014-11-25 00:05 - 00000630 _____ () C:\Users\Public\Desktop\Allway Sync.lnk
2014-11-25 00:05 - 2014-11-25 00:05 - 00000630 _____ () C:\ProgramData\Desktop\Allway Sync.lnk
2014-11-25 00:05 - 2014-11-25 00:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Allway Sync
2014-11-25 00:04 - 2014-11-25 00:04 - 00000606 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-25 00:04 - 2014-11-25 00:04 - 00000606 _____ () C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-25 00:04 - 2014-11-25 00:04 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-25 00:04 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-25 00:04 - 2014-10-01 11:11 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-25 00:04 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-25 00:02 - 2014-11-25 02:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FolderMatch v3.4.8
2014-11-25 00:02 - 2014-11-25 00:02 - 00000614 _____ () C:\Users\Miles\Desktop\FolderMatch v3.4.8.LNK
2014-11-25 00:00 - 2014-11-25 00:00 - 00249856 ____N (Microsoft Corporation) C:\Windows\Setup1.exe
2014-11-25 00:00 - 2014-11-25 00:00 - 00073216 _____ (Microsoft Corporation) C:\Windows\ST6UNST.EXE
2014-11-25 00:00 - 2014-11-25 00:00 - 00000000 ____D () C:\Users\Miles\AppData\Roaming\Oracle
2014-11-24 23:59 - 2014-11-24 23:59 - 00000000 ____D () C:\ProgramData\Oracle
2014-11-24 23:59 - 2014-11-24 23:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-11-24 23:59 - 2014-11-24 23:58 - 00272808 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-11-24 23:59 - 2014-11-24 23:58 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-11-24 23:59 - 2014-11-24 23:58 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-11-24 23:59 - 2014-11-24 23:58 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-11-24 23:53 - 2014-11-24 23:53 - 00000000 ____D () C:\Windows\SysWOW64\Adobe
2014-11-24 23:52 - 2014-11-25 03:22 - 00000000 ____D () C:\Users\Miles\AppData\Roaming\Adobe
2014-11-24 23:52 - 2014-11-24 23:52 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-11-24 23:52 - 2014-11-24 23:52 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-11-24 23:49 - 2014-11-25 03:23 - 00000000 ____D () C:\ProgramData\Adobe
2014-11-24 23:49 - 2014-11-24 23:49 - 00001804 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2014-11-24 23:49 - 2014-11-24 23:49 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-11-24 23:48 - 2014-11-25 03:22 - 00000000 ____D () C:\Users\Miles\AppData\Local\Adobe
2014-11-24 23:22 - 2014-11-24 23:37 - 00000000 ____D () C:\ProgramData\boost_interprocess
2014-11-24 23:22 - 2014-11-24 23:22 - 00000000 ____D () C:\Program Files (x86)\TradeStation Archives
2014-11-24 23:21 - 2014-11-24 23:21 - 00001597 _____ () C:\Users\Public\Desktop\TradeStation 9.5.lnk
2014-11-24 23:21 - 2014-11-24 23:21 - 00001597 _____ () C:\ProgramData\Desktop\TradeStation 9.5.lnk
2014-11-24 23:21 - 2014-11-24 23:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TradeStation 9.5
2014-11-24 23:17 - 2014-11-24 23:17 - 00000000 ____D () C:\Users\Miles\AppData\Roaming\TradeStation Technologies
2014-11-24 23:16 - 2014-11-24 23:17 - 00000000 ____D () C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2014-11-24 23:16 - 2014-11-24 23:16 - 00000000 ____D () C:\Program Files\Microsoft SQL Server Compact Edition
2014-11-24 23:14 - 2014-11-24 23:14 - 00000623 _____ () C:\Users\Public\Desktop\thinkorswim.lnk
2014-11-24 23:14 - 2014-11-24 23:14 - 00000623 _____ () C:\ProgramData\Desktop\thinkorswim.lnk
2014-11-24 23:14 - 2014-11-24 23:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\thinkorswim
2014-11-24 22:33 - 2014-11-25 01:23 - 00001024 ____H () C:\SYSTAG.BIN
2014-11-24 19:51 - 2014-11-24 19:51 - 00000000 ____D () C:\Users\Miles\Documents\My Notes
2014-11-24 19:49 - 2014-11-24 19:49 - 00000541 _____ () C:\Users\Miles\Desktop\My Notes Keeper.lnk
2014-11-24 19:49 - 2014-11-24 19:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\My Notes Keeper
2014-11-24 19:19 - 2014-11-24 19:19 - 00000000 ____D () C:\Program Files (x86)\WOT
2014-11-24 17:54 - 2014-11-24 18:14 - 00000000 ____D () C:\Users\Miles\Documents\MyNotesKeeper Files
2014-11-22 17:04 - 2014-11-22 17:04 - 00000251 _____ () C:\Users\Miles\Desktop\Security Center - Shortcut.lnk
2014-11-22 17:04 - 2014-11-22 17:04 - 00000134 _____ () C:\Users\Miles\Desktop\Windows Update - Shortcut.lnk
2014-11-22 17:03 - 2014-11-22 17:03 - 00000134 _____ () C:\Users\Miles\Desktop\Windows Firewall - Shortcut.lnk
2014-11-22 17:02 - 2014-11-25 02:49 - 00001385 _____ () C:\Users\Miles\Desktop\cmd.exe - Shortcut.lnk
2014-11-22 17:01 - 2014-11-22 17:01 - 00001614 _____ () C:\Users\Miles\Desktop\Calculator.lnk
2014-11-22 17:01 - 2014-11-22 17:01 - 00000704 _____ () C:\Users\Miles\Desktop\taskmgr.exe - Shortcut.lnk
2014-11-22 16:48 - 2014-11-24 22:21 - 00002698 __RSH () C:\Users\Miles\ntuser.pol
2014-11-22 15:04 - 2014-11-25 01:23 - 00000082 _____ () C:\Windows\SysWOW64\winsevr.dat
2014-11-22 15:04 - 2014-11-25 01:23 - 00000000 ____D () C:\Program Files (x86)\AOMEI Backupper Standard Edition 2.0.3
2014-11-22 15:04 - 2014-11-22 17:06 - 00000000 ____D () C:\ProgramData\AomeiBR
2014-11-22 15:04 - 2014-11-22 15:04 - 00001102 _____ () C:\Users\Public\Desktop\AOMEI Backupper Standard Edition 2.0.3.lnk
2014-11-22 15:04 - 2014-11-22 15:04 - 00001102 _____ () C:\ProgramData\Desktop\AOMEI Backupper Standard Edition 2.0.3.lnk
2014-11-22 15:04 - 2014-11-22 15:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AOMEI Backupper Standard Edition 2.0.3
2014-11-22 15:04 - 2014-08-19 15:47 - 00151480 _____ () C:\Windows\system32\ammntdrv.sys
2014-11-22 15:04 - 2014-08-19 15:47 - 00030648 _____ () C:\Windows\system32\ambakdrv.sys
2014-11-22 15:04 - 2014-08-19 15:47 - 00017848 _____ () C:\Windows\system32\amwrtdrv.sys
2014-11-22 14:50 - 2014-11-22 14:50 - 00001694 _____ () C:\Users\Miles\Desktop\Computer Management.lnk
2014-11-22 13:20 - 2014-11-22 13:20 - 00001637 _____ () C:\Users\Miles\Desktop\Paint.lnk
2014-11-22 12:35 - 2014-11-22 12:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-11-22 12:27 - 2014-11-25 07:07 - 00006374 _____ () C:\Windows\PFRO.log
2014-11-04 00:30 - 2014-11-04 00:30 - 00209720 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgldx64.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-25 13:35 - 2011-01-25 13:52 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-25 13:30 - 2008-01-20 20:53 - 01290085 _____ () C:\Windows\WindowsUpdate.log
2014-11-25 13:26 - 2011-01-25 13:52 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-25 13:26 - 2006-11-02 10:40 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-25 13:26 - 2006-11-02 10:21 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-25 13:26 - 2006-11-02 10:21 - 00003616 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-25 13:11 - 2006-11-02 10:40 - 00032642 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-11-25 12:59 - 2011-10-10 11:08 - 00000510 _____ () C:\Windows\Tasks\SyncBack CriticalBackups-TOS-quote-lists-111010.job
2014-11-25 08:05 - 2012-02-18 00:04 - 00000000 ____D () C:\ProgramData\MFAData
2014-11-25 03:51 - 2006-11-02 07:46 - 00764452 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-25 02:59 - 2006-11-02 08:33 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-11-24 23:33 - 2010-12-12 16:20 - 00000320 _____ () C:\Users\Miles\AppData\Roaming\SEC394003.trad
2014-11-24 23:21 - 2006-11-02 08:33 - 00000000 ____D () C:\Windows\Cursors
2014-11-24 22:21 - 2008-12-20 00:31 - 00000000 ____D () C:\Users\Miles
2014-11-24 22:10 - 2011-12-28 17:36 - 00000454 _____ () C:\Windows\Tasks\SyncBack 2215-STMTS.job
2014-11-24 22:05 - 2011-12-28 17:33 - 00000488 _____ () C:\Windows\Tasks\SyncBack 2205-MYNOTEBOOK-BlackArmour.job
2014-11-24 21:59 - 2011-12-28 17:32 - 00000496 _____ () C:\Windows\Tasks\SyncBack 2200-Bckup-Critical-BlackArmour.job
2014-11-24 20:25 - 2008-12-20 16:13 - 00000000 ____D () C:\Users\Miles\AppData\Roaming\MyNotesKeeper
2014-11-24 20:22 - 2011-01-10 00:56 - 00001543 _____ () C:\Users\Miles\Desktop\Windows Explorer.lnk
2014-11-24 20:10 - 2013-02-07 11:26 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-11-24 19:54 - 2009-09-23 20:10 - 00000000 ____D () C:\Users\Miles\AppData\Roaming\EurekaLog
2014-11-24 18:40 - 2012-03-08 10:37 - 00003674 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{01D81B69-4D5A-49AD-8528-6F683E378503}
2014-11-24 18:10 - 2012-07-26 20:31 - 00000464 _____ () C:\Windows\Tasks\SyncBack 1805-Stock-Univ.job
2014-11-24 18:00 - 2012-07-26 20:28 - 00000460 _____ () C:\Windows\Tasks\SyncBack 1800-WKLY-OPT.job
2014-11-24 17:50 - 2011-12-28 17:32 - 00000456 _____ () C:\Windows\Tasks\SyncBack 1750-TrdStn.job
2014-11-24 17:45 - 2011-12-28 17:31 - 00000454 _____ () C:\Windows\Tasks\SyncBack 1745-STMTS.job
2014-11-22 18:48 - 2011-01-25 13:53 - 00000000 ____D () C:\Program Files\Google
2014-11-22 18:48 - 2011-01-25 13:52 - 00000000 ____D () C:\Program Files (x86)\Google
2014-11-22 17:37 - 2009-11-18 01:10 - 00002633 _____ () C:\Users\Miles\Desktop\Microsoft Office Word 2003.lnk
2014-11-22 17:36 - 2009-04-18 10:57 - 00002631 _____ () C:\Users\Miles\Desktop\Microsoft Office Excel 2003.lnk
2014-11-22 17:35 - 2011-12-28 17:30 - 00000464 _____ () C:\Windows\Tasks\SyncBack 1735-MYNOTEBOOK.job
2014-11-22 17:30 - 2011-12-28 17:28 - 00000472 _____ () C:\Windows\Tasks\SyncBack 1730-Bckup-Critical.job
2014-11-22 17:25 - 2011-12-28 17:26 - 00000460 _____ () C:\Windows\Tasks\SyncBack 1725-TOScript.job
2014-11-22 16:49 - 2011-12-28 17:26 - 00000468 _____ () C:\Windows\Tasks\SyncBack 1650-TrdStn-TrdPC.job
2014-11-22 16:40 - 2011-12-28 17:25 - 00000466 _____ () C:\Windows\Tasks\SyncBack 1645-STMTS-TrdPC.job
2014-11-22 16:35 - 2011-12-28 17:21 - 00000476 _____ () C:\Windows\Tasks\SyncBack 1635-MYNOTEBOOK-TrdPC.job
2014-11-22 16:30 - 2011-12-28 17:12 - 00000484 _____ () C:\Windows\Tasks\SyncBack 1630-Bckup-Critical-TrdPC.job
2014-11-22 16:22 - 2009-08-19 10:40 - 00000000 ____D () C:\Windows\Minidump
2014-11-22 16:10 - 2012-11-13 17:02 - 00000000 ____D () C:\Program Files (x86)\NetGear
2014-11-22 16:10 - 2008-12-20 06:10 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2014-11-22 16:08 - 2011-01-15 02:04 - 00000000 ____D () C:\Program Files (x86)\Photobie
2014-11-22 16:05 - 2010-05-27 10:53 - 00000000 ____D () C:\Program Files (x86)\Citrix
2014-11-22 16:00 - 2008-12-20 04:21 - 00000000 ____D () C:\temp
2014-11-22 12:35 - 2012-11-03 10:12 - 00000911 _____ () C:\Users\Public\Desktop\AVG 2013.lnk
2014-11-22 12:35 - 2012-11-03 10:12 - 00000911 _____ () C:\ProgramData\Desktop\AVG 2013.lnk
2014-11-22 12:30 - 2011-01-25 13:52 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-11-22 12:30 - 2011-01-25 13:52 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

Some content of TEMP:
====================
C:\Users\Miles\AppData\Local\Temp\clean20.dll
C:\Users\Miles\AppData\Local\Temp\GACInstaller.dll
C:\Users\Miles\AppData\Local\Temp\instutil.dll
C:\Users\Miles\AppData\Local\Temp\lastpass_3.1.50.exe
C:\Users\Miles\AppData\Local\Temp\RegistASM.exe
C:\Users\Miles\AppData\Local\Temp\TSInst10.exe
C:\Users\Miles\AppData\Local\Temp\TSInstallCAUtils.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-11-25 13:33

==================== End Of Log ============================

Edited by nasdaq, 30 November 2014 - 10:38 AM.
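What FRST's "Bamital & volsnap Check" in the log above is doing, plus the two checks a responder would run next on a host where svchost.exe is suspected of hosting foreign code, as an added PowerShell example. This is not FRST or DDS output and not the poster's own commands; it assumes an elevated PowerShell prompt on Windows 7 x64 or later, uses the same core-file list FRST verifies, and the "user-writable" roots it flags are this example's choice, not a rule.

```powershell
# Added example for this thread, not FRST/DDS output or the poster's own commands.
# Three triage checks for a Windows 7 x64 host where svchost.exe is suspected of
# hosting foreign code. Run from an elevated PowerShell prompt (PowerShell 2.0 or
# later). File list, suspect roots and output format are this example's choices.

# 1. The files FRST verifies under "Bamital & volsnap Check", checked the same way
#    (Authenticode / catalog signature) so the two reports can be compared.
$CoreFiles = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\SysWOW64\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

function Test-CoreFileSignatures {
    foreach ($file in $CoreFiles) {
        if (-not (Test-Path -LiteralPath $file)) { "$file => MISSING"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $file
        # Valid = the file hash matches a trusted signature. On Windows 7 builds of
        # PowerShell, catalog-signed system files can come back NotSigned even when
        # intact; treat that as "re-check with Sysinternals sigcheck", not as tampering.
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        "{0} => {1} [{2}]" -f $file, $sig.Status, $signer
    }
}

# 2. Every svchost.exe should (a) run from System32 or SysWOW64, (b) be a child of
#    services.exe and (c) carry a "-k <group>" argument, as the DDS process list in
#    this thread shows. An instance that breaks any of these deserves a closer look.
function Test-SvchostInstances {
    $procs = @(Get-WmiObject -Class Win32_Process)
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    $expectedPaths = @("$env:SystemRoot\System32\svchost.exe",
                       "$env:SystemRoot\SysWOW64\svchost.exe")
    foreach ($p in $procs) {
        if ($p.Name -ne 'svchost.exe') { continue }
        $issues = @()
        if ($p.ExecutablePath -and ($expectedPaths -notcontains $p.ExecutablePath)) {
            $issues += "image path $($p.ExecutablePath)"
        }
        $parent = $byPid[[int]$p.ParentProcessId]
        if (-not $parent) {
            $issues += "parent pid $($p.ParentProcessId) no longer exists"
        } elseif ($parent.Name -ne 'services.exe') {
            $issues += "parent is $($parent.Name) (pid $($parent.ProcessId))"
        }
        if (-not $p.CommandLine) {
            $issues += "command line not readable (run elevated)"
        } elseif ($p.CommandLine -notmatch '\s-k\s+\S') {
            $issues += "no -k service group in command line: $($p.CommandLine)"
        }
        if ($issues.Count -gt 0) { "svchost.exe pid {0}: {1}" -f $p.ProcessId, ($issues -join '; ') }
    }
}

# 3. Services whose binary lives under a user profile or a Temp directory. Normal
#    services live under \Windows or \Program Files; a service image in a user's
#    %TEMP% is the kind of entry DDS lists for TeamViewer_Service.exe in this thread.
function Find-ServicesInUserPaths {
    $suspectRoots = @("$env:SystemDrive\Users\", "$env:SystemRoot\Temp\")  # assumption: tune per host
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        if (-not $svc.PathName) { continue }
        # PathName is either "C:\quoted path\x.exe" args  or  C:\path\x.exe args
        $image = if ($svc.PathName.StartsWith('"')) { $svc.PathName.Split('"')[1] } else { $svc.PathName.Split(' ')[0] }
        foreach ($root in $suspectRoots) {
            if ($image.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                "{0} ({1}): {2} [state={3} start={4}]" -f $svc.Name, $svc.DisplayName, $image, $svc.State, $svc.StartMode
            }
        }
    }
}

'== Core file signatures =='
Test-CoreFileSignatures
'== svchost.exe instances that break the expected pattern (empty is good) =='
Test-SvchostInstances
'== Services whose binary lives in a user-writable path =='
Find-ServicesInUserPaths
```

A clean signature report says the files on disk are intact; it says nothing about code that a boot-sector rootkit patches into those processes in memory, which is why the MBR scanners named in the first post (aswMBR, TDSSKiller) inspect the boot sector separately rather than relying on file checks.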



#2 HelpBot

HelpBot
    Bleepin' Binary Bot

  • Bots
  • 12,765 posts

Posted 01 December 2014 - 08:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/557694 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 MILESCFA

MILESCFA
  • Topic Starter

  • Members
  • 3 posts

Posted 02 December 2014 - 11:38 PM

I have been dealing with this issue since late Oct. I have restored from backups, even so far as going back 2.5 yrs, and then I have just wiped the disks (secure erased as well as writing 0's and 1's) and reinstalled the original software (i.e., I do have original disks). I am unsure if I am having problems now...

However, this time I was going to have the free "full suite" McAfee that ATT Uverse customers get for free. I went back and forth between my ISP (ATT Uverse) and McAfee trying to get one of my "subscriptions" deactivated/reactivated (4 are free and we have 4 PCs). Long story short, McAfee "elevated me" to people at Itfinite LLL out of Virginia (at least that's what they said) and I gave them remote control of my PC, whereupon they found "tons" of issues, which they would fix for $390. After running around and turning on all 4 PCs in my home, as well as installing hard drives I had disconnected (was gonna get my money's worth), I was passed to the actual technician, who eventually told me it was going to cost $390 TIMES MY FOUR COMPUTERS! I hung up and disconnected.

I have experienced numerous symptoms, but the most glaring seems to be as in the title, memory "gone wild", causing corruption on my drives. It looks like svchost.exe is being hijacked to run virus programs. The "icing on the cake" was when the ability to backup/restore was corrupted on "Tcp" (aka my older PC). On "Cpc" (my new CyberpowerPC as of 3/12), well, it was "crappy" from the start. I have read Asus has "memory overflow" problems in some of their coding, so ultimately on "Cpc" I've been running around "chasing" MemTestr, ChkDisk, etc. until I finally decided it had to be virus related.

 

After the "clean install", the only issue I have is a "touchy" wireless mouse. I am going to try to use this single computer, which seems sort of well-behaved for now, and will post if other problems crop up, but....

The ultimate indication I also mentioned above, which is where a boot partition on my computer had the name from my wife's PC's hidden "out-of-the-box" restoration backup ("Compaq diag Recovery"?).

 

I would appreciate opinions as to if I am clear now (remember, I did a clean install). I'm starting with the "limited" info the "bot" requested, but I have tried most anti-virus hunters and killers with no success. Perhaps I've been blessed and am clean now, but I think you can appreciate that I am paranoid (and exhausted with just 4hr sleep/day for almost 1 month).

notes:

TeamViewer is the remote service the Infinite people used to remotely control my PC; I do not believe they are "dangerous" since McAfee sent me to them, but I'm trying to be sure the service is stopped.

Also, they said I should NOT use CCleaner.exe and I've never heard of a back-door there, have you?

They also said JAVA is a big risk. I know Java has had its vulnerabilities, but have you heard anything on this?

I'm looking for alternatives to ALL Adobe products, given HUGE security holes, so I'd appreciate substitutions!

A lot of the "remote" stuff appears dated 11/20/12. These ".sys" dates should be dates of MSFT creation/save, right, or Vista x64 update dates?

SORRY, I just cleared EventViewer to see future errors and the saved log is too big to attach. I don't truly know what I'm looking at in Event Viewer, but I see NO errors nor anything off-hand, except what is this:

Log Name:      System
Source:        Microsoft-Windows-FilterManager
Date:          12/2/2014 6:21:19 PM
Event ID:      6
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      Cpc
Description:
File System Filter 'luafv' (6.1, ‎2009‎-‎07‎-‎13T18:26:13.000000000Z) has successfully loaded and registered with Filter Manager.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-FilterManager" Guid="{F3C5E28E-63F6-49C7-A204-E48A1BC4B09D}" />
    <EventID>6</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-12-02T23:21:19.974011400Z" />
    <EventRecordID>6470</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="68" />
    <Channel>System</Channel>
    <Computer>Cpc</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="FinalStatus">0x0</Data>
    <Data Name="DeviceVersionMajor">6</Data>
    <Data Name="DeviceVersionMinor">1</Data>
    <Data Name="DeviceNameLength">5</Data>
    <Data Name="DeviceName">luafv</Data>
    <Data Name="DeviceTime">2009-07-13T18:26:13.000000000Z</Data>
  </EventData>
</Event>


=================================================================================================

DDS log.....   (instructions were ambiguous about attaching the zipped "Attach.txt" file (bot said yes, attach.txt said "if requested"), but it's attached.)

=================================================================================================

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17420  BrowserJavaVersion: 10.71.2
Run by Miles at 22:14:03 on 2014-12-02
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.16351.13970 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Bluetooth Suite\adminservice.exe
e:\AOMEI Backupper Standard Edition 2.1.0\ABService.exe
C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe
c:\users\miles\appdata\local\temp\teamviewer\TeamViewer_Service.exe
C:\Program Files\McAfee\MSC\McAPExe.exe
C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe
C:\Program Files (x86)\BUFFALO\NASNAVI\nassche.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
E:\CCleaner\CCleaner64.exe
C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
E:\FireFox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWinlogon: Userinit = userinit.exe
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Java\jre7_71\bin\ssv.dll
BHO: CIESpeechBHO Class: {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Java\jre7_71\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
uRun: [CCleaner Monitoring] "E:\CCleaner\CCleaner64.exe" /MONITOR
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [mcpltui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Miles\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\BUFFAL~1.LNK - C:\Program Files (x86)\BUFFALO\NASNAVI\NasNavi.exe
StartupFolder: C:\Users\Miles\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\NASSCH~1.LNK - C:\Program Files (x86)\BUFFALO\NASNAVI\nassche.exe
StartupFolder: C:\Users\Miles\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\TASKMG~1.LNK -
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\COMPUT~1.LNK - C:\Windows\System32\compmgmt.msc
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\WINDOW~1.LNK - C:\Windows\explorer.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {7815BE26-237D-41A8-A98F-F7BD75F71086} - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{0EEE8029-70C4-4B93-B4DA-EEB295310C05} : DHCPNameServer = 192.168.1.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
SSODL: WebCheck - <orphaned>
x64-BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe"
x64-Run: [AthBtTray] "C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe"
x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
x64-Run: [ShadowPlay] C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,ShadowPlayOnSystemStart
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Miles\AppData\Roaming\Mozilla\Firefox\Profiles\ez2pxvtk.default-1417516354860\
FF - plugin: c:\PROGRA~2\mcafee\msc\npMcSnFFPl.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll
FF - plugin: C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: E:\Java\jre7_71\bin\dtplugin\npdeployJava1.dll
FF - plugin: E:\Java\jre7_71\bin\plugin2\npjp2.dll
FF - plugin: E:\thinkorswim\npthinkorswim.dll
FF - plugin: E:\thinkorswim\nptossc.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ambakdrv;ambakdrv;C:\Windows\System32\ambakdrv.sys [2014-12-1 30648]
R0 iaStorA;iaStorA;C:\Windows\System32\drivers\iaStorA.sys [2014-12-1 645952]
R0 iaStorF;iaStorF;C:\Windows\System32\drivers\iaStorF.sys [2014-12-1 27456]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2014-6-20 786296]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2014-6-20 348552]
R0 mv91xx;mv91xx;C:\Windows\System32\drivers\mv91xx.sys [2010-8-27 297000]
R2 ammntdrv;ammntdrv;C:\Windows\System32\ammntdrv.sys [2014-12-1 151480]
R2 amwrtdrv;amwrtdrv;C:\Windows\System32\amwrtdrv.sys [2014-12-1 17848]
R2 AtherosSvc;AtherosSvc;C:\Program Files (x86)\Bluetooth Suite\AdminService.exe [2011-3-13 74912]
R2 Backupper Service;AOMEI Backupper Scheduler Service;E:\AOMEI Backupper Standard Edition 2.1.0\ABService.exe [2014-12-1 29912]
R2 GfExperienceService;NVIDIA GeForce Experience Service;C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [2014-12-1 1149760]
R2 HomeNetSvc;McAfee Home Network;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2014-12-1 328928]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2014-12-1 7168]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-20 635104]
R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;C:\Windows\System32\IPROSetMonitor.exe [2014-12-1 171688]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2014-12-1 165144]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2014-12-1 328928]
R2 McAPExe;McAfee AP Service;C:\Program Files\McAfee\MSC\McAPExe.exe [2014-12-1 178528]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2014-12-1 328928]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2014-12-1 328928]
R2 mcpltsvc;McAfee Platform Services;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2014-12-1 328928]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [2014-12-1 328928]
R2 mfecore;McAfee Anti-Malware Core;C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [2014-12-1 1041192]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2014-12-1 219752]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Windows\System32\mfevtps.exe [2014-12-1 189912]
R2 NasPmService;NAS PM Service;C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=297 -dto=3 -dluc=0 -dmin=1 -dmax=2 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=292 -pmin=1 -pmax=2 -pflc=0 --> C:\Program Files (x86)\BUFFALO\NASNAVI\nassvc.exe -Service_Execute -dcyc=297 -dto=3 -dluc=0 -dmin=1 -dmax=2 -dflc=0 -apc=0 -log=0 -pm=1 -pall=1 -phttp=0 -pbc=0 -ppro=0 -pcyc=292 -pmin=1 -pmax=2 -pflc=0 [?]
R2 NvNetworkService;NVIDIA Network Service;C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [2014-12-1 1796928]
R2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [2014-12-1 19821376]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2014-12-1 409800]
R2 TeamViewer;TeamViewer 10;C:\Users\Miles\AppData\Local\Temp\TeamViewer\TeamViewer_Service.exe [2014-12-2 4425488]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2014-12-1 363800]
R3 asmthub3;ASMedia USB3 Hub Service;C:\Windows\System32\drivers\asmthub3.sys [2011-9-14 129000]
R3 asmtxhci;ASMEDIA XHCI Service;C:\Windows\System32\drivers\asmtxhci.sys [2011-9-14 394216]
R3 AthBTPort;Atheros Virtual Bluetooth Class;C:\Windows\System32\drivers\btath_flt.sys [2011-3-13 36000]
R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;C:\Windows\System32\drivers\btath_a2dp.sys [2011-3-13 298656]
R3 BTATH_BUS;Atheros Bluetooth Bus;C:\Windows\System32\drivers\btath_bus.sys [2011-3-13 28832]
R3 BTATH_HCRP;Bluetooth HCRP Server driver;C:\Windows\System32\drivers\btath_hcrp.sys [2011-3-13 201376]
R3 BTATH_LWFLT;Bluetooth LWFLT Device;C:\Windows\System32\drivers\btath_lwflt.sys [2011-3-13 55456]
R3 BTATH_RCP;Bluetooth AVRCP Device;C:\Windows\System32\drivers\btath_rcp.sys [2011-3-13 154272]
R3 BtFilter;BtFilter;C:\Windows\System32\drivers\btfilter.sys [2011-3-13 280224]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2014-6-20 72128]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2014-6-20 313544]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2014-6-20 523792]
R3 mfencbdc;McAfee Inc. mfencbdc;C:\Windows\System32\drivers\mfencbdc.sys [2014-8-20 445512]
R3 NvStreamKms;NvStreamKms;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [2014-12-1 20800]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2014-12-1 38216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2012-7-8 123856]
S3 ATHDFU;Atheros Valkyrie USB BootROM;C:\Windows\System32\drivers\AthDfu.sys [2011-3-13 51872]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\System32\drivers\HipShieldK.sys [2014-12-1 197704]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-12-2 114688]
S3 mfencrk;McAfee Inc. mfencrk;C:\Windows\System32\drivers\mfencrk.sys [2014-8-20 96592]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2010-11-20 20992]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\System32\drivers\Synth3dVsc.sys [2011-4-12 88960]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\System32\drivers\terminpt.sys [2011-4-12 34816]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 tsusbhub;tsusbhub;C:\Windows\System32\drivers\tsusbhub.sys [2011-4-12 117248]
.
=============== Created Last 30 ================
.
2014-12-03 00:09:43    --------    d-----w-    C:\Program Files (x86)\Seagate
2014-12-03 00:02:29    --------    d-----w-    C:\Users\Miles\AppData\Roaming\TeamViewer
2014-12-02 22:40:59    --------    d-sh--w-    C:\Users\Miles\AppData\Local\EmieUserList
2014-12-02 22:40:59    --------    d-sh--w-    C:\Users\Miles\AppData\Local\EmieSiteList
2014-12-02 22:40:59    --------    d-sh--w-    C:\Users\Miles\AppData\Local\EmieBrowserModeList
2014-12-02 10:57:54    26624    ----a-w-    C:\Windows\GetIe.dll
2014-12-02 10:57:52    348160    ----a-w-    C:\Windows\SysWow64\msvcr71.dll
2014-12-02 10:50:22    --------    d-----w-    C:\Jts
2014-12-02 09:13:10    --------    d-----w-    C:\Program Files (x86)\TradeStation Archives
2014-12-02 09:13:09    --------    d-----w-    C:\ProgramData\boost_interprocess
2014-12-02 09:12:48    --------    d-----w-    C:\Program Files (x86)\Common Files\TradeStation Technologies
2014-12-02 09:11:43    --------    d-----w-    C:\Users\Miles\AppData\Roaming\TradeStation Technologies
2014-12-02 09:11:43    --------    d-----w-    C:\Program Files\Microsoft SQL Server Compact Edition
2014-12-02 09:11:38    --------    d-----w-    C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2014-12-02 08:46:14    --------    d-----w-    C:\Users\Miles\.thinkorswim
2014-12-02 05:29:56    497152    ----a-w-    C:\Windows\System32\drivers\afd.sys
2014-12-02 05:28:50    1887232    ----a-w-    C:\Windows\System32\d3d11.dll
2014-12-02 05:28:50    1505280    ----a-w-    C:\Windows\SysWow64\d3d11.dll
2014-12-02 04:39:03    1024    ---ha-w-    C:\SYSTAG.BIN
2014-12-02 04:36:02    --------    d-----w-    C:\ProgramData\AomeiBR
2014-12-02 04:35:57    30648    ----a-w-    C:\Windows\System32\ambakdrv.sys
2014-12-02 04:35:57    17848    ----a-w-    C:\Windows\System32\amwrtdrv.sys
2014-12-02 04:35:57    151480    ----a-w-    C:\Windows\System32\ammntdrv.sys
2014-12-02 04:27:17    --------    d-----w-    C:\Users\Miles\AppData\Roaming\NASNaviator2
2014-12-02 04:25:41    --------    d-----w-    C:\Program Files (x86)\BUFFALO
2014-12-02 03:47:43    98216    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-12-02 03:44:25    --------    d-----w-    C:\Windows\System32\appmgmt
2014-12-02 03:38:58    --------    d-----w-    C:\ProgramData\Oracle
2014-12-02 03:09:38    --------    d-----w-    C:\Windows\PCHEALTH
2014-12-02 03:08:30    --------    d-----w-    C:\Program Files (x86)\Microsoft Analysis Services
2014-12-02 03:08:24    --------    d-----w-    C:\Users\Miles\AppData\Local\Microsoft Help
2014-12-02 02:45:37    --------    d-----w-    C:\Users\Miles\AppData\Local\CrashDumps
2014-12-02 02:24:43    197704    ----a-w-    C:\Windows\System32\drivers\HipShieldK.sys
2014-12-02 02:24:40    --------    d-----w-    C:\Program Files (x86)\McAfee.com
2014-12-02 02:24:40    --------    d-----w-    C:\Program Files (x86)\Common Files\McAfee
2014-12-02 02:24:37    --------    d-----w-    C:\Program Files\McAfee.com
2014-12-02 02:24:37    --------    d-----w-    C:\Program Files\McAfee
2014-12-02 02:24:36    --------    d-----w-    C:\Program Files (x86)\McAfee
2014-12-02 02:16:39    189912    ----a-w-    C:\Windows\System32\mfevtps.exe
2014-12-02 02:16:38    --------    d-----w-    C:\Program Files\Common Files\McAfee
2014-12-02 02:06:40    --------    d-----w-    C:\Program Files (x86)\MonitorDriver
2014-12-02 01:48:44    --------    d-----w-    C:\Samsung
2014-12-02 01:37:24    --------    d-----w-    C:\Users\Miles\AppData\Local\NVIDIA Corporation
2014-12-02 01:37:24    --------    d-----w-    C:\Users\Miles\AppData\Local\NVIDIA
2014-12-02 01:35:59    74056    ----a-w-    C:\Windows\System32\OpenCL.dll
2014-12-02 01:30:36    --------    d-----w-    C:\Users\Miles\AppData\Local\Mozilla
2014-12-02 01:30:31    --------    d-----w-    C:\Program Files (x86)\Mozilla Maintenance Service
2014-12-02 00:56:55    --------    d-----w-    C:\ProgramData\IntelDLM
2014-12-02 00:55:46    --------    d-----w-    C:\Users\Miles\AppData\Local\Intel
2014-12-02 00:49:14    --------    d-----w-    C:\Program Files (x86)\Intel Driver Update Utility
2014-12-02 00:47:32    --------    d-----w-    C:\ProgramData\Package Cache
2014-12-02 00:26:58    171688    ----a-w-    C:\Windows\System32\IPROSetMonitor.exe
2014-12-02 00:26:56    355016    ----a-w-    C:\Windows\System32\PROUnstl.exe
2014-12-02 00:11:56    316064    ----a-w-    C:\Windows\System32\PRONtObj.dll
2014-12-02 00:11:56    162024    ----a-w-    C:\Windows\System32\drivers\iANSW60e.sys
2014-12-02 00:04:58    315904    ----a-w-    C:\Windows\SysWow64\Difxa62d.rra
2014-12-02 00:02:27    15128    ----a-w-    C:\Windows\System32\drivers\IntelMEFWVer.dll
2014-12-02 00:02:08    --------    d-----w-    C:\Program Files (x86)\Common Files\postureAgent
2014-12-02 00:02:01    60184    ----a-w-    C:\Windows\System32\drivers\HECIx64.sys
2014-12-02 00:00:19    --------    d-----w-    C:\Windows\Intel_Chipset_XPVistaWin7_V9301019
2014-12-01 23:56:06    645952    ----a-w-    C:\Windows\System32\drivers\iaStorA.sys
2014-12-01 23:56:06    27456    ----a-w-    C:\Windows\System32\drivers\iaStorF.sys
2014-12-01 22:57:31    --------    d-----w-    C:\temp
2014-12-01 21:24:23    --------    d-----w-    C:\Users\Miles\AppData\Local\BMExplorer
2014-12-01 21:24:19    --------    d-----w-    C:\ProgramData\Atheros
2014-12-01 18:39:59    --------    d-----w-    C:\Windows\Panther
2014-12-01 16:44:24    16896    ----a-w-    C:\Windows\AsTaskSched.dll
2014-12-01 16:43:35    --------    d-----w-    C:\Program Files (x86)\Common Files\Atheros
2014-12-01 16:43:35    --------    d-----w-    C:\Program Files (x86)\Bluetooth Suite
2014-12-01 16:42:06    --------    d-----w-    C:\Program Files (x86)\ASM104xUSB3
2014-12-01 16:41:36    --------    d-----w-    C:\Program Files (x86)\Marvell
2014-12-01 16:36:25    315904    ----a-w-    C:\Windows\SysWow64\Difxe1b6.rra
2014-12-01 16:36:25    --------    d-----w-    C:\RaidTool
2014-12-01 16:36:23    120920    ----a-w-    C:\Windows\System32\drivers\jraid.sys
2014-12-01 16:36:22    --------    d-----w-    C:\Windows\RaidTool
2014-12-01 16:36:10    753664    ----a-w-    C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iKernel.dll
2014-12-01 16:36:10    69714    ----a-w-    C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ctor.dll
2014-12-01 16:36:10    63488    ----a-w-    C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\ISBEW64.exe
2014-12-01 16:36:10    5632    ----a-w-    C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\DotNetInstaller.exe
2014-12-01 16:36:10    274432    ----a-w-    C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iscript.dll
2014-12-01 16:36:10    184320    ----a-w-    C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iuser.dll
2014-12-01 16:36:09    331908    ----a-w-    C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\setup.dll
2014-12-01 16:36:09    200836    ----a-w-    C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\00\Intel32\iGdi.dll
2014-12-01 16:32:59    331908    ----a-w-    C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2014-12-01 16:20:06    --------    d-----w-    C:\Program Files (x86)\Common Files\Intel Corporation
2014-12-01 16:17:01    --------    d-----w-    C:\Users\Miles\AppData\Roaming\Intel Corporation
2014-12-01 16:12:17    557848    ----a-w-    C:\Windows\System32\drivers\iaStor.sys
2014-12-01 15:54:55    53248    ----a-w-    C:\Windows\SysWow64\CSVer.dll
2014-12-01 15:54:38    --------    d-----w-    C:\Intel
2014-12-01 15:54:32    296320    ----a-w-    C:\Windows\System32\drivers\volsnap.sys
2014-12-01 15:52:01    --------    d-----w-    C:\Users\Miles\AppData\Local\Diagnostics
2014-12-01 15:50:21    --------    d-sh--w-    C:\Windows\Installer
.
==================== Find3M  ====================
.
2014-12-02 05:29:56    376688    ----a-w-    C:\Windows\System32\drivers\netio.sys
2014-12-02 00:12:07    98496    ----a-w-    C:\Windows\System32\NicInstC.dll
2014-12-02 00:12:07    68264    ----a-w-    C:\Windows\System32\e1cmsg.dll
2014-12-02 00:12:07    36472    ----a-w-    C:\Windows\System32\NicCo36.dll
2014-12-02 00:12:07    342704    ----a-w-    C:\Windows\System32\drivers\e1c62x64.sys
2014-12-01 15:11:04    173360    ----a-w-    C:\Windows\UN060501.EXE
2014-11-17 22:18:52    31520    ----a-w-    C:\Windows\System32\nvhdap64.dll
2014-11-17 22:18:52    197408    ----a-w-    C:\Windows\System32\drivers\nvhda64v.sys
2014-11-17 22:18:52    1538880    ----a-w-    C:\Windows\System32\nvhdagenco6420103.dll
2014-11-17 20:02:44    2197680    ----a-w-    C:\Windows\SysWow64\nvspcap.dll
2014-11-17 20:02:44    1291280    ----a-w-    C:\Windows\SysWow64\nvspbridge.dll
2014-11-17 20:02:31    2800296    ----a-w-    C:\Windows\System32\nvspcap64.dll
2014-11-17 20:02:31    1715224    ----a-w-    C:\Windows\System32\nvspbridge64.dll
2014-11-12 21:56:45    6897352    ----a-w-    C:\Windows\System32\nvcpl.dll
2014-11-12 21:56:45    3534152    ----a-w-    C:\Windows\System32\nvsvc64.dll
2014-11-12 21:56:42    934032    ----a-w-    C:\Windows\System32\nvvsvc.exe
2014-11-12 21:56:42    62608    ----a-w-    C:\Windows\System32\nvshext.dll
2014-11-12 21:56:42    386368    ----a-w-    C:\Windows\System32\nvmctray.dll
2014-11-12 21:56:42    2559808    ----a-w-    C:\Windows\System32\nvsvcr.dll
2014-11-12 20:46:11    615624    ----a-w-    C:\Windows\SysWow64\nvStreaming.exe
2014-11-11 10:29:54    4100776    ----a-w-    C:\Windows\System32\nvcoproc.bin
2014-10-03 19:23:02    38216    ----a-w-    C:\Windows\System32\drivers\nvvad64v.sys
2014-10-03 19:23:02    35144    ----a-w-    C:\Windows\System32\nvaudcap64v.dll
2014-10-03 19:23:00    32584    ----a-w-    C:\Windows\SysWow64\nvaudcap32v.dll
.
============= FINISH: 22:14:15.45 ===============

#4 MILESCFA (Topic Starter, Members, 3 posts)

Posted 05 December 2014 - 01:15 PM

For What It's Worth, I consider my problem solved and this topic closed...

(I wiped all drives and reinstalled, save for a data drive I'm hoping was NOT infected)

However, there are a few things I learned:

1) Backups = I have them but perform them on an "ad hoc" basis. They are now going into Task Scheduler.

fwiw1: I've tried all backup programs and eventually bought Ease-To-Do... ONLY to discover it could NOT connect to my old Seagate BlackArmor NAS110 (network attached storage from WinXP days). Even Ease-To-Do technical support could not help me MANUALLY install the drivers needed to access this network drive. At least Ease-To-Do refunded my money... and then I FIGURED out how to install the drivers, SO I GOT A FREE PROFESSIONAL BACKUP PROGRAM...

I DO NOT USE this free professional version of Ease-To-Do !!!

AOMEI (free) finds my NAS drives fairly easily and does EVERYTHING. I'm probably going to buy the professional version just out of gratitude for saving my butt.

fwiw2: "giveaway of the day" gives away a lot of crap software, but several times a year it gives away the professional versions of backup software. BE SURE to read the reviews.... like I said, it also gives away A LOT OF CRAP.

2) 855-205-0915 (8552050915) is a TOTAL SCAM IMHO. This phone number is all over the internet with tons of different website addresses. Regrettably, ATT Uverse (billing) support gave me this number after I had gone back and forth between ATT and McAfee technical support 3 times. I thought ATT (4th call) had given me a new McAfee Tech support number. They answer "Platinum Tech Support" and always mention they are "Microsoft certified support" and they are the "Client Services support" (?) department. If you try to pin them down, you may get them to say the company is "Platinum Technical Support". When I pressed them on exactly who they are, having explained that I had just been defrauded "by them" the day before (under the "credit card charge name" of callroc - callroc.com, who are "into the wind" already - the ("personal") phone number on their website has been disconnected), I was "passed off to" a "supervisor" at Platinum Tech Support, who said the phone number was "not Platinum Tech's number" but rather was "a Microsoft number" that would reach "any of hundreds of Microsoft approved" tech support firms.... blah, blah, blah. Every time I call back, it is always "Platinum Tech Support" and always Indians answering the phone in what sounds like a busy tech support center but I now believe is "a boiler room" operation of a scam company. DO NOT USE THEM. McAfee or Microsoft or probably any of the anti-virus companies offer the same service (?) for ~$90... of course, that's if the experts here can't help you.

fwiw: as noted, I had been working on this a long time and had gone without a lot of sleep. I trade stocks online, so I was desperate to get back.

bleepingcomputer: I put the above in here in the hope that it will help prevent others from being ripped off.

3) Infection: I am still convinced I was infected and the Kaspersky report below shows my "MBR was hijacked"(?)... for my peace of mind, if you can confirm that is what the report below says, please post or send me a message; I am still watching!

==================================================
11/25/14 8:18 PM OK sdc3/MININT/SYSTEM32/PCA_OPT.DLL
11/25/14 8:18 PM OK sdc3/MININT/SYSTEM32/MBR.DLL/#
11/25/14 8:18 PM OK sdc3/MININT/SYSTEM32/MBR.DLL/#/HDDImage
11/25/14 8:18 PM Packed: HDDImage sdc3/MININT/SYSTEM32/MBR.DLL/#
11/25/14 8:18 PM OK sdc3/MININT/SYSTEM32/PCA_MSG.DLL
==================================================

4) Hard Drive setup: "forever", I have always had a C drive for the O/S and a D drive for "Data". This significantly helps in backing up, since the "system image" backup is minimized and is, in some ways, more important than the data backup; however, in this rebuild, I've added an E drive ("Extra" pgms) for programs I download for free, like Java and CCleaner. This further reduces the O/S backup. The O/S backup is, of course, what is critical because MSFT "is unforgiving" in that it locks your install with activation...

5) Microsoft / Windows: I'll hold my tongue here except to say their backups ARE HUGE, so I don't use them, with one exception: When "everything" is installed and confirmed working, I'll make 1 Windows backup simply because I have original installation disks and I don't trust MSFT enough to NOT use 1 backup of theirs (I'm 99% confident in AOMEI, but I'll concede the 1% and have MSFT "as a backup to my backup"). This backup WILL RESIDE ON A 2nd INTERNAL HARD DRIVE because backup software "can be finicky" with network backups. A 1TB HDD costs ~$60, and this will hold (or should) even a couple of "bloated Windows" backups (if you don't separate your O/S and data and "free software" as I do).

6) Microsoft Windows and Office Activation: I spent a lot of time trying to figure this out because I didn't want to lose any data, and secondarily, having had computers since 1978, I've had a lot of issues with MSFT, especially trying to activate software that had already been activated. I simply did NOT want to have to reactivate again (see 7 below). My Excel 2003, which I like BETTER than my 2010, activates "automatically" because it is no longer supported. Out of spite, I may try to install it ON ALL my PCs, just to see what happens. Nonetheless, even my Office 2010 "is so old" that it activates again "without question". I'm shooting myself because re-activation was a major concern to me (just hate dealing with MSFT).

7) Hardware: I had already activated Windows and Office 4 times on my newer PC, which had issues from day 1. I AM NOT EVER BUYING a CyberPowerPC again - In 2012, right after buying the PC, I was running Memtest off the motherboard with the HDD disconnected and had told their tech support this info: when trying to figure out my problem(s), they said "it's the O/S". I repeated, NO HDD in PC, so can't be O/S... "then it's the HDDs"... you get the idea... they even tried to blame the graphics cards, which I had likewise told them were NOT installed. I'm also NOT buying a PC with an ASUS motherboard again. I understand they used to be very good, but part of my "virus" problem may have just been bad ASUS "drivers". Trying to solve this "virus" issue, I only just discovered they had serious memory leak issues in some drivers on my MB. Looking for updated drivers on their website, I saw they JUST released another BIOS "for stability", ALMOST 3 (to 4?) yrs after the motherboard was released and some 18 months after their prior BIOS release! That doesn't reassure me as to their quality. I am now running this newer PC on drivers I downloaded from Intel (not ASUS, even though back in 2012 Intel tech support told me I should be using the manufacturer's drivers). From now on, it's Intel everything for me (my other PC is all Intel and it was SO much easier to "re-build"). A lot of people might not be in the "same boat" as me, but a few hundred dollars difference is not a concern to me WHEN I use my PCs for business purposes and these problems have more or less kept me off my PCs for a month. I hope you appreciate all my "wisdom" (hee, hee) here... because I wanted to help others when I should be getting immediately back to "my stocks"...

SO NOW I really do have to get back to my investments.... ( "What's Your Decade, Man?" )

I hope my dreadful experience can help you.

Miles

PS: ATT Uverse customers get a "full suite" McAfee anti-virus. Given prior issues with McAfee, I was using both AVG and Avast (free). It appears the virus "got by" the "As" (and even McAfee couldn't find anything "pre-wipe"), so now I'm using McAfee via ATT.

Edited by MILESCFA, 05 December 2014 - 01:18 PM.


#5 nasdaq (Malware Response Team, 40,537 posts, Location: Montreal, QC. Canada)

Posted 11 December 2014 - 09:01 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
