ZeroAccess rootkit has me completely stumped. Help!!


This topic is locked. 21 replies to this topic.

#1 Egobrane (Members, 12 posts)

Posted 07 December 2014 - 04:59 PM

Hey all, long time browser and downloader to this site but first time poster. I work as a systems support technician for a decent sized company and play a big role in the running operations of our IT infrastructure. I also repair computers on the side when I'm not at work. This laptop I just received however has me completely stumped.

 

The virus has placed severe restrictions on the only active user account. I've located the restrictions at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\GPExtensions, and of course I'm unable to change them. I'm unable to run any antivirus or malware fighting applications that I normally use, with the exception of Farbar Recovery Scan Tool. I can't change any administrative functions such as adding the guest account or changing the accounts that can log in. The only other active user account is $HOMEGROUP_USER and I do not know how to access it. I am however able to modify the registry group in HKCU.

 

Trying to perform administrative tasks alerts me that they are all blocked by group policy. Trying to launch security tools tells me that my system administrator has blocked the application.

 

The applications I've tried to run (and failed) are:

Malwarebytes
AVG
RogueKiller
rkill
combokill
Malwarebytes Anti-Rootkit
tdsskiller
JRT
adwcleaner
HitmanPro

 

I've tried all of these in safe mode and have tried to change the names and remove the properties of them. I've also tried to boot into a Windows NT account recovery disk to change the password and enable the other accounts, but it hangs at "booting kernel...", which tells me this is a rootkit.

 

I discussed reformatting with the client but he has lots of old family pictures he does not want to lose (comes from a big Puerto Rican family) and various documents needed in unspecified locations.

 

To be honest I also have a chip on my shoulder because I've never encountered malware that I was unable to remove until now, so I'm asking for some much needed help from people more trained and professional than I.

 

As far as I can tell the primary restriction that won't let me go any further are these brutal group policy settings. In Safe mode there are no listed bad processes and they all appear legitimate. Below are the results of FRST64 - this was the only application I could run... I ran it in safe mode if that matters.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-12-2014 01
Ran by Jose (ATTENTION: The logged in user is not administrator) on PABON on 07-12-2014 16:06:42
Running from D:\
Loaded Profile: Jose (Available profiles: Jose)
Platform: Windows 8 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\regedit.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McUICnt.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13538376 2013-05-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1307720 2013-04-24] (Realtek Semiconductor)
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [fst_us_239] => [X]
HKLM-x32\...\Run: [AnyProtect Scanner] => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe [17071616 2014-09-02] (AnyProtect.com)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132224 2013-02-28] ( (Qualcomm Atheros Commnucations))
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Run: [AcerCloud] => C:\Program Files (x86)\Acer\Acer Portal\acpanel_win.exe [2524416 2014-06-30] ()
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Run: [GoogleChromeAutoLaunch_8689F7E34788311E37318B02CC8C518C] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [860488 2014-08-06] (Google Inc.)
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Run: [perkda] => C:\Program Files (x86)\Perk Prize Panel\pdr.exe [221184 2014-04-14] ()
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
IFEO\DatamngrCoordinator.exe: [Debugger] tasklist.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Jose\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:55211;https=127.0.0.1:55211
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfod&q={searchTerms}
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfod&q={searchTerms}
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://t.msn.com/
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer13.msn.com/
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL =
SearchScopes: HKLM-x32 -> DefaultScope 006ee092-9658-4fd6-bd8e-a21a348e59f5 URL =
SearchScopes: HKLM-x32 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfoa&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
SearchScopes: HKU\.DEFAULT -> {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
SearchScopes: HKU\S-1-5-21-1568040461-2792508260-1395258070-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1568040461-2792508260-1395258070-1001 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfod&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1568040461-2792508260-1395258070-1001 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKU\S-1-5-21-1568040461-2792508260-1395258070-1001 -> {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
BHO: IMinent WebBooster (BHO) -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} -> C:\Program Files (x86)\Iminent\Minibar.InternetExplorer.BHOx64.dll No File
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: No Name -> {84FF7BD6-B47F-46F8-9130-01B2696B36CB} ->  No File
BHO-x32: No Name -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} ->  No File
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKU\S-1-5-21-1568040461-2792508260-1395258070-1001 -> No Name - {504C5453-4F43-2D53-5000-7A786E7484D7} -  No File
DPF: HKLM-x32 {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} https://www36.verizon.com/FiOSVoice/UnProtected/FiosVoiceVMUtil.CAB
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
Hosts: 127.0.0.1            d3oxij66pru1i3.cloudfront.net
Tcpip\Parameters: [DhcpNameServer] 65.32.5.111 65.32.5.112 192.168.1.1
Tcpip\Parameters: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{220025FD-E1A0-4F21-9736-150BCF17A071}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{4B5CA3CB-995A-40DC-ADE9-DF369AF8D0F2}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{633A3964-B654-423E-AE3A-1E7BD95024C6}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{97e1de57-d6fa-11e1-be62-806e6f6e6963}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{A64C2227-EEEF-4667-8335-8125D9EFD984}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{C02CAB3E-C922-4371-A1DD-E72CF76EF979}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{DBB9C189-F540-420B-949E-091A47B3341B}: [NameServer] 184.172.114.130,208.43.110.90

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_239.dll ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.5.20 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll No File
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2013-05-13]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2013-05-13]
FF HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Firefox\Extensions: [pp@perk.com] - C:\Program Files (x86)\Perk Prize Panel\FF

Chrome:
=======
CHR Profile: C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (aapbdbdomjkkjkaonfhkkikfgjllcleb) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2014-09-07]
CHR Extension: (Speedial) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\bakijjialdiiboeaknfpmflphhmljfkd [2014-06-25]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-30]
CHR Extension: (Groovorio New Tab) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm [2014-09-02]
CHR Extension: (videos MediaPlayer+) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\bonfagbdfepfbhjgolfalmgldfbgjodi [2014-09-02]
CHR Extension: (Iminent Lite) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbljechdpodpbchbmjcoamidppmpnmlc [2014-09-02]
CHR Extension: (Hangouts) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\nckgahadagoaajjgafhacjanaoiihapd [2014-08-12]
CHR Extension: (Google Wallet) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-04]
CHR HKLM\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - No Path
CHR HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - No Path
CHR HKLM-x32\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - No Path
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [eihhgekonheiliaidomffpplfhecmkag] - No Path
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - No Path
CHR HKLM-x32\...\Chrome\Extension: [nbljechdpodpbchbmjcoamidppmpnmlc] - No Path

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [227968 2013-02-28] (Qualcomm Atheros Commnucations)
S3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [660040 2013-01-18] (Acer Incorporated)
S2 f1f78e38; c:\ProgramData\WinSpeed\WinSpeedSvc.dll [186192 2014-08-21] () [File not signed]
S2 GlobalUpdater; C:\Program Files (x86)\Common Files\IMGUpdater\IMGUpdater.exe [378152 2014-08-13] (SIEN S.A.)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [731648 2013-02-13] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-03-20] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-03-20] (Intel Corporation)
S2 LeapFrog Connect Device Service; C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe [7393280 2013-11-27] (LeapFrog Enterprises, Inc.) [File not signed]
S2 lmhosts; C:\Windows\system32\svchost.exe [29696 2013-04-21] (Microsoft Corporation)
S2 lmhosts; C:\Windows\SysWOW64\svchost.exe [23040 2013-04-21] (Microsoft Corporation)
S2 LMSvc; C:\Program Files\Acer\Acer Launch Manager\LMSvc.exe [431656 2013-04-25] (Acer Incorporate)
S2 McAfee SiteAdvisor Service; c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [155856 2014-06-03] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178048 2013-11-28] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\mcafee\actwiz\McAWFwk.exe [334760 2012-12-21] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 MfeASUM; C:\Program Files\McAfee\AppStats\MfeASUM.exe [335216 2013-10-31] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1025232 2013-12-11] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219272 2013-12-05] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [184800 2013-12-05] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 NlaSvc; C:\Windows\System32\svchost.exe [29696 2013-04-21] (Microsoft Corporation)
S2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [23040 2013-04-21] (Microsoft Corporation)
S2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3943104 2012-08-15] (Symantec Corporation)
S2 nsi; C:\Windows\system32\svchost.exe [29696 2013-04-21] (Microsoft Corporation)
S2 nsi; C:\Windows\SysWOW64\svchost.exe [23040 2013-04-21] (Microsoft Corporation)
S2 pcregservice; C:\Program Files\pcreg\pcreg.exe [249024 2014-04-25] ()
S2 SupraSavingsService64; C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\SupraSavingsService64.exe [172544 2014-06-25] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16032 2014-09-22] (Microsoft Corporation)
S2 wpennybeed; C:\ProgramData\pennybee\wpennybeed.exe [240128 2014-06-24] (Penny Bee Agent) [File not signed]
S2 pennybee; "C:\PROGRA~3\pennybee\pennybee.exe" /task=4 /InstallOn=0 /closebr=0 /active=24 /update=24 /interval=2880 /pubId=1004 /affId=10040004 /appId=116 /uId=1555C9A6-6BCC-46F4-B510-A4F19D62A1A4 /version= /Override=0 /regAppName=pennybee /curSID= /logf=\10040004_loger_06_12_00_32_11_-1987315651.txt /mac=BC8556E6740B /tst=none /ts2=1 [X]
S2 Update fassurun; "C:\Program Files (x86)\fassurun\updatefassurun.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [5139968 2012-06-02] (Broadcom Corporation)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-02-28] (Qualcomm Atheros)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-25] (Microsoft Corporation)
S1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-12-05] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-01-09] (Acer Incorporated)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-03-20] (Intel Corporation)
S2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179792 2013-12-05] (McAfee, Inc.)
S1 MfeASKM; C:\Program Files\McAfee\AppStats\MfeASKM.sys [31408 2013-10-31] (McAfee, Inc.)
S2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311120 2013-12-05] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [69344 2013-12-05] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [519576 2013-12-05] (McAfee, Inc.)
S2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782616 2013-12-05] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [411944 2013-11-26] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [96112 2013-11-26] (McAfee, Inc.)
S2 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [343696 2013-12-05] (McAfee, Inc.)
S1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [46376 2014-06-12] (NetFilterSDK.com)
S3 QRDCIO; C:\Windows\System32\drivers\QRDCIO.sys [9728 2009-10-20] (QUANTA)
R3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [15704 2013-01-09] (Acer Incorporated)
S3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [455240 2013-03-05] (RTS Corporation)
S1 {55dce8ba-9dec-4013-937e-adbf9317d990}w64; C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys [61072 2014-07-30] (StdLib)
S1 {9d5747ee-0448-4681-8337-1555de75a3b6}Gw64; C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys [61120 2014-05-06] (StdLib)
S1 {fef7f75c-f985-4250-96f9-8183cd04238b}w64; C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys [61080 2014-09-02] (StdLib)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-07 16:05 - 2014-12-07 16:06 - 00000000 ____D () C:\FRST
2014-12-07 15:27 - 2014-12-07 15:27 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-12-05 21:59 - 2014-12-05 21:59 - 00002215 _____ () C:\Users\Jose\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tech Live Connect Technical Support.lnk
2014-12-05 21:59 - 2014-12-05 21:59 - 00000000 ____D () C:\Users\Jose\AppData\Local\LogMeIn Rescue Applet
2014-12-01 15:10 - 2014-12-05 22:44 - 00000376 _____ () C:\Windows\Tasks\APSnotifierPP3.job
2014-12-01 06:06 - 2014-12-01 06:06 - 00578144 _____ () C:\Users\Jose\Downloads\Installation.exe
2014-12-01 05:23 - 2014-12-01 05:23 - 00328568 _____ (Swift Installer ) C:\Users\Jose\Downloads\fl_setup.exe
2014-11-30 23:59 - 2014-11-19 02:29 - 00582552 _____ (Microsoft Corporation) C:\Windows\system32\AutoUpdate.exe
2014-11-30 23:59 - 2014-11-19 02:29 - 00462760 _____ (Microsoft Corporation) C:\Windows\system32\NotificationUI.exe
2014-11-26 23:07 - 2014-11-26 23:07 - 00910104 _____ () C:\Users\Jose\Downloads\Setup v2 1.exe
2014-11-25 23:52 - 2014-12-07 15:19 - 00000764 _____ () C:\Windows\Tasks\pennybee Runner.job
2014-11-22 03:20 - 2014-11-05 01:40 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-22 03:20 - 2014-11-05 01:38 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-22 03:20 - 2014-11-04 22:16 - 00556544 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 02237952 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 01409536 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 00915968 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\UXInit.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-22 03:20 - 2014-10-25 20:55 - 19284480 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-22 03:20 - 2014-10-25 20:55 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-22 03:20 - 2014-10-25 20:55 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-22 03:20 - 2014-10-25 20:55 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 15399424 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 02655232 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-22 03:20 - 2014-10-25 20:53 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-22 03:20 - 2014-10-25 19:36 - 01762816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 14368768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00044032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UXInit.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 13758464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 02055168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-22 03:20 - 2014-10-25 19:34 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-22 03:20 - 2014-10-25 19:19 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-22 03:20 - 2014-10-25 19:13 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-22 03:20 - 2014-10-25 16:48 - 00534528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll
2014-11-22 03:20 - 2014-10-02 20:21 - 00522728 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-22 03:20 - 2014-10-02 17:29 - 00783872 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-22 03:20 - 2014-10-02 17:29 - 00267264 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-22 03:20 - 2014-10-02 17:29 - 00169472 _____ (Microsoft Corporation) C:\Windows\system32\AudioEndpointBuilder.dll
2014-11-22 03:20 - 2014-10-01 18:05 - 04068864 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-22 03:20 - 2014-09-22 00:53 - 00035320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdBoot.sys
2014-11-22 03:20 - 2014-08-26 17:08 - 00270024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdFilter.sys
2014-11-22 03:19 - 2014-09-13 01:24 - 02233152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-11-22 03:19 - 2014-09-05 19:46 - 00389176 _____ () C:\Windows\system32\ApnDatabase.xml
2014-11-22 03:19 - 2014-09-02 21:48 - 00457728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2014-11-22 03:19 - 2014-09-02 21:48 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2014-11-22 03:19 - 2014-09-02 21:22 - 00188928 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2014-11-22 03:19 - 2014-09-02 21:21 - 00623104 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2014-11-22 03:19 - 2014-09-02 21:21 - 00212992 _____ (Microsoft Corporation) C:\Windows\system32\dnsrslvr.dll
2014-11-22 03:19 - 2014-08-28 23:17 - 02043392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-11-22 03:19 - 2014-08-28 23:17 - 00227328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-11-22 03:19 - 2014-08-28 23:04 - 02837504 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2014-11-22 03:19 - 2014-08-28 23:04 - 00309248 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2014-11-22 03:19 - 2014-08-28 01:04 - 00499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FXSCOMEX.dll
2014-11-22 03:19 - 2014-08-28 01:04 - 00227840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FXSAPI.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00616448 _____ (Microsoft Corporation) C:\Windows\system32\FXSAPI.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00609280 _____ (Microsoft Corporation) C:\Windows\system32\FXSCOMEX.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00432640 _____ (Microsoft Corporation) C:\Windows\system32\FXSTIFF.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00254976 _____ (Microsoft Corporation) C:\Windows\system32\FXST30.dll
2014-11-22 03:19 - 2014-07-24 08:12 - 00328512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Classpnp.sys
2014-11-22 03:14 - 2014-10-18 03:44 - 00778240 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-22 03:14 - 2014-10-18 02:05 - 00567808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-22 03:04 - 2014-11-08 06:22 - 00238080 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-22 03:04 - 2014-11-08 06:21 - 00827904 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-22 03:04 - 2014-11-08 01:57 - 00187904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2014-11-22 03:04 - 2014-11-08 01:56 - 00666624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-22 03:04 - 2014-10-23 07:47 - 00079872 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-22 03:04 - 2014-10-23 06:04 - 00068096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-22 03:04 - 2014-10-11 03:35 - 00171840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-22 03:04 - 2014-10-11 02:45 - 10115072 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 03248640 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 00588288 _____ (Microsoft Corporation) C:\Windows\system32\SHCore.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 00393216 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2014-11-22 03:04 - 2014-10-11 02:43 - 02307072 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2014-11-22 03:04 - 2014-10-11 02:43 - 01281536 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-22 03:04 - 2014-10-11 00:58 - 08858624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2014-11-22 03:04 - 2014-10-11 00:57 - 02416640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-11-22 03:04 - 2014-10-11 00:57 - 00452608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SHCore.dll
2014-11-22 03:04 - 2014-10-11 00:57 - 00295424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2014-11-22 03:04 - 2014-10-11 00:56 - 02037760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2014-11-22 03:04 - 2014-10-11 00:41 - 00713728 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-22 03:04 - 2014-10-11 00:41 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-22 03:04 - 2014-10-11 00:05 - 00146944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-22 03:04 - 2014-10-11 00:04 - 00713728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-22 03:04 - 2014-09-24 18:29 - 00318976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-22 03:04 - 2014-09-24 18:29 - 00072192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncryptsslp.dll
2014-11-22 03:04 - 2014-09-24 18:01 - 00414208 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-22 03:04 - 2014-09-24 18:01 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\ncryptsslp.dll
2014-11-22 03:04 - 2014-08-21 18:56 - 01418752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-22 03:04 - 2014-08-21 18:27 - 01845760 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-07 16:06 - 2014-07-03 18:01 - 00000000 ____D () C:\Users\Jose\AppData\Local\CrashDumps
2014-12-07 15:19 - 2012-07-26 02:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-06 00:22 - 2012-07-26 02:21 - 00436964 _____ () C:\Windows\setupact.log
2014-12-06 00:12 - 2014-07-31 07:12 - 00000300 _____ () C:\Windows\Tasks\Astromenda.job
2014-12-06 00:11 - 2013-11-04 13:34 - 00000906 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-05 22:44 - 2014-09-03 04:50 - 00000378 _____ () C:\Windows\Tasks\APSnotifierPP1.job
2014-12-05 22:44 - 2014-09-03 04:50 - 00000376 _____ () C:\Windows\Tasks\APSnotifierPP2.job
2014-12-05 22:10 - 2013-12-25 16:24 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-05 22:00 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\system32\sru
2014-12-05 21:20 - 2013-06-12 00:57 - 01455506 _____ () C:\Windows\WindowsUpdate.log
2014-12-05 20:59 - 2014-09-02 16:44 - 00002662 _____ () C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job
2014-12-05 20:59 - 2014-09-02 16:44 - 00001342 _____ () C:\Windows\Tasks\GNNZ.job
2014-12-05 20:59 - 2014-09-02 16:44 - 00001338 _____ () C:\Windows\Tasks\CW.job
2014-12-05 20:59 - 2014-04-03 20:56 - 00000914 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job
2014-12-02 02:32 - 2013-11-16 10:11 - 00000000 ____D () C:\Users\Jose\Documents\Financials
2014-12-02 02:10 - 2014-06-26 18:56 - 00000000 ____D () C:\Program Files\SupraSavings
2014-12-02 01:22 - 2013-11-22 01:07 - 00000000 ____D () C:\Users\Jose\Documents\Bluetooth Folder
2014-12-01 00:05 - 2012-07-26 02:59 - 00000000 ____D () C:\Windows\CbsTemp
2014-11-25 20:10 - 2012-07-26 02:28 - 00848230 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-25 01:47 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\rescache
2014-11-25 01:20 - 2013-05-13 01:40 - 00062640 _____ () C:\Windows\PFRO.log
2014-11-23 23:41 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-11-23 14:59 - 2014-10-23 09:48 - 00429976 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-23 14:24 - 2014-07-10 20:59 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ____D () C:\Program Files\Windows Defender
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2014-11-23 14:23 - 2012-07-26 03:12 - 00000000 ___RD () C:\Windows\ToastData
2014-11-22 03:22 - 2013-11-11 19:03 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-22 03:18 - 2013-11-11 19:03 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-21 01:43 - 2013-10-31 22:46 - 00000000 ____D () C:\Users\Jose
2014-11-20 15:56 - 2014-10-21 13:45 - 00713672 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-11-20 15:56 - 2014-10-21 13:45 - 00106440 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

Some content of TEMP:
====================
C:\Users\Jose\AppData\Local\Temp\1tz-urlx.dll
C:\Users\Jose\AppData\Local\Temp\6_Offer_15.exe
C:\Users\Jose\AppData\Local\Temp\airB9D2.exe
C:\Users\Jose\AppData\Local\Temp\airBD20.exe
C:\Users\Jose\AppData\Local\Temp\BackupSetup.exe
C:\Users\Jose\AppData\Local\Temp\c3ef7dbj.dll
C:\Users\Jose\AppData\Local\Temp\Cloud_Backup_Setup.exe
C:\Users\Jose\AppData\Local\Temp\comscore_010414070912.exe
C:\Users\Jose\AppData\Local\Temp\dlLogic.exe
C:\Users\Jose\AppData\Local\Temp\dltr.exe
C:\Users\Jose\AppData\Local\Temp\DM1393816422.exe
C:\Users\Jose\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpctdmuh.dll
C:\Users\Jose\AppData\Local\Temp\embededstub.exe
C:\Users\Jose\AppData\Local\Temp\EnableExtDll.dll
C:\Users\Jose\AppData\Local\Temp\fassurun_di.exe
C:\Users\Jose\AppData\Local\Temp\file_139077.exe
C:\Users\Jose\AppData\Local\Temp\file_3846315839.exe
C:\Users\Jose\AppData\Local\Temp\file_to_run55304.exe
C:\Users\Jose\AppData\Local\Temp\file_to_run5596.exe
C:\Users\Jose\AppData\Local\Temp\GCVerifier.dll
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_1.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_2.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_3.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_4.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_5.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_6.exe
C:\Users\Jose\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\Jose\AppData\Local\Temp\Launcher.exe
C:\Users\Jose\AppData\Local\Temp\mMamStub.exe
C:\Users\Jose\AppData\Local\Temp\npihmf-d.dll
C:\Users\Jose\AppData\Local\Temp\nsa3122.tmp.exe
C:\Users\Jose\AppData\Local\Temp\nsaA3CA.exe
C:\Users\Jose\AppData\Local\Temp\nseF18E.exe
C:\Users\Jose\AppData\Local\Temp\nsfF44E.exe
C:\Users\Jose\AppData\Local\Temp\nsg18D4.exe
C:\Users\Jose\AppData\Local\Temp\nsi578F.exe
C:\Users\Jose\AppData\Local\Temp\nsiC1AC.exe
C:\Users\Jose\AppData\Local\Temp\nsiFB30.exe
C:\Users\Jose\AppData\Local\Temp\nsk753C.exe
C:\Users\Jose\AppData\Local\Temp\nsk9597.exe
C:\Users\Jose\AppData\Local\Temp\nsnAF8F.exe
C:\Users\Jose\AppData\Local\Temp\nsoC5C3.exe
C:\Users\Jose\AppData\Local\Temp\nspF91.exe
C:\Users\Jose\AppData\Local\Temp\nsq777F.exe
C:\Users\Jose\AppData\Local\Temp\nsqAE7B.exe
C:\Users\Jose\AppData\Local\Temp\nsr555B.exe
C:\Users\Jose\AppData\Local\Temp\nst1BA0.exe
C:\Users\Jose\AppData\Local\Temp\nst91DD.exe
C:\Users\Jose\AppData\Local\Temp\nstA90B.exe
C:\Users\Jose\AppData\Local\Temp\nsx1863.exe
C:\Users\Jose\AppData\Local\Temp\nszB1F2.exe
C:\Users\Jose\AppData\Local\Temp\ose00000.exe
C:\Users\Jose\AppData\Local\Temp\post1.exe
C:\Users\Jose\AppData\Local\Temp\post2.dll
C:\Users\Jose\AppData\Local\Temp\post2.exe
C:\Users\Jose\AppData\Local\Temp\ryj8vl55.dll
C:\Users\Jose\AppData\Local\Temp\SearchProtectINT.exe
C:\Users\Jose\AppData\Local\Temp\SPSetup.exe
C:\Users\Jose\AppData\Local\Temp\tmut13817.dll
C:\Users\Jose\AppData\Local\Temp\verifier.exe
C:\Users\Jose\AppData\Local\Temp\vlc-2.1.2-win32.exe
C:\Users\Jose\AppData\Local\Temp\WindowShopper.exe
C:\Users\Jose\AppData\Local\Temp\_ufkmsix.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD, see Addition.txt for additional information.

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-12-2014 01
Ran by Jose at 2014-12-07 16:07:43
Running from D:\
Boot Mode: Safe Mode (minimal)
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee Anti-Virus and Anti-Spyware (Disabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee Anti-Virus and Anti-Spyware (Disabled - Out of date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall (Disabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acer Docs Office AddIn (HKLM-x32\...\{DCBF3379-246B-47E1-8173-639B63940838}) (Version: 3.01.2001 - Acer)
Acer Launch Manager (HKLM\...\{C18D55BD-1EC6-466D-B763-8EEDDDA9100E}) (Version: 8.00.3004 - Acer Incorporated)
Acer Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.3012 - Acer Incorporated)
Acer Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.3016 - Acer Incorporated)
Acer USB Charge Manager (HKLM\...\{07E867C5-0C48-40FF-A013-DDAF4565AD47}) (Version: 2.00.3004 - Acer Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.239 - Adobe Systems Incorporated)
Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Canon MP250 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series) (Version:  - )
Cradle Of Egypt Collector's Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
CyberLink MediaEspresso 6.5 (HKLM-x32\...\InstallShield_{E3739848-5329-48E3-8D28-5BBD6E8BE384}) (Version: 6.5.3729_45993 - CyberLink Corp.)
Delicious: Emily's Childhood Memories Premium Edition (x32 Version: 3.0.2.32 - WildTangent) Hidden
Dolby Home Theater v4 (HKLM-x32\...\{B26438B4-BF51-49C3-9567-7F14A5E40CB9}) (Version: 7.2.8000.17 - Dolby Laboratories Inc)
Dora's World Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 36.0.1985.143 - Google Inc.)
Identity Card (HKLM-x32\...\{3D9CB654-99AD-4301-89C6-0D12A790767C}) (Version: 2.00.3006 - Acer Incorporated)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.0.1428 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.18.10.3165 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.5.0.1066 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 3.0.0.63463 - Intel Corporation)
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
LeapFrog Connect (HKLM-x32\...\UPCShell) (Version: 5.2.4.18506 - LeapFrog)
LeapFrog Connect (x32 Version: 5.2.4.18506 - LeapFrog) Hidden
LeapFrog My Pals Plugin (x32 Version: 5.1.26.18340 - LeapFrog) Hidden
Live Updater (HKLM-x32\...\{EE26E302-876A-48D9-9058-3129E5B99999}) (Version: 2.00.3010 - Acer Incorporated)
McAfee Internet Security Suite (HKLM-x32\...\MSC) (Version: 12.8.908 - McAfee, Inc.)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mystery P.I. - Curious Case of Counterfeit Cove (x32 Version: 2.2.0.98 - WildTangent) Hidden
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.2.3.51r2 - Symantec Corporation)
Norton Online Backup ARA (x32 Version: 4.1.0.14 - Symantec Corporation) Hidden
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.222 - Qualcomm Atheros Communications)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 11.43 - Qualcomm Atheros)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.14.327.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6909 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{C9661090-C134-46E8-90B2-76D72355C2A6}) (Version: 6.2.9200.21222 - Realtek Semiconductor Corp.)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Spotify (HKLM-x32\...\Spotify) (Version: 0.8.4.99.ga249b5f1 - Spotify AB)
Tales of Lagoona (x32 Version: 2.2.0.110 - WildTangent) Hidden
The Chronicles of Emerland Solitaire (x32 Version: 3.0.2.32 - WildTangent) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin) (HKLM-x32\...\MyPalsPlugin) (Version:  - LeapFrog)
Visual Studio 2005 Tools for Office Second Edition Runtime (HKLM-x32\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App (x32 Version: 4.0.10.5 - WildTangent) Hidden
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net  (09/10/2009 02.03.05.012) (HKLM\...\8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D) (Version: 09/10/2009 02.03.05.012 - Leapfrog)
WinSpeed (HKLM-x32\...\{5F189DF5-2D05-472B-9091-84D9848AE48B}{f1f78e38}) (Version:  - 24soft) <==== ATTENTION

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 00:26 - 2014-07-03 17:59 - 00000867 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1            d3oxij66pru1i3.cloudfront.net

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job => ? <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => ?
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\Astromenda.job => ?
Task: C:\Windows\Tasks\CW.job => ?
Task: C:\Windows\Tasks\GNNZ.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => ?
Task: C:\Windows\Tasks\pennybee Runner.job => ?
Task: C:\Windows\Tasks\Tempo Runner.job => ?

==================== Loaded Modules (whitelisted) =============

2010-01-30 05:40 - 2010-01-30 05:40 - 04254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-03-25 00:38 - 2010-03-25 00:38 - 08794976 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1568040461-2792508260-1395258070-500 - Administrator - Disabled)
Guest (S-1-5-21-1568040461-2792508260-1395258070-501 - Administrator - Disabled)
HomeGroupUser$ (S-1-5-21-1568040461-2792508260-1395258070-1003 - Administrator - Enabled)
Jose (S-1-5-21-1568040461-2792508260-1395258070-1001 - Limited - Enabled) => C:\Users\Jose

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/07/2014 04:06:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: FRST64.exe, version: 7.12.2014.1, time stamp: 0x5483afb5
Faulting module name: FRST64.exe, version: 7.12.2014.1, time stamp: 0x5483afb5
Exception code: 0xc0000005
Fault offset: 0x00000000000247c9
Faulting process id: 0x638
Faulting application start time: 0xFRST64.exe0
Faulting application path: FRST64.exe1
Faulting module path: FRST64.exe2
Report Id: FRST64.exe3
Faulting package full name: FRST64.exe4
Faulting package-relative application ID: FRST64.exe5

Error: (12/07/2014 04:06:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: FRST64.exe, version: 7.12.2014.1, time stamp: 0x5483afb5
Faulting module name: FRST64.exe, version: 7.12.2014.1, time stamp: 0x5483afb5
Exception code: 0xc0000005
Fault offset: 0x00000000000247c9
Faulting process id: 0x520
Faulting application start time: 0xFRST64.exe0
Faulting application path: FRST64.exe1
Faulting module path: FRST64.exe2
Report Id: FRST64.exe3
Faulting package full name: FRST64.exe4
Faulting package-relative application ID: FRST64.exe5

Error: (12/06/2014 00:33:26 AM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "select * from __InstanceModificationEvent where targetinstance isa '__ArbitratorConfiguration'" could not be reactivated in namespace "//./root" because of error 0x80041033. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root/subscription namespace does not exist. The query will be ignored.

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root/CIMV2 namespace does not exist. The query will be ignored.

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root namespace does not exist. The query will be ignored.

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root/CIMV2 namespace does not exist. The query will be ignored.

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __NamespaceOperationEvent" whose target class "__NamespaceOperationEvent" in //./root/subscription namespace does not exist. The query will be ignored.

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __NamespaceOperationEvent" whose target class "__NamespaceOperationEvent" in //./root namespace does not exist. The query will be ignored.

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __NamespaceOperationEvent" whose target class "__NamespaceOperationEvent" in //./root/CIMV2 namespace does not exist. The query will be ignored.


System errors:
=============
Error: (12/07/2014 04:07:43 PM) (Source: DCOM) (EventID: 10005) (User: PABON)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/07/2014 04:06:40 PM) (Source: DCOM) (EventID: 10005) (User: PABON)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/07/2014 04:06:31 PM) (Source: DCOM) (EventID: 10005) (User: PABON)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/07/2014 04:06:25 PM) (Source: DCOM) (EventID: 10005) (User: PABON)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/07/2014 04:06:20 PM) (Source: DCOM) (EventID: 10005) (User: PABON)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/07/2014 04:05:47 PM) (Source: DCOM) (EventID: 10005) (User: PABON)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/07/2014 04:05:42 PM) (Source: DCOM) (EventID: 10005) (User: PABON)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/07/2014 04:05:36 PM) (Source: DCOM) (EventID: 10005) (User: PABON)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/07/2014 04:05:29 PM) (Source: DCOM) (EventID: 10005) (User: PABON)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (12/07/2014 04:04:05 PM) (Source: DCOM) (EventID: 10005) (User: PABON)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}


Microsoft Office Sessions:
=========================
Error: (12/07/2014 04:06:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: FRST64.exe7.12.2014.15483afb5FRST64.exe7.12.2014.15483afb5c000000500000000000247c963801d01261aa0e665eD:\FRST64.exeD:\FRST64.exeea2dfe70-7e54-11e4-bf15-9a09af7c2ce9

Error: (12/07/2014 04:06:19 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: FRST64.exe7.12.2014.15483afb5FRST64.exe7.12.2014.15483afb5c000000500000000000247c952001d012619512c596D:\FRST64.exeD:\FRST64.exee36fd333-7e54-11e4-bf15-9a09af7c2ce9

Error: (12/06/2014 00:33:26 AM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: //./rootselect * from __InstanceModificationEvent where targetinstance isa '__ArbitratorConfiguration'0x80041033

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __SystemEvent__SystemEvent//./root/subscription

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __TimerEvent__TimerEvent//./root/CIMV2

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __SystemEvent__SystemEvent//./root

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __SystemEvent__SystemEvent//./root/CIMV2

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __NamespaceOperationEvent__NamespaceOperationEvent//./root/subscription

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __NamespaceOperationEvent__NamespaceOperationEvent//./root

Error: (12/06/2014 00:22:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __NamespaceOperationEvent__NamespaceOperationEvent//./root/CIMV2


==================== Memory info ===========================

Processor: Intel® Core™ i5-4200U CPU @ 1.60GHz
Percentage of memory in use: 11%
Total physical RAM: 7848.27 MB
Available physical RAM: 6951.4 MB
Total Pagefile: 9000.27 MB
Available Pagefile: 8093.51 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:681.39 GB) (Free:613.26 GB) NTFS
Drive d: () (Removable) (Total:3.63 GB) (Free:3.59 GB) FAT32

==================== MBR & Partition Table ==================

==================== End Of Log ============================


Edited by Egobrane, 07 December 2014 - 05:02 PM.



#2 fireman4it

fireman4it
    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 December 2014 - 07:44 PM

Hello Egobrane,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your logs. I will get back to you with instructions.

I can see why you're having so much trouble with this machine, as it is horribly infected. We will remove all the malware and see if you get the permissions back. If not, we may need to remove McAfee. Sometimes with these infections McAfee will block permissions.
 
1.
Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

WinSpeed

Additional instructions can be found here if needed.

2.
We need to remove the following extensions for Google Chrome when we get the chance.
CHR Extension: (aapbdbdomjkkjkaonfhkkikfgjllcleb) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2014-09-07]
CHR Extension: (videos MediaPlayer+) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\bonfagbdfepfbhjgolfalmgldfbgjodi [2014-09-02]
CHR Extension: (Iminent Lite) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbljechdpodpbchbmjcoamidppmpnmlc [2014-09-02]
CHR HKLM\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - No Path
CHR HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - No Path
CHR HKLM-x32\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - No Path
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [eihhgekonheiliaidomffpplfhecmkag] - No Path
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - No Path
CHR HKLM-x32\...\Chrome\Extension: [nbljechdpodpbchbmjcoamidppmpnmlc] - No Path

3.

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

Attached File: fixlist.txt (19.24KB)

This may not work in Safe Mode; if not, we will have to run it from the Recovery Options.

Let me know how the machine is running after all of this.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Egobrane

Egobrane
  • Topic Starter
  • Members
  • 12 posts

Posted 07 December 2014 - 08:32 PM

Hello fireman4it, I appreciate your fast response. I was able to remove some of the requested files, but not all of them. I can't modify anything at all in HKLM, and furthermore I have no privileges to uninstall anything from Add/Remove Programs. I was able to delete everything else though: the HKU registry key and the Chrome extensions. The FRST fix ran fine as well; below is the log generated:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-12-2014 01
Ran by Jose at 2014-12-07 20:21:17 Run:1
Running from D:\
Loaded Profile: Jose (Available profiles: Jose)
Boot Mode: Safe Mode (minimal)
==============================================

Content of fixlist:
*****************
HKLM-x32\...\Run: [fst_us_239] => [X]
HKLM-x32\...\Run: [AnyProtect Scanner] => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe [17071616 2014-09-02] (AnyProtect.com)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Run: [perkda] => C:\Program Files (x86)\Perk Prize Panel\pdr.exe [221184 2014-04-14] ()
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
IFEO\DatamngrCoordinator.exe: [Debugger] tasklist.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfod&q={searchTerms}
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfod&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL =
SearchScopes: HKLM-x32 -> DefaultScope 006ee092-9658-4fd6-bd8e-a21a348e59f5 URL =
SearchScopes: HKLM-x32 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfoa&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
SearchScopes: HKU\.DEFAULT -> {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
SearchScopes: HKU\S-1-5-21-1568040461-2792508260-1395258070-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1568040461-2792508260-1395258070-1001 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfod&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1568040461-2792508260-1395258070-1001 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKU\S-1-5-21-1568040461-2792508260-1395258070-1001 -> {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
BHO: IMinent WebBooster (BHO) -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} -> C:\Program Files (x86)\Iminent\Minibar.InternetExplorer.BHOx64.dll No File
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: No Name -> {84FF7BD6-B47F-46F8-9130-01B2696B36CB} ->  No File
BHO-x32: No Name -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} ->  No File
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKU\S-1-5-21-1568040461-2792508260-1395258070-1001 -> No Name - {504C5453-4F43-2D53-5000-7A786E7484D7} -  No File
FF HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Firefox\Extensions: [pp@perk.com] - C:\Program Files (x86)\Perk Prize Panel\FF
S2 f1f78e38; c:\ProgramData\WinSpeed\WinSpeedSvc.dll [186192 2014-08-21] () [File not signed]
c:\ProgramData\WinSpeed
S2 SupraSavingsService64; C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\SupraSavingsService64.exe [172544 2014-06-25] () [File not signed]
S2 wpennybeed; C:\ProgramData\pennybee\wpennybeed.exe [240128 2014-06-24] (Penny Bee Agent) [File not signed]
S2 pennybee; "C:\PROGRA~3\pennybee\pennybee.exe" /task=4 /InstallOn=0 /closebr=0 /active=24 /update=24 /interval=2880 /pubId=1004 /affId=10040004 /appId=116 /uId=1555C9A6-6BCC-46F4-B510-A4F19D62A1A4 /version= /Override=0 /regAppName=pennybee /curSID= /logf=\10040004_loger_06_12_00_32_11_-1987315651.txt /mac=BC8556E6740B /tst=none /ts2=1 [X]
S2 Update fassurun; "C:\Program Files (x86)\fassurun\updatefassurun.exe" [X]
C:\ProgramData\pennybee
S2 pcregservice; C:\Program Files\pcreg\pcreg.exe [249024 2014-04-25] ()
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
C:\Program Files\pcreg
C:\Program Files (x86)\fassurun
C:\ProgramData\pennybee
C:\Program Files (x86)\AnyProtectEx
S1 {55dce8ba-9dec-4013-937e-adbf9317d990}w64; C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys [61072 2014-07-30] (StdLib)
S1 {9d5747ee-0448-4681-8337-1555de75a3b6}Gw64; C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys [61120 2014-05-06] (StdLib)
S1 {fef7f75c-f985-4250-96f9-8183cd04238b}w64; C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys [61080 2014-09-02] (StdLib)
2014-11-25 23:52 - 2014-12-07 15:19 - 00000764 _____ () C:\Windows\Tasks\pennybee Runner.job
2014-12-02 02:10 - 2014-06-26 18:56 - 00000000 ____D () C:\Program Files\SupraSavings
C:\Users\Jose\AppData\Local\Temp\1tz-urlx.dll
C:\Users\Jose\AppData\Local\Temp\6_Offer_15.exe
C:\Users\Jose\AppData\Local\Temp\airB9D2.exe
C:\Users\Jose\AppData\Local\Temp\airBD20.exe
C:\Users\Jose\AppData\Local\Temp\BackupSetup.exe
C:\Users\Jose\AppData\Local\Temp\c3ef7dbj.dll
C:\Users\Jose\AppData\Local\Temp\Cloud_Backup_Setup.exe
C:\Users\Jose\AppData\Local\Temp\comscore_010414070912.exe
C:\Users\Jose\AppData\Local\Temp\dlLogic.exe
C:\Users\Jose\AppData\Local\Temp\dltr.exe
C:\Users\Jose\AppData\Local\Temp\DM1393816422.exe
C:\Users\Jose\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpctdmuh.dll
C:\Users\Jose\AppData\Local\Temp\embededstub.exe
C:\Users\Jose\AppData\Local\Temp\EnableExtDll.dll
C:\Users\Jose\AppData\Local\Temp\fassurun_di.exe
C:\Users\Jose\AppData\Local\Temp\file_139077.exe
C:\Users\Jose\AppData\Local\Temp\file_3846315839.exe
C:\Users\Jose\AppData\Local\Temp\file_to_run55304.exe
C:\Users\Jose\AppData\Local\Temp\file_to_run5596.exe
C:\Users\Jose\AppData\Local\Temp\GCVerifier.dll
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_1.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_2.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_3.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_4.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_5.exe
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_6.exe
C:\Users\Jose\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\Jose\AppData\Local\Temp\Launcher.exe
C:\Users\Jose\AppData\Local\Temp\mMamStub.exe
C:\Users\Jose\AppData\Local\Temp\npihmf-d.dll
C:\Users\Jose\AppData\Local\Temp\nsa3122.tmp.exe
C:\Users\Jose\AppData\Local\Temp\nsaA3CA.exe
C:\Users\Jose\AppData\Local\Temp\nseF18E.exe
C:\Users\Jose\AppData\Local\Temp\nsfF44E.exe
C:\Users\Jose\AppData\Local\Temp\nsg18D4.exe
C:\Users\Jose\AppData\Local\Temp\nsi578F.exe
C:\Users\Jose\AppData\Local\Temp\nsiC1AC.exe
C:\Users\Jose\AppData\Local\Temp\nsiFB30.exe
C:\Users\Jose\AppData\Local\Temp\nsk753C.exe
C:\Users\Jose\AppData\Local\Temp\nsk9597.exe
C:\Users\Jose\AppData\Local\Temp\nsnAF8F.exe
C:\Users\Jose\AppData\Local\Temp\nsoC5C3.exe
C:\Users\Jose\AppData\Local\Temp\nspF91.exe
C:\Users\Jose\AppData\Local\Temp\nsq777F.exe
C:\Users\Jose\AppData\Local\Temp\nsqAE7B.exe
C:\Users\Jose\AppData\Local\Temp\nsr555B.exe
C:\Users\Jose\AppData\Local\Temp\nst1BA0.exe
C:\Users\Jose\AppData\Local\Temp\nst91DD.exe
C:\Users\Jose\AppData\Local\Temp\nstA90B.exe
C:\Users\Jose\AppData\Local\Temp\nsx1863.exe
C:\Users\Jose\AppData\Local\Temp\nszB1F2.exe
C:\Users\Jose\AppData\Local\Temp\ose00000.exe
C:\Users\Jose\AppData\Local\Temp\post1.exe
C:\Users\Jose\AppData\Local\Temp\post2.dll
C:\Users\Jose\AppData\Local\Temp\post2.exe
C:\Users\Jose\AppData\Local\Temp\ryj8vl55.dll
C:\Users\Jose\AppData\Local\Temp\SearchProtectINT.exe
C:\Users\Jose\AppData\Local\Temp\SPSetup.exe
C:\Users\Jose\AppData\Local\Temp\tmut13817.dll
C:\Users\Jose\AppData\Local\Temp\verifier.exe
C:\Users\Jose\AppData\Local\Temp\vlc-2.1.2-win32.exe
C:\Users\Jose\AppData\Local\Temp\WindowShopper.exe
C:\Users\Jose\AppData\Local\Temp\_ufkmsix.dll
Task: C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job => ? <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => ?
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\Astromenda.job => ?
Task: C:\Windows\Tasks\CW.job => ?
Task: C:\Windows\Tasks\GNNZ.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => ?
Task: C:\Windows\Tasks\pennybee Runner.job => ?
Task: C:\Windows\Tasks\Tempo Runner.job => ?



*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\fst_us_239 => Value could not be deleted.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AnyProtect Scanner => Value could not be deleted.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoControlPanel => Value could not be deleted.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value could not be deleted.
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Windows\CurrentVersion\Run\\perkda => value deleted successfully.
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value could not be deleted.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\DatamngrCoordinator.exe" => Error deleting key. The key could be protected.

"C:\Windows\system32\GroupPolicy\Machine" directory move:

Could not move "C:\Windows\system32\GroupPolicy\Machine\Registry.pol" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\GroupPolicy\Machine" directory. => Scheduled to move on reboot.

Could not move "C:\Windows\system32\GroupPolicy\GPT.ini" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Policies\Google" => Error deleting key. The key could be protected.
"HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Error deleting key. The key could be protected.
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main\\Search Bar => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Secondary Start Pages => Value could not be deleted.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => Error deleting key. The key could be protected.
"HKCR\CLSID\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CC865B26-C31D-4D23-B17B-96548EEF03F6}" => Error deleting key. The key could be protected.
"HKCR\CLSID\{CC865B26-C31D-4D23-B17B-96548EEF03F6}" => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Error setting value.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}" => Error deleting key. The key could be protected.
"HKCR\Wow6432Node\CLSID\{006ee092-9658-4fd6-bd8e-a21a348e59f5}" => Key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value could not be deleted.
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9C234A3C-49C9-45C0-AE72-75DA67DA969C}" => Error deleting key. The key could be protected.
"HKCR\CLSID\{9C234A3C-49C9-45C0-AE72-75DA67DA969C}" => Key not found.
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}" => Key not found.
"HKCR\CLSID\{006ee092-9658-4fd6-bd8e-a21a348e59f5}" => Key not found.
"HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => Key not found.
"HKCR\CLSID\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => Key not found.
"HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9C234A3C-49C9-45C0-AE72-75DA67DA969C}" => Key not found.
"HKCR\CLSID\{9C234A3C-49C9-45C0-AE72-75DA67DA969C}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}" => Error deleting key. The key could be protected.
"HKCR\CLSID\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}" => Error deleting key. The key could be protected.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Error deleting key. The key could be protected.
"HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}" => Error deleting key. The key could be protected.
"HKCR\Wow6432Node\CLSID\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}" => Error deleting key. The key could be protected.
"HKCR\Wow6432Node\CLSID\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}" => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{ae07101b-46d4-4a98-af68-0333ea26e113} => Value could not be deleted.
"HKCR\CLSID\{ae07101b-46d4-4a98-af68-0333ea26e113}" => Error deleting key. The key could be protected.
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{504C5453-4F43-2D53-5000-7A786E7484D7} => value deleted successfully.
"HKCR\CLSID\{504C5453-4F43-2D53-5000-7A786E7484D7}" => Key not found.
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Mozilla\Firefox\Extensions\\pp@perk.com => value deleted successfully.
f1f78e38 => Error deleting Service

"c:\ProgramData\WinSpeed" directory move:

Could not move "c:\ProgramData\WinSpeed\WinSpeed.dll" => Scheduled to move on reboot.
Could not move "c:\ProgramData\WinSpeed\WinSpeedSvc.dll" => Scheduled to move on reboot.
Could not move "c:\ProgramData\WinSpeed\WinSpeed_x64.dll" => Scheduled to move on reboot.
Could not move "c:\ProgramData\WinSpeed" directory. => Scheduled to move on reboot.

SupraSavingsService64 => Error deleting Service
wpennybeed => Error deleting Service
pennybee => Error deleting Service
Update fassurun => Error deleting Service

"C:\ProgramData\pennybee" directory move:

C:\ProgramData\pennybee\wpennybeed.exe => Moved successfully.
Could not move "C:\ProgramData\pennybee" directory. => Scheduled to move on reboot.

pcregservice => Error deleting Service
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => Value could not be deleted.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\pcreg => Value could not be deleted.

"C:\Program Files\pcreg" directory move:

Could not move "C:\Program Files\pcreg\a.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg\msvcr100.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg\nodown.txt" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg\pcreg.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg\service.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg" directory. => Scheduled to move on reboot.

"C:\Program Files (x86)\fassurun" => File/Directory not found.

"C:\ProgramData\pennybee" directory move:

Could not move "C:\ProgramData\pennybee" directory. => Scheduled to move on reboot.


"C:\Program Files (x86)\AnyProtectEx" directory move:

Could not move "C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\AnyProtectEx\product.guid" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\AnyProtectEx" directory. => Scheduled to move on reboot.

{55dce8ba-9dec-4013-937e-adbf9317d990}w64 => Error deleting Service
{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64 => Error deleting Service
{fef7f75c-f985-4250-96f9-8183cd04238b}w64 => Error deleting Service
Could not move "C:\Windows\Tasks\pennybee Runner.job" => Scheduled to move on reboot.

"C:\Program Files\SupraSavings" directory move:

Could not move "C:\Program Files\SupraSavings\mfs6A20.tmp" => Scheduled to move on reboot.
Could not move "C:\Program Files\SupraSavings\mfsF01D.tmp" => Scheduled to move on reboot.
Could not move "C:\Program Files\SupraSavings\mfsFE0E.tmp" => Scheduled to move on reboot.
Could not move "C:\Program Files\SupraSavings" directory. => Scheduled to move on reboot.

C:\Users\Jose\AppData\Local\Temp\1tz-urlx.dll => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\6_Offer_15.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\airB9D2.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\airBD20.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\BackupSetup.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\c3ef7dbj.dll => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\Cloud_Backup_Setup.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\comscore_010414070912.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\dlLogic.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\dltr.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\DM1393816422.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpctdmuh.dll => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\embededstub.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\EnableExtDll.dll => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\fassurun_di.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\file_139077.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\file_3846315839.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\file_to_run55304.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\file_to_run5596.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\GCVerifier.dll => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_1.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_2.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_3.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_4.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_5.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\install_reader11_en_gtbp_chra_aih_6.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\Launcher.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\mMamStub.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\npihmf-d.dll => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsa3122.tmp.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsaA3CA.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nseF18E.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsfF44E.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsg18D4.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsi578F.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsiC1AC.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsiFB30.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsk753C.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsk9597.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsnAF8F.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsoC5C3.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nspF91.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsq777F.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsqAE7B.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsr555B.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nst1BA0.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nst91DD.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nstA90B.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nsx1863.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\nszB1F2.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\post1.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\post2.dll => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\post2.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\ryj8vl55.dll => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\SearchProtectINT.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\SPSetup.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\tmut13817.dll => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\verifier.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\vlc-2.1.2-win32.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\WindowShopper.exe => Moved successfully.
C:\Users\Jose\AppData\Local\Temp\_ufkmsix.dll => Moved successfully.
Could not move "C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\Adobe Flash Player Updater.job" => Scheduled to move on reboot.
C:\Windows\Tasks\APSnotifierPP1.job => Moved successfully.
C:\Windows\Tasks\APSnotifierPP2.job => Moved successfully.
C:\Windows\Tasks\APSnotifierPP3.job => Moved successfully.
Could not move "C:\Windows\Tasks\Astromenda.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\CW.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\GNNZ.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\pennybee Runner.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\Tempo Runner.job" => Scheduled to move on reboot.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-12-07 20:31:21)<=

==> ATTENTION: System is not rebooted.
"C:\Windows\system32\GroupPolicy\Machine\Registry.pol" => File could not move.
"C:\Windows\system32\GroupPolicy\Machine" => Directory could not move.
"C:\Windows\system32\GroupPolicy\GPT.ini" => File could not move.
"c:\ProgramData\WinSpeed\WinSpeed.dll" => File could not move.
"c:\ProgramData\WinSpeed\WinSpeedSvc.dll" => File could not move.
"c:\ProgramData\WinSpeed\WinSpeed_x64.dll" => File could not move.
"c:\ProgramData\WinSpeed" => Directory could not move.
"C:\ProgramData\pennybee" => Directory could not move.
"C:\Program Files\pcreg\a.exe" => File could not move.
"C:\Program Files\pcreg\msvcr100.dll" => File could not move.
"C:\Program Files\pcreg\nodown.txt" => File could not move.
"C:\Program Files\pcreg\pcreg.exe" => File could not move.
"C:\Program Files\pcreg\service.exe" => File could not move.
"C:\Program Files\pcreg" => Directory could not move.
"C:\ProgramData\pennybee" => Directory could not move.
"C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe" => File could not move.
"C:\Program Files (x86)\AnyProtectEx\product.guid" => File could not move.
"C:\Program Files (x86)\AnyProtectEx" => Directory could not move.
"C:\Windows\Tasks\pennybee Runner.job" => File could not move.
"C:\Program Files\SupraSavings\mfs6A20.tmp" => File could not move.
"C:\Program Files\SupraSavings\mfsF01D.tmp" => File could not move.
"C:\Program Files\SupraSavings\mfsFE0E.tmp" => File could not move.
"C:\Program Files\SupraSavings" => Directory could not move.
"C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job" => File could not move.
"C:\Windows\Tasks\Adobe Flash Player Updater.job" => File could not move.
"C:\Windows\Tasks\Astromenda.job" => File could not move.
"C:\Windows\Tasks\CW.job" => File could not move.
"C:\Windows\Tasks\GNNZ.job" => File could not move.
"C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job" => File could not move.
"C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job" => File could not move.
"C:\Windows\Tasks\pennybee Runner.job" => File could not move.
"C:\Windows\Tasks\Tempo Runner.job" => File could not move.

==== End of Fixlog ====



#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 December 2014 - 08:59 PM

Try this tool and see if it helps.

Download Windows Repair (All in One) from this site

Install the program then run it.

NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
NOTE 2. Disable your antivirus program before running Windows Repair.


Go to Step 2 and click on Check button next to 1. See If Check Disk Is Needed.
If the tool indicates that the Check Disk is needed click on Do It button next to 2. Check Disk.
In that case make sure you restart computer.



Once the above is done go to Step 3 and allow it to run System File Check by clicking on Do It button:



Go to Step 4 and under "System Restore" click on Create button:



Go to Start Repairs tab and click Start button.

Leave all checkmarks as they are.
NOTE for Windows 8 users. Reset Registry Permissions is NOT checked by design.

Click on Start button.


Post Windows Repair log which is located in the following folder:
64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs

 

 

Can you please run FRST this way this time.

 

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


 


Edited by fireman4it, 07 December 2014 - 09:01 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
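The FRST.txt that the instructions above ask for is easiest to read by pulling out the kinds of lines a helper scans first. The following is an added example, not part of this thread and not FRST's own code: a small Python triage over constructed sample lines written in FRST's output format (the loopback proxy value mirrors the pattern seen in such logs; the DNS addresses and service names are placeholders), flagging localhost proxies, static NameServer entries, non-zero Explorer policies, lines FRST itself marks ATTENTION, and services whose file is missing ([X]) or unsigned.

```python
"""Triage helper for FRST.txt output (constructed example, not FRST's own code)."""
import re
from dataclasses import dataclass

# Constructed sample lines in FRST's output format; the DNS addresses and the
# service names are placeholders, not values taken from any real machine.
SAMPLE_LOG = r"""
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:55211;https=127.0.0.1:55211
Tcpip\Parameters: [NameServer] 203.0.113.10,203.0.113.11
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
S2 examplesvc; c:\ProgramData\Example\ExampleSvc.dll [186192 2014-08-21] () [File not signed]
S2 goodsvc; C:\Windows\system32\svchost.exe [29696 2013-04-21] (Microsoft Corporation)
S2 ghostsvc; "C:\PROGRA~3\ghost\ghost.exe" -scm [X]
"""


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    category: str
    detail: str


# Line shapes as FRST prints them in the Registry / Internet / Services sections.
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>.+)$")
DNS_RE = re.compile(
    r"^Tcpip\\(?:Parameters|\.\.\\Interfaces\\\{[^}]+\}): \[NameServer\] (?P<servers>.+)$")
EXPLORER_POLICY_RE = re.compile(
    r"^(?P<key>\S+\\Policies\\Explorer): \[(?P<name>\w+)\] (?P<value>\S+)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS][0-4]) (?P<name>[^;]+); (?P<rest>.+)$")


def _is_loopback(host):
    return host == "localhost" or host.startswith("127.")


def _proxy_hosts(value):
    """'http=127.0.0.1:55211;https=127.0.0.1:55211' -> ['127.0.0.1', '127.0.0.1']."""
    hosts = []
    for entry in value.split(";"):
        target = entry.split("=", 1)[-1].strip()   # drop the "scheme=" prefix
        hosts.append(target.rsplit(":", 1)[0])     # drop the ":port" suffix
    return hosts


def triage(log_text):
    """Return the Findings worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # FRST's own marker for policy restrictions and similar.
        if "<=" in line and line.endswith("ATTENTION"):
            findings.append(Finding("high", "frst-attention", line.split(" <")[0]))
            continue
        m = PROXY_RE.match(line)
        if m:
            # A proxy on a loopback port means a local listener sits in the
            # browser's traffic path; find which process owns that port.
            if any(_is_loopback(h) for h in _proxy_hosts(m.group("value"))):
                findings.append(Finding("high", "local-proxy",
                                        f"{m.group('hive')}: {m.group('value')}"))
            continue
        m = DNS_RE.match(line)
        if m:
            # Static resolvers on a home laptop are unusual; verify who runs them.
            findings.append(Finding("medium", "static-dns", m.group("servers")))
            continue
        m = EXPLORER_POLICY_RE.match(line)
        if m and m.group("value") != "0":
            findings.append(Finding("medium", "explorer-policy",
                                    f"{m.group('name')}={m.group('value')}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest, name = m.group("rest"), m.group("name")
            if rest.endswith("[X]"):                       # FRST: file not found
                findings.append(Finding("high", "service-missing-file", name))
            elif "[File not signed]" in rest or " () " in rest:  # unsigned / no vendor
                findings.append(Finding("medium", "service-unsigned", name))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:22} {f.detail}")
```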


#5 Egobrane
  • Topic Starter
  • Members
  • 12 posts

Posted 08 December 2014 - 02:49 PM

I was unable to run the recovery tool you provided in step 1 because it's also "blocked" by my "system administrator".

It's worth mentioning that this is a 64-bit Windows 8 laptop.

 

I ran the FRST tool from the command line and these were the results:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-12-2014 01
Ran by Jose (ATTENTION: The logged in user is not administrator) on PABON on 08-12-2014 14:42:09
Running from d:\
Loaded Profile: Jose (Available profiles: Jose)
Platform: Windows 8 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\cmd.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McUICnt.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13538376 2013-05-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1307720 2013-04-24] (Realtek Semiconductor)
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM-x32\...\Run: [fst_us_239] => [X]
HKLM-x32\...\Run: [AnyProtect Scanner] => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe [17071616 2014-09-02] (AnyProtect.com)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132224 2013-02-28] ( (Qualcomm Atheros Commnucations))
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Run: [AcerCloud] => C:\Program Files (x86)\Acer\Acer Portal\acpanel_win.exe [2524416 2014-06-30] ()
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Run: [GoogleChromeAutoLaunch_8689F7E34788311E37318B02CC8C518C] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [860488 2014-08-06] (Google Inc.)
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
IFEO\DatamngrCoordinator.exe: [Debugger] tasklist.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Jose\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:55211;https=127.0.0.1:55211
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://t.msn.com/
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer13.msn.com/
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL =
SearchScopes: HKLM-x32 -> DefaultScope 006ee092-9658-4fd6-bd8e-a21a348e59f5 URL =
SearchScopes: HKLM-x32 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfoa&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
SearchScopes: HKU\.DEFAULT -> {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
BHO: IMinent WebBooster (BHO) -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} -> C:\Program Files (x86)\Iminent\Minibar.InternetExplorer.BHOx64.dll No File
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: No Name -> {84FF7BD6-B47F-46F8-9130-01B2696B36CB} ->  No File
BHO-x32: No Name -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} ->  No File
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
DPF: HKLM-x32 {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} https://www36.verizon.com/FiOSVoice/UnProtected/FiosVoiceVMUtil.CAB
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
Hosts: 127.0.0.1            d3oxij66pru1i3.cloudfront.net
Tcpip\Parameters: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{220025FD-E1A0-4F21-9736-150BCF17A071}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{4B5CA3CB-995A-40DC-ADE9-DF369AF8D0F2}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{633A3964-B654-423E-AE3A-1E7BD95024C6}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{97e1de57-d6fa-11e1-be62-806e6f6e6963}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{A64C2227-EEEF-4667-8335-8125D9EFD984}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{C02CAB3E-C922-4371-A1DD-E72CF76EF979}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{DBB9C189-F540-420B-949E-091A47B3341B}: [NameServer] 184.172.114.130,208.43.110.90

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_239.dll ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.5.20 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll No File
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2013-05-13]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2013-05-13]

Chrome:
=======
CHR Profile: C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Speedial) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\bakijjialdiiboeaknfpmflphhmljfkd [2014-06-25]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-30]
CHR Extension: (Groovorio New Tab) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm [2014-09-02]
CHR Extension: (Hangouts) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\nckgahadagoaajjgafhacjanaoiihapd [2014-08-12]
CHR Extension: (Google Wallet) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-04]
CHR HKLM\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - No Path
CHR HKLM-x32\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - No Path
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [eihhgekonheiliaidomffpplfhecmkag] - No Path
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - No Path
CHR HKLM-x32\...\Chrome\Extension: [nbljechdpodpbchbmjcoamidppmpnmlc] - No Path

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [227968 2013-02-28] (Qualcomm Atheros Commnucations)
S3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [660040 2013-01-18] (Acer Incorporated)
S2 f1f78e38; c:\ProgramData\WinSpeed\WinSpeedSvc.dll [186192 2014-08-21] () [File not signed]
S2 GlobalUpdater; C:\Program Files (x86)\Common Files\IMGUpdater\IMGUpdater.exe [378152 2014-08-13] (SIEN S.A.)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [731648 2013-02-13] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-03-20] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-03-20] (Intel Corporation)
S2 LeapFrog Connect Device Service; C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe [7393280 2013-11-27] (LeapFrog Enterprises, Inc.) [File not signed]
S2 lmhosts; C:\Windows\system32\svchost.exe [29696 2013-04-21] (Microsoft Corporation)
S2 lmhosts; C:\Windows\SysWOW64\svchost.exe [23040 2013-04-21] (Microsoft Corporation)
S2 LMSvc; C:\Program Files\Acer\Acer Launch Manager\LMSvc.exe [431656 2013-04-25] (Acer Incorporate)
S2 McAfee SiteAdvisor Service; c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [155856 2014-06-03] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178048 2013-11-28] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\mcafee\actwiz\McAWFwk.exe [334760 2012-12-21] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 MfeASUM; C:\Program Files\McAfee\AppStats\MfeASUM.exe [335216 2013-10-31] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1025232 2013-12-11] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219272 2013-12-05] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [184800 2013-12-05] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 NlaSvc; C:\Windows\System32\svchost.exe [29696 2013-04-21] (Microsoft Corporation)
S2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [23040 2013-04-21] (Microsoft Corporation)
S2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3943104 2012-08-15] (Symantec Corporation)
S2 nsi; C:\Windows\system32\svchost.exe [29696 2013-04-21] (Microsoft Corporation)
S2 nsi; C:\Windows\SysWOW64\svchost.exe [23040 2013-04-21] (Microsoft Corporation)
S2 pcregservice; C:\Program Files\pcreg\pcreg.exe [249024 2014-04-25] ()
S2 SupraSavingsService64; C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\SupraSavingsService64.exe [172544 2014-06-25] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16032 2014-09-22] (Microsoft Corporation)
S2 pennybee; "C:\PROGRA~3\pennybee\pennybee.exe" /task=4 /InstallOn=0 /closebr=0 /active=24 /update=24 /interval=2880 /pubId=1004 /affId=10040004 /appId=116 /uId=1555C9A6-6BCC-46F4-B510-A4F19D62A1A4 /version= /Override=0 /regAppName=pennybee /curSID= /logf=\10040004_loger_06_12_00_32_11_-1987315651.txt /mac=BC8556E6740B /tst=none /ts2=1 [X]
S2 Update fassurun; "C:\Program Files (x86)\fassurun\updatefassurun.exe" [X]
S2 wpennybeed; "C:\PROGRA~3\pennybee\wpennybeed.exe" -scm [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [5139968 2012-06-02] (Broadcom Corporation)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-02-28] (Qualcomm Atheros)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-25] (Microsoft Corporation)
S1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-12-05] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-01-09] (Acer Incorporated)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-03-20] (Intel Corporation)
S2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179792 2013-12-05] (McAfee, Inc.)
S1 MfeASKM; C:\Program Files\McAfee\AppStats\MfeASKM.sys [31408 2013-10-31] (McAfee, Inc.)
S2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311120 2013-12-05] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [69344 2013-12-05] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [519576 2013-12-05] (McAfee, Inc.)
S2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782616 2013-12-05] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [411944 2013-11-26] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [96112 2013-11-26] (McAfee, Inc.)
S2 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [343696 2013-12-05] (McAfee, Inc.)
S1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [46376 2014-06-12] (NetFilterSDK.com)
S3 QRDCIO; C:\Windows\System32\drivers\QRDCIO.sys [9728 2009-10-20] (QUANTA)
R3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [15704 2013-01-09] (Acer Incorporated)
S3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [455240 2013-03-05] (RTS Corporation)
S1 {55dce8ba-9dec-4013-937e-adbf9317d990}w64; C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys [61072 2014-07-30] (StdLib)
S1 {9d5747ee-0448-4681-8337-1555de75a3b6}Gw64; C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys [61120 2014-05-06] (StdLib)
S1 {fef7f75c-f985-4250-96f9-8183cd04238b}w64; C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys [61080 2014-09-02] (StdLib)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-08 14:23 - 2014-12-08 14:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-12-07 20:27 - 2014-12-08 14:15 - 00000378 _____ () C:\Windows\Tasks\APSnotifierPP1.job
2014-12-07 20:27 - 2014-12-07 23:30 - 00000376 _____ () C:\Windows\Tasks\APSnotifierPP2.job
2014-12-07 16:05 - 2014-12-08 14:42 - 00000000 ____D () C:\FRST
2014-12-05 21:59 - 2014-12-05 21:59 - 00002215 _____ () C:\Users\Jose\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tech Live Connect Technical Support.lnk
2014-12-05 21:59 - 2014-12-05 21:59 - 00000000 ____D () C:\Users\Jose\AppData\Local\LogMeIn Rescue Applet
2014-12-01 06:06 - 2014-12-01 06:06 - 00578144 _____ () C:\Users\Jose\Downloads\Installation.exe
2014-12-01 05:23 - 2014-12-01 05:23 - 00328568 _____ (Swift Installer ) C:\Users\Jose\Downloads\fl_setup.exe
2014-11-30 23:59 - 2014-11-19 02:29 - 00582552 _____ (Microsoft Corporation) C:\Windows\system32\AutoUpdate.exe
2014-11-30 23:59 - 2014-11-19 02:29 - 00462760 _____ (Microsoft Corporation) C:\Windows\system32\NotificationUI.exe
2014-11-26 23:07 - 2014-11-26 23:07 - 00910104 _____ () C:\Users\Jose\Downloads\Setup v2 1.exe
2014-11-25 23:52 - 2014-12-07 23:30 - 00000764 _____ () C:\Windows\Tasks\pennybee Runner.job
2014-11-22 03:20 - 2014-11-05 01:40 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-22 03:20 - 2014-11-05 01:38 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-22 03:20 - 2014-11-04 22:16 - 00556544 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 02237952 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 01409536 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 00915968 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\UXInit.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-22 03:20 - 2014-10-25 20:55 - 19284480 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-22 03:20 - 2014-10-25 20:55 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-22 03:20 - 2014-10-25 20:55 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-22 03:20 - 2014-10-25 20:55 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 15399424 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 02655232 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-22 03:20 - 2014-10-25 20:53 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-22 03:20 - 2014-10-25 19:36 - 01762816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 14368768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00044032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UXInit.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 13758464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 02055168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-22 03:20 - 2014-10-25 19:34 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-22 03:20 - 2014-10-25 19:19 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-22 03:20 - 2014-10-25 19:13 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-22 03:20 - 2014-10-25 16:48 - 00534528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll
2014-11-22 03:20 - 2014-10-02 20:21 - 00522728 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-22 03:20 - 2014-10-02 17:29 - 00783872 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-22 03:20 - 2014-10-02 17:29 - 00267264 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-22 03:20 - 2014-10-02 17:29 - 00169472 _____ (Microsoft Corporation) C:\Windows\system32\AudioEndpointBuilder.dll
2014-11-22 03:20 - 2014-10-01 18:05 - 04068864 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-22 03:20 - 2014-09-22 00:53 - 00035320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdBoot.sys
2014-11-22 03:20 - 2014-08-26 17:08 - 00270024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdFilter.sys
2014-11-22 03:19 - 2014-09-13 01:24 - 02233152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-11-22 03:19 - 2014-09-05 19:46 - 00389176 _____ () C:\Windows\system32\ApnDatabase.xml
2014-11-22 03:19 - 2014-09-02 21:48 - 00457728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2014-11-22 03:19 - 2014-09-02 21:48 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2014-11-22 03:19 - 2014-09-02 21:22 - 00188928 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2014-11-22 03:19 - 2014-09-02 21:21 - 00623104 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2014-11-22 03:19 - 2014-09-02 21:21 - 00212992 _____ (Microsoft Corporation) C:\Windows\system32\dnsrslvr.dll
2014-11-22 03:19 - 2014-08-28 23:17 - 02043392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-11-22 03:19 - 2014-08-28 23:17 - 00227328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-11-22 03:19 - 2014-08-28 23:04 - 02837504 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2014-11-22 03:19 - 2014-08-28 23:04 - 00309248 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2014-11-22 03:19 - 2014-08-28 01:04 - 00499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FXSCOMEX.dll
2014-11-22 03:19 - 2014-08-28 01:04 - 00227840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FXSAPI.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00616448 _____ (Microsoft Corporation) C:\Windows\system32\FXSAPI.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00609280 _____ (Microsoft Corporation) C:\Windows\system32\FXSCOMEX.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00432640 _____ (Microsoft Corporation) C:\Windows\system32\FXSTIFF.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00254976 _____ (Microsoft Corporation) C:\Windows\system32\FXST30.dll
2014-11-22 03:19 - 2014-07-24 08:12 - 00328512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Classpnp.sys
2014-11-22 03:14 - 2014-10-18 03:44 - 00778240 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-22 03:14 - 2014-10-18 02:05 - 00567808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-22 03:04 - 2014-11-08 06:22 - 00238080 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-22 03:04 - 2014-11-08 06:21 - 00827904 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-22 03:04 - 2014-11-08 01:57 - 00187904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2014-11-22 03:04 - 2014-11-08 01:56 - 00666624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-22 03:04 - 2014-10-23 07:47 - 00079872 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-22 03:04 - 2014-10-23 06:04 - 00068096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-22 03:04 - 2014-10-11 03:35 - 00171840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-22 03:04 - 2014-10-11 02:45 - 10115072 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 03248640 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 00588288 _____ (Microsoft Corporation) C:\Windows\system32\SHCore.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 00393216 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2014-11-22 03:04 - 2014-10-11 02:43 - 02307072 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2014-11-22 03:04 - 2014-10-11 02:43 - 01281536 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-22 03:04 - 2014-10-11 00:58 - 08858624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2014-11-22 03:04 - 2014-10-11 00:57 - 02416640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-11-22 03:04 - 2014-10-11 00:57 - 00452608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SHCore.dll
2014-11-22 03:04 - 2014-10-11 00:57 - 00295424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2014-11-22 03:04 - 2014-10-11 00:56 - 02037760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2014-11-22 03:04 - 2014-10-11 00:41 - 00713728 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-22 03:04 - 2014-10-11 00:41 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-22 03:04 - 2014-10-11 00:05 - 00146944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-22 03:04 - 2014-10-11 00:04 - 00713728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-22 03:04 - 2014-09-24 18:29 - 00318976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-22 03:04 - 2014-09-24 18:29 - 00072192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncryptsslp.dll
2014-11-22 03:04 - 2014-09-24 18:01 - 00414208 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-22 03:04 - 2014-09-24 18:01 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\ncryptsslp.dll
2014-11-22 03:04 - 2014-08-21 18:56 - 01418752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-22 03:04 - 2014-08-21 18:27 - 01845760 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-08 14:34 - 2012-07-26 02:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-08 14:20 - 2012-07-26 02:28 - 00848230 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-08 14:15 - 2014-04-03 20:56 - 00000914 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job
2014-12-07 23:30 - 2014-09-02 16:44 - 00002662 _____ () C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job
2014-12-07 23:30 - 2014-09-02 16:44 - 00001342 _____ () C:\Windows\Tasks\GNNZ.job
2014-12-07 23:30 - 2014-09-02 16:44 - 00001338 _____ () C:\Windows\Tasks\CW.job
2014-12-07 20:25 - 2014-06-25 22:15 - 00000000 ____D () C:\ProgramData\pennybee
2014-12-07 16:14 - 2014-07-03 18:01 - 00000000 ____D () C:\Users\Jose\AppData\Local\CrashDumps
2014-12-06 00:22 - 2012-07-26 02:21 - 00436964 _____ () C:\Windows\setupact.log
2014-12-06 00:12 - 2014-07-31 07:12 - 00000300 _____ () C:\Windows\Tasks\Astromenda.job
2014-12-06 00:11 - 2013-11-04 13:34 - 00000906 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-05 22:10 - 2013-12-25 16:24 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-05 22:00 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\system32\sru
2014-12-05 21:20 - 2013-06-12 00:57 - 01455506 _____ () C:\Windows\WindowsUpdate.log
2014-12-02 02:32 - 2013-11-16 10:11 - 00000000 ____D () C:\Users\Jose\Documents\Financials
2014-12-02 02:10 - 2014-06-26 18:56 - 00000000 ____D () C:\Program Files\SupraSavings
2014-12-02 01:22 - 2013-11-22 01:07 - 00000000 ____D () C:\Users\Jose\Documents\Bluetooth Folder
2014-12-01 00:05 - 2012-07-26 02:59 - 00000000 ____D () C:\Windows\CbsTemp
2014-11-25 01:47 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\rescache
2014-11-25 01:20 - 2013-05-13 01:40 - 00062640 _____ () C:\Windows\PFRO.log
2014-11-23 23:45 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-11-23 14:59 - 2014-10-23 09:48 - 00429976 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-23 14:24 - 2014-07-10 20:59 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ____D () C:\Program Files\Windows Defender
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2014-11-23 14:23 - 2012-07-26 03:12 - 00000000 ___RD () C:\Windows\ToastData
2014-11-22 03:22 - 2013-11-11 19:03 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-22 03:18 - 2013-11-11 19:03 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-21 01:43 - 2013-10-31 22:46 - 00000000 ____D () C:\Users\Jose
2014-11-20 15:56 - 2014-10-21 13:45 - 00713672 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-11-20 15:56 - 2014-10-21 13:45 - 00106440 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD, see Addition.txt for additional information.

==================== End Of Log ============================

ADDITION.TXT

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-12-2014 01
Ran by Jose at 2014-12-08 14:43:07
Running from d:\
Boot Mode: Safe Mode (minimal)
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee Anti-Virus and Anti-Spyware (Disabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee Anti-Virus and Anti-Spyware (Disabled - Out of date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall (Disabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acer Docs Office AddIn (HKLM-x32\...\{DCBF3379-246B-47E1-8173-639B63940838}) (Version: 3.01.2001 - Acer)
Acer Launch Manager (HKLM\...\{C18D55BD-1EC6-466D-B763-8EEDDDA9100E}) (Version: 8.00.3004 - Acer Incorporated)
Acer Power Management (HKLM\...\{91F52DE4-B789-42B0-9311-A349F10E5479}) (Version: 7.00.3012 - Acer Incorporated)
Acer Recovery Management (HKLM\...\{07F2005A-8CAC-4A4B-83A2-DA98A722CA61}) (Version: 6.00.3016 - Acer Incorporated)
Acer USB Charge Manager (HKLM\...\{07E867C5-0C48-40FF-A013-DDAF4565AD47}) (Version: 2.00.3004 - Acer Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.239 - Adobe Systems Incorporated)
Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Canon MP250 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series) (Version:  - )
Cradle Of Egypt Collector's Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
CyberLink MediaEspresso 6.5 (HKLM-x32\...\InstallShield_{E3739848-5329-48E3-8D28-5BBD6E8BE384}) (Version: 6.5.3729_45993 - CyberLink Corp.)
Delicious: Emily's Childhood Memories Premium Edition (x32 Version: 3.0.2.32 - WildTangent) Hidden
Dolby Home Theater v4 (HKLM-x32\...\{B26438B4-BF51-49C3-9567-7F14A5E40CB9}) (Version: 7.2.8000.17 - Dolby Laboratories Inc)
Dora's World Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 36.0.1985.143 - Google Inc.)
Identity Card (HKLM-x32\...\{3D9CB654-99AD-4301-89C6-0D12A790767C}) (Version: 2.00.3006 - Acer Incorporated)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.0.1428 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.18.10.3165 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.5.0.1066 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 3.0.0.63463 - Intel Corporation)
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
LeapFrog Connect (HKLM-x32\...\UPCShell) (Version: 5.2.4.18506 - LeapFrog)
LeapFrog Connect (x32 Version: 5.2.4.18506 - LeapFrog) Hidden
LeapFrog My Pals Plugin (x32 Version: 5.1.26.18340 - LeapFrog) Hidden
Live Updater (HKLM-x32\...\{EE26E302-876A-48D9-9058-3129E5B99999}) (Version: 2.00.3010 - Acer Incorporated)
McAfee Internet Security Suite (HKLM-x32\...\MSC) (Version: 12.8.908 - McAfee, Inc.)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mystery P.I. - Curious Case of Counterfeit Cove (x32 Version: 2.2.0.98 - WildTangent) Hidden
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.2.3.51r2 - Symantec Corporation)
Norton Online Backup ARA (x32 Version: 4.1.0.14 - Symantec Corporation) Hidden
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.222 - Qualcomm Atheros Communications)
Qualcomm Atheros WLAN and Bluetooth Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 11.43 - Qualcomm Atheros)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.14.327.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6909 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{C9661090-C134-46E8-90B2-76D72355C2A6}) (Version: 6.2.9200.21222 - Realtek Semiconductor Corp.)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Spotify (HKLM-x32\...\Spotify) (Version: 0.8.4.99.ga249b5f1 - Spotify AB)
Tales of Lagoona (x32 Version: 2.2.0.110 - WildTangent) Hidden
The Chronicles of Emerland Solitaire (x32 Version: 3.0.2.32 - WildTangent) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin) (HKLM-x32\...\MyPalsPlugin) (Version:  - LeapFrog)
Visual Studio 2005 Tools for Office Second Edition Runtime (HKLM-x32\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version:  - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App (x32 Version: 4.0.10.5 - WildTangent) Hidden
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net  (09/10/2009 02.03.05.012) (HKLM\...\8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D) (Version: 09/10/2009 02.03.05.012 - Leapfrog)
WinSpeed (HKLM-x32\...\{5F189DF5-2D05-472B-9091-84D9848AE48B}{f1f78e38}) (Version:  - 24soft) <==== ATTENTION

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

Could not list Restore Points. Check "winmgmt" service or repair WMI.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 00:26 - 2014-07-03 17:59 - 00000867 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1            d3oxij66pru1i3.cloudfront.net

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job => ? <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => ?
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\Astromenda.job => ?
Task: C:\Windows\Tasks\CW.job => ?
Task: C:\Windows\Tasks\GNNZ.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => ?
Task: C:\Windows\Tasks\pennybee Runner.job => ?
Task: C:\Windows\Tasks\Tempo Runner.job => ?

==================== Loaded Modules (whitelisted) =============


==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "UseAlternateShell"="1"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-1568040461-2792508260-1395258070-500 - Administrator - Disabled)
Guest (S-1-5-21-1568040461-2792508260-1395258070-501 - Administrator - Disabled)
HomeGroupUser$ (S-1-5-21-1568040461-2792508260-1395258070-1003 - Administrator - Enabled)
Jose (S-1-5-21-1568040461-2792508260-1395258070-1001 - Limited - Enabled) => C:\Users\Jose

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (12/08/2014 02:36:13 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "select * from __InstanceModificationEvent where targetinstance isa '__ArbitratorConfiguration'" could not be reactivated in namespace "//./root" because of error 0x80041033. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "select * from __InstanceModificationEvent where targetinstance isa '__ArbitratorConfiguration'" could not be reactivated in namespace "//./root" because of error 0x80041033. Events cannot be delivered through this filter until the problem is corrected.

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root/CIMV2 namespace does not exist. The query will be ignored.

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root/subscription namespace does not exist. The query will be ignored.

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root/subscription namespace does not exist. The query will be ignored.

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root/CIMV2 namespace does not exist. The query will be ignored.

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __TimerEvent" whose target class "__TimerEvent" in //./root namespace does not exist. The query will be ignored.

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __NamespaceOperationEvent" whose target class "__NamespaceOperationEvent" in //./root/CIMV2 namespace does not exist. The query will be ignored.

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __NamespaceOperationEvent" whose target class "__NamespaceOperationEvent" in //./root/subscription namespace does not exist. The query will be ignored.

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider $Core attempted to register query "select * from __SystemEvent" whose target class "__SystemEvent" in //./root namespace does not exist. The query will be ignored.


System errors:
=============
Error: (12/08/2014 02:41:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: 1084McNaiAnnUnavailable{C90134D2-4AE9-407A-919A-4A2EF09C6C51}

Error: (12/08/2014 02:41:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: 1084McNaiAnnUnavailable{C90134D2-4AE9-407A-919A-4A2EF09C6C51}

Error: (12/08/2014 02:41:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: 1084McNaiAnnUnavailable{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (12/08/2014 02:41:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: 1084McNaiAnnUnavailable{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (12/08/2014 02:41:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: 1084McNaiAnnUnavailable{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (12/08/2014 02:41:00 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: 1084McNaiAnnUnavailable{DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

Error: (12/08/2014 02:36:56 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network Location Awareness service depends on the DHCP Client service which failed to start because of the following error:
%%1068

Error: (12/08/2014 02:36:56 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:
%%1068

Error: (12/08/2014 02:36:56 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:
%%1068

Error: (12/08/2014 02:36:56 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub System service which failed to start because of the following error:
%%31


Microsoft Office Sessions:
=========================
Error: (12/08/2014 02:36:13 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: //./rootselect * from __InstanceModificationEvent where targetinstance isa '__ArbitratorConfiguration'0x80041033

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: //./rootselect * from __InstanceModificationEvent where targetinstance isa '__ArbitratorConfiguration'0x80041033

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __TimerEvent__TimerEvent//./root/CIMV2

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __TimerEvent__TimerEvent//./root/subscription

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __SystemEvent__SystemEvent//./root/subscription

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __SystemEvent__SystemEvent//./root/CIMV2

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __TimerEvent__TimerEvent//./root

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __NamespaceOperationEvent__NamespaceOperationEvent//./root/CIMV2

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __NamespaceOperationEvent__NamespaceOperationEvent//./root/subscription

Error: (12/07/2014 11:34:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: $Coreselect * from __SystemEvent__SystemEvent//./root


==================== Memory info ===========================

Processor: Intel® Core™ i5-4200U CPU @ 1.60GHz
Percentage of memory in use: 9%
Total physical RAM: 7848.27 MB
Available physical RAM: 7097.02 MB
Total Pagefile: 9000.27 MB
Available Pagefile: 8282.29 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:681.39 GB) (Free:613.24 GB) NTFS
Drive d: () (Removable) (Total:3.63 GB) (Free:3.54 GB) FAT32

==================== MBR & Partition Table ==================

==================== End Of Log ============================

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:55 AM

Posted 08 December 2014 - 04:54 PM

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad. Save it on the flash drive as fixlist.txt

HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
S2 pcregservice; C:\Program Files\pcreg\pcreg.exe
C:\Program Files\pcreg
HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
HKLM-x32\...\Run: [fst_us_239] => [X]
HKLM-x32\...\Run: [AnyProtect Scanner] => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe [17071616 2014-09-02] (AnyProtect.com)
C:\Program Files (x86)\AnyProtectEx
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
IFEO\DatamngrCoordinator.exe: [Debugger] tasklist.exe
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL =
SearchScopes: HKLM-x32 -> DefaultScope 006ee092-9658-4fd6-bd8e-a21a348e59f5 URL =
SearchScopes: HKLM-x32 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfoa&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
SearchScopes: HKU\.DEFAULT -> {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
BHO: IMinent WebBooster (BHO) -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} -> C:\Program Files (x86)\Iminent\Minibar.InternetExplorer.BHOx64.dll No File
 C:\Program Files (x86)\Iminent
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: No Name -> {84FF7BD6-B47F-46F8-9130-01B2696B36CB} ->  No File
BHO-x32: No Name -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} ->  No File
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
S2 f1f78e38; c:\ProgramData\WinSpeed\WinSpeedSvc.dll [186192 2014-08-21] () [File not signed]
c:\ProgramData\WinSpeed
S2 SupraSavingsService64; C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\SupraSavingsService64.exe [172544 2014-06-25] () [File not signed]
C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF
S2 pennybee; "C:\PROGRA~3\pennybee\pennybee.exe" /task=4 /InstallOn=0 /closebr=0 /active=24 /update=24 /interval=2880 /pubId=1004 /affId=10040004 /appId=116 /uId=1555C9A6-6BCC-46F4-B510-A4F19D62A1A4 /version= /Override=0 /regAppName=pennybee /curSID= /logf=\10040004_loger_06_12_00_32_11_-1987315651.txt /mac=BC8556E6740B /tst=none /ts2=1 [X]
S2 Update fassurun; "C:\Program Files (x86)\fassurun\updatefassurun.exe" [X]
S2 wpennybeed; "C:\PROGRA~3\pennybee\wpennybeed.exe" -scm [X]
C:\PROGRA~3\pennybee
C:\Program Files (x86)\fassurun
S1 {55dce8ba-9dec-4013-937e-adbf9317d990}w64; C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys [61072 2014-07-30] (StdLib)
S1 {9d5747ee-0448-4681-8337-1555de75a3b6}Gw64; C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys [61120 2014-05-06] (StdLib)
S1 {fef7f75c-f985-4250-96f9-8183cd04238b}w64; C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys [61080 2014-09-02] (StdLib)
C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys
C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys
C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys
2014-11-25 23:52 - 2014-12-07 23:30 - 00000764 _____ () C:\Windows\Tasks\pennybee Runner.job
2014-12-07 20:25 - 2014-06-25 22:15 - 00000000 ____D () C:\ProgramData\pennybee
Task: C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job => ? <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => ?
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\Astromenda.job => ?
Task: C:\Windows\Tasks\CW.job => ?
Task: C:\Windows\Tasks\GNNZ.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => ?
Task: C:\Windows\Tasks\pennybee Runner.job => ?
Task: C:\Windows\Tasks\Tempo Runner.job => ?

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Let me know how the machine is after this fix.


Edited by fireman4it, 08 December 2014 - 04:55 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 Egobrane
  • Topic Starter
  • Members

Posted 08 December 2014 - 05:47 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-12-2014 01
Ran by Jose at 2014-12-08 17:37:49 Run:2
Running from d:\
Loaded Profile: Jose (Available profiles: Jose)
Boot Mode: Safe Mode (minimal)
==============================================

Content of fixlist:
*****************
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
S2 pcregservice; C:\Program Files\pcreg\pcreg.exe
C:\Program Files\pcreg
HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
HKLM-x32\...\Run: [fst_us_239] => [X]
HKLM-x32\...\Run: [AnyProtect Scanner] => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe [17071616 2014-09-02] (AnyProtect.com)
C:\Program Files (x86)\AnyProtectEx
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
IFEO\DatamngrCoordinator.exe: [Debugger] tasklist.exe
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL =
SearchScopes: HKLM-x32 -> DefaultScope 006ee092-9658-4fd6-bd8e-a21a348e59f5 URL =
SearchScopes: HKLM-x32 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfoa&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
SearchScopes: HKU\.DEFAULT -> {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
BHO: IMinent WebBooster (BHO) -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} -> C:\Program Files (x86)\Iminent\Minibar.InternetExplorer.BHOx64.dll No File
 C:\Program Files (x86)\Iminent
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: No Name -> {84FF7BD6-B47F-46F8-9130-01B2696B36CB} ->  No File
BHO-x32: No Name -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} ->  No File
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
S2 f1f78e38; c:\ProgramData\WinSpeed\WinSpeedSvc.dll [186192 2014-08-21] () [File not signed]
c:\ProgramData\WinSpeed
S2 SupraSavingsService64; C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\SupraSavingsService64.exe [172544 2014-06-25] () [File not signed]
C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF
S2 pennybee; "C:\PROGRA~3\pennybee\pennybee.exe" /task=4 /InstallOn=0 /closebr=0 /active=24 /update=24 /interval=2880 /pubId=1004 /affId=10040004 /appId=116 /uId=1555C9A6-6BCC-46F4-B510-A4F19D62A1A4 /version= /Override=0 /regAppName=pennybee /curSID= /logf=\10040004_loger_06_12_00_32_11_-1987315651.txt /mac=BC8556E6740B /tst=none /ts2=1 [X]
S2 Update fassurun; "C:\Program Files (x86)\fassurun\updatefassurun.exe" [X]
S2 wpennybeed; "C:\PROGRA~3\pennybee\wpennybeed.exe" -scm [X]
C:\PROGRA~3\pennybee
C:\Program Files (x86)\fassurun
S1 {55dce8ba-9dec-4013-937e-adbf9317d990}w64; C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys [61072 2014-07-30] (StdLib)
S1 {9d5747ee-0448-4681-8337-1555de75a3b6}Gw64; C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys [61120 2014-05-06] (StdLib)
S1 {fef7f75c-f985-4250-96f9-8183cd04238b}w64; C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys [61080 2014-09-02] (StdLib)
C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys
C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys
C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys
2014-11-25 23:52 - 2014-12-07 23:30 - 00000764 _____ () C:\Windows\Tasks\pennybee Runner.job
2014-12-07 20:25 - 2014-06-25 22:15 - 00000000 ____D () C:\ProgramData\pennybee
Task: C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job => ? <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => ?
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\Astromenda.job => ?
Task: C:\Windows\Tasks\CW.job => ?
Task: C:\Windows\Tasks\GNNZ.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => ?
Task: C:\Windows\Tasks\pennybee Runner.job => ?
Task: C:\Windows\Tasks\Tempo Runner.job => ?
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => Value could not be deleted.
pcregservice => Error deleting Service

"C:\Program Files\pcreg" directory move:

Could not move "C:\Program Files\pcreg\a.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg\msvcr100.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg\nodown.txt" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg\pcreg.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg\service.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files\pcreg" directory. => Scheduled to move on reboot.

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\pcreg => Value could not be deleted.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\fst_us_239 => Value could not be deleted.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AnyProtect Scanner => Value could not be deleted.

"C:\Program Files (x86)\AnyProtectEx" directory move:

Could not move "C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\AnyProtectEx\product.guid" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\AnyProtectEx" directory. => Scheduled to move on reboot.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoControlPanel => Value could not be deleted.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value could not be deleted.

"C:\Windows\system32\GroupPolicy\Machine" directory move:

Could not move "C:\Windows\system32\GroupPolicy\Machine\Registry.pol" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\GroupPolicy\Machine" directory. => Scheduled to move on reboot.

Could not move "C:\Windows\system32\GroupPolicy\GPT.ini" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Policies\Google" => Error deleting key. The key could be protected.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\DatamngrCoordinator.exe" => Error deleting key. The key could be protected.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value could not be deleted.
"HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Error deleting key. The key could be protected.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Secondary Start Pages => Value could not be deleted.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => Error deleting key. The key could be protected.
"HKCR\CLSID\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CC865B26-C31D-4D23-B17B-96548EEF03F6}" => Error deleting key. The key could be protected.
"HKCR\CLSID\{CC865B26-C31D-4D23-B17B-96548EEF03F6}" => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Error setting value.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}" => Error deleting key. The key could be protected.
"HKCR\Wow6432Node\CLSID\{006ee092-9658-4fd6-bd8e-a21a348e59f5}" => Key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value could not be deleted.
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9C234A3C-49C9-45C0-AE72-75DA67DA969C}" => Error deleting key. The key could be protected.
"HKCR\CLSID\{9C234A3C-49C9-45C0-AE72-75DA67DA969C}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}" => Error deleting key. The key could be protected.
"HKCR\CLSID\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}" => Error deleting key. The key could be protected.
"C:\Program Files (x86)\Iminent" => File/Directory not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Error deleting key. The key could be protected.
"HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}" => Error deleting key. The key could be protected.
"HKCR\Wow6432Node\CLSID\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}" => Error deleting key. The key could be protected.
"HKCR\Wow6432Node\CLSID\{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}" => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{ae07101b-46d4-4a98-af68-0333ea26e113} => Value could not be deleted.
"HKCR\CLSID\{ae07101b-46d4-4a98-af68-0333ea26e113}" => Error deleting key. The key could be protected.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{ae07101b-46d4-4a98-af68-0333ea26e113} => Value could not be deleted.
"HKCR\Wow6432Node\CLSID\{ae07101b-46d4-4a98-af68-0333ea26e113}" => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{ae07101b-46d4-4a98-af68-0333ea26e113} => Value could not be deleted.
"HKCR\Wow6432Node\CLSID\{ae07101b-46d4-4a98-af68-0333ea26e113}" => Key not found.
f1f78e38 => Error deleting Service

"c:\ProgramData\WinSpeed" directory move:

Could not move "c:\ProgramData\WinSpeed\WinSpeed.dll" => Scheduled to move on reboot.
Could not move "c:\ProgramData\WinSpeed\WinSpeedSvc.dll" => Scheduled to move on reboot.
Could not move "c:\ProgramData\WinSpeed\WinSpeed_x64.dll" => Scheduled to move on reboot.
Could not move "c:\ProgramData\WinSpeed" directory. => Scheduled to move on reboot.

SupraSavingsService64 => Error deleting Service

"C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF" directory move:

Could not move "C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\64.ico" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\libeay32.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\nfapi.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\nfregdrv.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\ProtocolFilters.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\ssleay32.dll" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\SupraSavingsService64.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\uninstall_l.exe" => Scheduled to move on reboot.
Could not move "C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF" directory. => Scheduled to move on reboot.

pennybee => Error deleting Service
Update fassurun => Error deleting Service
wpennybeed => Error deleting Service

"C:\PROGRA~3\pennybee" directory move:

Could not move "C:\PROGRA~3\pennybee" directory. => Scheduled to move on reboot.

"C:\Program Files (x86)\fassurun" => File/Directory not found.
{55dce8ba-9dec-4013-937e-adbf9317d990}w64 => Error deleting Service
{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64 => Error deleting Service
{fef7f75c-f985-4250-96f9-8183cd04238b}w64 => Error deleting Service
Could not move "C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys" => Scheduled to move on reboot.
Could not move "C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys" => Scheduled to move on reboot.
Could not move "C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\pennybee Runner.job" => Scheduled to move on reboot.

"C:\ProgramData\pennybee" directory move:

Could not move "C:\ProgramData\pennybee" directory. => Scheduled to move on reboot.

Could not move "C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\Adobe Flash Player Updater.job" => Scheduled to move on reboot.
C:\Windows\Tasks\APSnotifierPP1.job => Moved successfully.
C:\Windows\Tasks\APSnotifierPP2.job => Moved successfully.
Could not move "C:\Windows\Tasks\Astromenda.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\CW.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\GNNZ.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\pennybee Runner.job" => Scheduled to move on reboot.
Could not move "C:\Windows\Tasks\Tempo Runner.job" => Scheduled to move on reboot.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-12-08 17:45:05)<=

==> ATTENTION: System is not rebooted.
"C:\Program Files\pcreg\a.exe" => File could not move.
"C:\Program Files\pcreg\msvcr100.dll" => File could not move.
"C:\Program Files\pcreg\nodown.txt" => File could not move.
"C:\Program Files\pcreg\pcreg.exe" => File could not move.
"C:\Program Files\pcreg\service.exe" => File could not move.
"C:\Program Files\pcreg" => Directory could not move.
"C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe" => File could not move.
"C:\Program Files (x86)\AnyProtectEx\product.guid" => File could not move.
"C:\Program Files (x86)\AnyProtectEx" => Directory could not move.
"C:\Windows\system32\GroupPolicy\Machine\Registry.pol" => File could not move.
"C:\Windows\system32\GroupPolicy\Machine" => Directory could not move.
"C:\Windows\system32\GroupPolicy\GPT.ini" => File could not move.
"c:\ProgramData\WinSpeed\WinSpeed.dll" => File could not move.
"c:\ProgramData\WinSpeed\WinSpeedSvc.dll" => File could not move.
"c:\ProgramData\WinSpeed\WinSpeed_x64.dll" => File could not move.
"c:\ProgramData\WinSpeed" => Directory could not move.
"C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\64.ico" => File could not move.
"C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\libeay32.dll" => File could not move.
"C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\nfapi.dll" => File could not move.
"C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\nfregdrv.exe" => File could not move.
"C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\ProtocolFilters.dll" => File could not move.
"C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\ssleay32.dll" => File could not move.
"C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\SupraSavingsService64.exe" => File could not move.
"C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\uninstall_l.exe" => File could not move.
"C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF" => Directory could not move.
"C:\PROGRA~3\pennybee" => Directory could not move.
"C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys" => File could not move.
"C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys" => File could not move.
"C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys" => File could not move.
"C:\Windows\Tasks\pennybee Runner.job" => File could not move.
"C:\ProgramData\pennybee" => Directory could not move.
"C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job" => File could not move.
"C:\Windows\Tasks\Adobe Flash Player Updater.job" => File could not move.
"C:\Windows\Tasks\Astromenda.job" => File could not move.
"C:\Windows\Tasks\CW.job" => File could not move.
"C:\Windows\Tasks\GNNZ.job" => File could not move.
"C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job" => File could not move.
"C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job" => File could not move.
"C:\Windows\Tasks\pennybee Runner.job" => File could not move.
"C:\Windows\Tasks\Tempo Runner.job" => File could not move.

==== End of Fixlog ====

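As an added example (not code from the thread or from Farbar's tool), here is a Python parser for the Fixlog format above. It classifies each "target => status" line, skips the echoed fixlist, and marks a "Scheduled to move on reboot" file as failed once FRST reports that it could not move after all, so the locked entries of this Safe Mode run and the "should be fixed outside recovery mode" entries of the Run:3 log later in the thread both land in the remaining-work list. The embedded sample logs are condensed excerpts of this thread's Run:2 and Run:3 Fixlogs; the status-phrase rules are an assumption based only on the phrases those logs contain.

```python
"""Classify each outcome line in a Farbar Recovery Scan Tool (FRST) Fixlog.txt.
Added example, not code from the thread or from Farbar; the status phrases and
the sample logs are taken from the Fixlogs quoted in this thread."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

SUCCESS, FAILED, DEFERRED = "success", "failed", "deferred-to-reboot"
NOT_FOUND, NEEDS_NORMAL_MODE, UNKNOWN = "not-found", "needs-normal-mode", "unknown"

# Status phrases as FRST prints them (assumed from this thread's logs); the first
# matching rule wins, so the specific recovery-mode error is tested first.
_STATUS_RULES = (
    (re.compile(r"should be fixed outside recovery mode", re.I), NEEDS_NORMAL_MODE),
    (re.compile(r"scheduled to move on reboot", re.I), DEFERRED),
    (re.compile(r"could not be deleted|error deleting|could not move|error setting|could be protected", re.I), FAILED),
    (re.compile(r"not found", re.I), NOT_FOUND),
    (re.compile(r"deleted successfully|moved successfully", re.I), SUCCESS),
)


@dataclass
class FixlogSummary:
    run: Optional[int] = None
    boot_mode: str = ""
    rebooted: Optional[bool] = None  # known only when FRST reports on deferred moves
    outcomes: dict = field(default_factory=dict)  # normalised target -> final outcome

    def counts(self) -> Counter:
        return Counter(self.outcomes.values())

    def remaining(self) -> list:
        # Still locked, deferred to a reboot that never happened, or refused by WinRE.
        return sorted(t for t, o in self.outcomes.items()
                      if o in (FAILED, DEFERRED, NEEDS_NORMAL_MODE))


def classify_status(status: str) -> str:
    for pattern, label in _STATUS_RULES:
        if pattern.search(status):
            return label
    return UNKNOWN


def _normalise_target(target: str) -> str:
    # 'Could not move "X" directory.' and '"X"' name the same object; strip FRST's
    # wrapping so the last report for an object overrides an earlier one.
    target = target.strip()
    if target.startswith("Could not move "):
        target = target[len("Could not move "):]
    if target.endswith(" directory."):
        target = target[:-len(" directory.")]
    return target.strip().strip('"')


def parse_fixlog(text: str) -> FixlogSummary:
    summary, in_fixlist = FixlogSummary(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line and set(line) == {"*"}:  # a row of asterisks brackets the echoed fixlist
            in_fixlist = not in_fixlist
            continue
        if in_fixlist or not line:  # the echoed fixlist holds no results
            continue
        if line.startswith("Ran by "):
            m = re.search(r"Run:(\d+)", line)
            summary.run = int(m.group(1)) if m else None
        elif line.startswith("Boot Mode: "):
            summary.boot_mode = line[len("Boot Mode: "):]
        elif line.startswith("==> ATTENTION: System is not rebooted"):
            summary.rebooted = False
        else:
            target, sep, status = line.rpartition(" => ")
            if sep and target:  # skips headers such as "=> Result of Scheduled Files ..."
                summary.outcomes[_normalise_target(target)] = classify_status(status)
    return summary


# Condensed excerpts of the thread's Run:2 (Safe Mode) and Run:3 (Recovery) Fixlogs.
SAFE_MODE_FIXLOG = r"""Ran by Jose at 2014-12-08 17:37:49 Run:2
Boot Mode: Safe Mode (minimal)
*****************
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
*****************
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => Value could not be deleted.
pcregservice => Error deleting Service
Could not move "C:\Program Files\pcreg\service.exe" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Policies\Google" => Error deleting key. The key could be protected.
C:\Windows\Tasks\APSnotifierPP1.job => Moved successfully.
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-12-08 17:45:05)<=
==> ATTENTION: System is not rebooted.
"C:\Program Files\pcreg\service.exe" => File could not move.
==== End of Fixlog ===="""

RECOVERY_FIXLOG = r"""Ran by SYSTEM at 2014-12-08 20:42:08 Run:3
Boot Mode: Recovery
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
C:\Program Files\pcreg => Moved successfully.
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION => Error: The entry should be fixed outside recovery mode.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\DatamngrCoordinator.exe" => Key deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value not found.
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File => Error: The entry should be fixed outside recovery mode.
==== End of Fixlog ===="""
```

Calling parse_fixlog(SAFE_MODE_FIXLOG).remaining() lists the four locked entries of the Safe Mode run, while the Recovery run leaves only the two browser-policy entries that FRST refuses to touch offline.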


#8 Egobrane
  • Topic Starter
  • Members

Posted 08 December 2014 - 05:48 PM

I wonder, is there any way to modify these anti-malware applications to circumvent the AppLocker policies? And is there any known way to elevate my privileges?



#9 fireman4it
  • Malware Response Team
  • Location:Greenup, Ill USA

Posted 08 December 2014 - 06:17 PM

I see you ran it in Safe Mode again. This is not what my directions said to do; this is why we are getting nowhere. Please read the directions again and run it from the System Recovery Options. The fix needs to be done using the System Recovery Options method or it will not work.

This post shows you how to run it in System Recovery mode.

This post tells you how to do the fix in System Recovery mode.


Edited by fireman4it, 08 December 2014 - 06:21 PM.



#10 Egobrane
  • Topic Starter
  • Members

Posted 08 December 2014 - 06:34 PM

Care to explain how I can do that in Windows 8 with no accessible administrative accounts other than the HomeGroup user? Every option outside of the 3 safe modes prompts for credentials from an administrative account. Would booting from a Windows 8 recovery disc work?

#11 fireman4it
  • Malware Response Team
  • Location:Greenup, Ill USA

Posted 08 December 2014 - 06:48 PM

Would booting from a windows 8 recovery disc work?

Yes, that would put you in System Recovery mode. Windows 8 should have a built-in System Recovery Option; press F8 and follow my directions above. You don't need admin account privileges for this, but go ahead and use the repair disc if you want; I have directions for using it also posted already in my previous post.


Edited by fireman4it, 08 December 2014 - 06:49 PM.



#12 Egobrane
  • Topic Starter
  • Members

Posted 08 December 2014 - 08:44 PM

Okay, the F8 options in Windows 8 are disabled by default unless you enable them. I was, however, able to access the repair console prompt with an installation USB, so thanks for that.

Here's the log of what was fixed this time:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-12-2014 01
Ran by SYSTEM at 2014-12-08 20:42:08 Run:3
Running from E:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
S2 pcregservice; C:\Program Files\pcreg\pcreg.exe
C:\Program Files\pcreg
HKLM-x32\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe [89816 2014-04-25] ()
HKLM-x32\...\Run: [fst_us_239] => [X]
HKLM-x32\...\Run: [AnyProtect Scanner] => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe [17071616 2014-09-02] (AnyProtect.com)
C:\Program Files (x86)\AnyProtectEx
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
IFEO\DatamngrCoordinator.exe: [Debugger] tasklist.exe
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL =
SearchScopes: HKLM-x32 -> DefaultScope 006ee092-9658-4fd6-bd8e-a21a348e59f5 URL =
SearchScopes: HKLM-x32 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfoa&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
SearchScopes: HKU\.DEFAULT -> {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
BHO: IMinent WebBooster (BHO) -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} -> C:\Program Files (x86)\Iminent\Minibar.InternetExplorer.BHOx64.dll No File
 C:\Program Files (x86)\Iminent
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: No Name -> {84FF7BD6-B47F-46F8-9130-01B2696B36CB} ->  No File
BHO-x32: No Name -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} ->  No File
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
S2 f1f78e38; c:\ProgramData\WinSpeed\WinSpeedSvc.dll [186192 2014-08-21] () [File not signed]
c:\ProgramData\WinSpeed
S2 SupraSavingsService64; C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF\SupraSavingsService64.exe [172544 2014-06-25] () [File not signed]
C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF
S2 pennybee; "C:\PROGRA~3\pennybee\pennybee.exe" /task=4 /InstallOn=0 /closebr=0 /active=24 /update=24 /interval=2880 /pubId=1004 /affId=10040004 /appId=116 /uId=1555C9A6-6BCC-46F4-B510-A4F19D62A1A4 /version= /Override=0 /regAppName=pennybee /curSID= /logf=\10040004_loger_06_12_00_32_11_-1987315651.txt /mac=BC8556E6740B /tst=none /ts2=1 [X]
S2 Update fassurun; "C:\Program Files (x86)\fassurun\updatefassurun.exe" [X]
S2 wpennybeed; "C:\PROGRA~3\pennybee\wpennybeed.exe" -scm [X]
C:\PROGRA~3\pennybee
C:\Program Files (x86)\fassurun
S1 {55dce8ba-9dec-4013-937e-adbf9317d990}w64; C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys [61072 2014-07-30] (StdLib)
S1 {9d5747ee-0448-4681-8337-1555de75a3b6}Gw64; C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys [61120 2014-05-06] (StdLib)
S1 {fef7f75c-f985-4250-96f9-8183cd04238b}w64; C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys [61080 2014-09-02] (StdLib)
C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys
C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys
C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys
2014-11-25 23:52 - 2014-12-07 23:30 - 00000764 _____ () C:\Windows\Tasks\pennybee Runner.job
2014-12-07 20:25 - 2014-06-25 22:15 - 00000000 ____D () C:\ProgramData\pennybee
Task: C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job => ? <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => ?
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\Astromenda.job => ?
Task: C:\Windows\Tasks\CW.job => ?
Task: C:\Windows\Tasks\GNNZ.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job => ?
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => ?
Task: C:\Windows\Tasks\pennybee Runner.job => ?
Task: C:\Windows\Tasks\Tempo Runner.job => ?
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
pcregservice => Service deleted successfully.
C:\Program Files\pcreg => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\fst_us_239 => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AnyProtect Scanner => value deleted successfully.
C:\Program Files (x86)\AnyProtectEx => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoControlPanel => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value deleted successfully.
C:\Windows\System32\GroupPolicy\Machine => Moved successfully.
C:\Windows\System32\GroupPolicy\GPT.ini => Moved successfully.
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION => Error: The entry should be fixed outside recovery mode.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\DatamngrCoordinator.exe" => Key deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value not found.
"HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key not found.
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL = => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKLM-x32 -> DefaultScope 006ee092-9658-4fd6-bd8e-a21a348e59f5 URL = => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKLM-x32 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfoa&q={searchTerms} => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKU\.DEFAULT -> DefaultScope {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL = => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKU\.DEFAULT -> {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL = => Error: The entry should be fixed outside recovery mode.
BHO: IMinent WebBooster (BHO) -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} -> C:\Program Files (x86)\Iminent\Minibar.InternetExplorer.BHOx64.dll No File => Error: The entry should be fixed outside recovery mode.
"C:\Program Files (x86)\Iminent" => File/Directory not found.
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File => Error: The entry should be fixed outside recovery mode.
BHO-x32: No Name -> {84FF7BD6-B47F-46F8-9130-01B2696B36CB} ->  No File => Error: The entry should be fixed outside recovery mode.
BHO-x32: No Name -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} ->  No File => Error: The entry should be fixed outside recovery mode.
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File => Error: The entry should be fixed outside recovery mode.
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File => Error: The entry should be fixed outside recovery mode.
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File => Error: The entry should be fixed outside recovery mode.
f1f78e38 => Service deleted successfully.
c:\ProgramData\WinSpeed => Moved successfully.
SupraSavingsService64 => Service deleted successfully.
C:\Program Files (x86)\6E6B36EB-9156-411B-B951-C735F4747DCF => Moved successfully.
pennybee => Service deleted successfully.
Update fassurun => Service deleted successfully.
wpennybeed => Service deleted successfully.
C:\PROGRA~3\pennybee => Moved successfully.
"C:\Program Files (x86)\fassurun" => File/Directory not found.
{55dce8ba-9dec-4013-937e-adbf9317d990}w64 => Service deleted successfully.
{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64 => Service deleted successfully.
{fef7f75c-f985-4250-96f9-8183cd04238b}w64 => Service deleted successfully.
C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}w64.sys => Moved successfully.
C:\Windows\System32\drivers\{9d5747ee-0448-4681-8337-1555de75a3b6}Gw64.sys => Moved successfully.
C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys => Moved successfully.
C:\Windows\Tasks\pennybee Runner.job => Moved successfully.
"C:\ProgramData\pennybee" => File/Directory not found.
Task: C:\Windows\Tasks\9046c00c-af8b-420b-873b-632fa42a58e2-4.job => ? <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => ? => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\Astromenda.job => ? => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\CW.job => ? => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\GNNZ.job => ? => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4fa9b4576a5.job => ? => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => ? => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\pennybee Runner.job => ? => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\Tempo Runner.job => ? => Error: The entry should be fixed outside recovery mode.

==== End of Fixlog ====
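The Fixlog above mixes three outcomes: entries FRST removed or moved, entries that were already gone, and entries it refused to touch because the fix was run from the recovery environment ("The entry should be fixed outside recovery mode"). As an added example (not code from this thread, from FRST or from its author), the script below parses Fixlog.txt result lines and pulls the "<==== ATTENTION" entries and boot-mode/privilege header out of an FRST.txt scan, so a long log reduces to what is fixed, what is absent, and what still has to be re-run from Normal or Safe mode. The "target => result" line shape and the ATTENTION marker are assumed from the logs quoted in this thread; the sample inputs are constructed from those lines.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) logs.

Added example, not part of the thread or of FRST. The "target => result"
Fixlog line shape and the "<==== ATTENTION" marker are assumed from the
logs quoted above; the sample inputs below are constructed from them.
"""
import re
from collections import Counter

ATTENTION_RE = re.compile(r"\s*<=+\s*ATTENTION\b")
RESULT_SEP = " => "

# Constructed sample: Fixlog.txt result lines in the shape seen in the thread.
SAMPLE_FIXLOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\pcreg => value deleted successfully.
pcregservice => Service deleted successfully.
C:\Program Files\pcreg => Moved successfully.
"C:\Program Files (x86)\fassurun" => File/Directory not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => Value not found.
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
==== End of Fixlog ====
"""

# Constructed sample: header and two entries from an FRST.txt scan.
SAMPLE_FRST = r"""
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-12-2014 01
Ran by Jose (ATTENTION: The logged in user is not administrator) on PABON on 08-12-2014 21:39:44
Boot Mode: Normal
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
"""


def classify(result: str) -> str:
    """Map the text after ' => ' to a triage status."""
    r = result.lower()
    if r.startswith("error:"):
        # FRST declines some registry fixes when run from the recovery
        # environment; those must be re-run from Normal or Safe mode.
        return "needs_normal_mode" if "outside recovery mode" in r else "error"
    if "successfully" in r:
        return "fixed"
    if "not found" in r:
        return "absent"  # already gone, nothing left to do
    return "other"


def parse_fixlog(text: str) -> list:
    """Parse Fixlog result lines; separators and banner lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("===="):
            continue
        target, sep, result = line.rpartition(RESULT_SEP)
        if not sep:
            continue  # not a "target => result" line
        entries.append({
            "target": ATTENTION_RE.sub("", target).strip(),
            "result": result.strip(),
            "status": classify(result),
            "flagged": bool(ATTENTION_RE.search(line)),
        })
    return entries


def summarize(entries: list) -> dict:
    """Count entries per triage status."""
    return dict(Counter(e["status"] for e in entries))


def pending(entries: list) -> list:
    """Targets that still need a fix run from Normal or Safe mode."""
    return [e["target"] for e in entries if e["status"] == "needs_normal_mode"]


def attention_entries(text: str) -> list:
    """FRST.txt lines the tool itself flagged with '<==== ATTENTION'."""
    return [ATTENTION_RE.sub("", ln).strip()
            for ln in text.splitlines() if ATTENTION_RE.search(ln)]


def scan_context(text: str) -> dict:
    """Boot mode and privilege of an FRST.txt scan, read from its header."""
    boot = re.search(r"^Boot Mode:\s*(\S+)", text, re.M)
    return {
        "boot_mode": boot.group(1) if boot else None,
        "run_as_admin": "The logged in user is not administrator" not in text,
    }


if __name__ == "__main__":
    entries = parse_fixlog(SAMPLE_FIXLOG)
    print("fixlog summary:", summarize(entries))
    for target in pending(entries):
        print("re-run from Normal/Safe mode:", target)
    print("scan context:", scan_context(SAMPLE_FRST))
    for entry in attention_entries(SAMPLE_FRST):
        print("flagged:", entry)
```

Run against a real Fixlog.txt and FRST.txt by reading the files into the two functions; the `pending` list is exactly what has to go back into a fixlist once the machine boots to Normal or Safe mode, and `scan_context` makes the two problems the helper raised (scan taken from Recovery mode, scan taken as a non-administrator) visible without reading the header by hand.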



#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 08 December 2014 - 09:21 PM

OK that is much better. Now see if you have control of the system in regular mode. Please run FRST again and post the FRST.txt log. Make sure to run the scan in Recovery mode.


Edited by fireman4it, 08 December 2014 - 09:23 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 Egobrane

Egobrane
  • Topic Starter
  • Members
  • 12 posts

Posted 08 December 2014 - 09:50 PM

Did you want me to run the scan in Recovery mode where I ran the fix previously? If so, that's posted below. I also scanned it while booting the PC in normal mode and those results are in italics below that. I still have a limited account and the group policy settings remain. However, when I booted in normal mode the usual popups did not display, although the system is still clearly infected. I was able to open REGEDIT in the command prompt via recovery console and remove these group policies, but after that I booted straight to normal mode and the settings were reset.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-12-2014 01
Ran by SYSTEM on MININT-6AHN7VU on 08-12-2014 21:30:31
Running from E:\
Platform: Windows 8 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13538376 2013-05-12] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1307720 2013-04-24] (Realtek Semiconductor)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132224 2013-02-28] ( (Qualcomm Atheros Commnucations))
HKU\Default\...\RunOnce: [RegAutoPlay] => C:\Windows\system32\cmd.exe /c reg import "C:\Program Files (x86)\Acer\Acer Media_\RegAutoPlay.reg"
HKU\Default\...\RunOnce: [RegDXVA1] => C:\Windows\system32\cmd.exe /c reg import "C:\Program Files (x86)\Acer\Acer Media_\SwitchUserVideoKey.reg"
HKU\Default User\...\RunOnce: [RegAutoPlay] => C:\Windows\system32\cmd.exe /c reg import "C:\Program Files (x86)\Acer\Acer Media_\RegAutoPlay.reg"
HKU\Default User\...\RunOnce: [RegDXVA1] => C:\Windows\system32\cmd.exe /c reg import "C:\Program Files (x86)\Acer\Acer Media_\SwitchUserVideoKey.reg"
HKU\Jose\...\Run: [AcerCloud] => C:\Program Files (x86)\Acer\Acer Portal\acpanel_win.exe [2524416 2014-06-30] ()
Startup: C:\Users\Jose\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [227968 2013-02-28] (Qualcomm Atheros Commnucations)
S3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [660040 2013-01-18] (Acer Incorporated)
S2 GlobalUpdater; C:\Program Files (x86)\Common Files\IMGUpdater\IMGUpdater.exe [378152 2014-08-13] (SIEN S.A.)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-03-19] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-03-19] (Intel Corporation)
S2 LMSvc; C:\Program Files\Acer\Acer Launch Manager\LMSvc.exe [431656 2013-04-25] (Acer Incorporate)
S2 McAfee SiteAdvisor Service; c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [155856 2014-06-03] (McAfee, Inc.)
S2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178048 2013-11-28] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\mcafee\actwiz\McAWFwk.exe [334760 2012-12-21] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 MfeASUM; C:\Program Files\McAfee\AppStats\MfeASUM.exe [335216 2013-10-31] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1025232 2013-12-11] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219272 2013-12-05] (McAfee, Inc.)
S2 mfevtp; C:\windows\system32\mfevtps.exe [184800 2013-12-05] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3943104 2012-08-15] (Symantec Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16032 2014-09-21] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [5139968 2012-06-02] (Broadcom Corporation)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-02-28] (Qualcomm Atheros)
S3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-25] (Microsoft Corporation)
S1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-12-05] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-01-09] (Acer Incorporated)
S3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-03-19] (Intel Corporation)
S2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179792 2013-12-05] (McAfee, Inc.)
S1 MfeASKM; C:\Program Files\McAfee\AppStats\MfeASKM.sys [31408 2013-10-31] (McAfee, Inc.)
S2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311120 2013-12-05] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [69344 2013-12-05] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [519576 2013-12-05] (McAfee, Inc.)
S2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782616 2013-12-05] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [411944 2013-11-26] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [96112 2013-11-26] (McAfee, Inc.)
S2 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [343696 2013-12-05] (McAfee, Inc.)
S1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [46376 2014-06-12] (NetFilterSDK.com)
S3 QRDCIO; C:\Windows\System32\drivers\QRDCIO.sys [9728 2009-10-20] (QUANTA)
S3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [15704 2013-01-09] (Acer Incorporated)
S3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [455240 2013-03-05] (RTS Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-08 20:30 - 2014-12-08 20:30 - 00000000 _____ () C:\Recovery.txt
2014-12-07 13:05 - 2014-12-08 21:19 - 00000000 ____D () C:\FRST
2014-11-30 20:59 - 2014-11-18 23:29 - 00582552 _____ (Microsoft Corporation) C:\Windows\System32\AutoUpdate.exe
2014-11-30 20:59 - 2014-11-18 23:29 - 00462760 _____ (Microsoft Corporation) C:\Windows\System32\NotificationUI.exe
2014-11-22 00:20 - 2014-11-04 22:40 - 00304128 _____ (Microsoft Corporation) C:\Windows\System32\generaltel.dll
2014-11-22 00:20 - 2014-11-04 22:38 - 00228864 _____ (Microsoft Corporation) C:\Windows\System32\aepdu.dll
2014-11-22 00:20 - 2014-11-04 19:16 - 00556544 _____ (Microsoft Corporation) C:\Windows\System32\aeinv.dll
2014-11-22 00:20 - 2014-10-25 17:56 - 02237952 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2014-11-22 00:20 - 2014-10-25 17:56 - 01409536 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2014-11-22 00:20 - 2014-10-25 17:56 - 00915968 _____ (Microsoft Corporation) C:\Windows\System32\uxtheme.dll
2014-11-22 00:20 - 2014-10-25 17:56 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\UXInit.dll
2014-11-22 00:20 - 2014-10-25 17:56 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2014-11-22 00:20 - 2014-10-25 17:55 - 19284480 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-11-22 00:20 - 2014-10-25 17:55 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2014-11-22 00:20 - 2014-10-25 17:55 - 00197120 _____ (Microsoft Corporation) C:\Windows\System32\msrating.dll
2014-11-22 00:20 - 2014-10-25 17:55 - 00097280 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 15399424 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 02655232 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 00451584 _____ (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 00281600 _____ (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 00255488 _____ (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 00053760 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2014-11-22 00:20 - 2014-10-25 17:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2014-11-22 00:20 - 2014-10-25 17:53 - 01509376 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2014-11-22 00:20 - 2014-10-25 16:36 - 01762816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-22 00:20 - 2014-10-25 16:35 - 14368768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-22 00:20 - 2014-10-25 16:35 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-22 00:20 - 2014-10-25 16:35 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-22 00:20 - 2014-10-25 16:35 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-22 00:20 - 2014-10-25 16:35 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-22 00:20 - 2014-10-25 16:35 - 00044032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UXInit.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 13758464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 02055168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-22 00:20 - 2014-10-25 16:34 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-22 00:20 - 2014-10-25 16:34 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-22 00:20 - 2014-10-25 16:19 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2014-11-22 00:20 - 2014-10-25 16:13 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-22 00:20 - 2014-10-25 13:48 - 00534528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll
2014-11-22 00:20 - 2014-10-02 17:21 - 00522728 _____ (Microsoft Corporation) C:\Windows\System32\AUDIOKSE.dll
2014-11-22 00:20 - 2014-10-02 14:29 - 00783872 _____ (Microsoft Corporation) C:\Windows\System32\audiosrv.dll
2014-11-22 00:20 - 2014-10-02 14:29 - 00267264 _____ (Microsoft Corporation) C:\Windows\System32\EncDump.dll
2014-11-22 00:20 - 2014-10-02 14:29 - 00169472 _____ (Microsoft Corporation) C:\Windows\System32\AudioEndpointBuilder.dll
2014-11-22 00:20 - 2014-10-01 15:05 - 04068864 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2014-11-22 00:20 - 2014-09-21 21:53 - 00035320 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\WdBoot.sys
2014-11-22 00:20 - 2014-08-26 14:08 - 00270024 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\WdFilter.sys
2014-11-22 00:19 - 2014-09-12 22:24 - 02233152 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2014-11-22 00:19 - 2014-09-02 18:48 - 00457728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2014-11-22 00:19 - 2014-09-02 18:48 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2014-11-22 00:19 - 2014-09-02 18:22 - 00188928 _____ (Microsoft Corporation) C:\Windows\System32\rpchttp.dll
2014-11-22 00:19 - 2014-09-02 18:21 - 00623104 _____ (Microsoft Corporation) C:\Windows\System32\dnsapi.dll
2014-11-22 00:19 - 2014-09-02 18:21 - 00212992 _____ (Microsoft Corporation) C:\Windows\System32\dnsrslvr.dll
2014-11-22 00:19 - 2014-08-28 20:17 - 02043392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-11-22 00:19 - 2014-08-28 20:17 - 00227328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-11-22 00:19 - 2014-08-28 20:04 - 02837504 _____ (Microsoft Corporation) C:\Windows\System32\WsmSvc.dll
2014-11-22 00:19 - 2014-08-28 20:04 - 00309248 _____ (Microsoft Corporation) C:\Windows\System32\WsmWmiPl.dll
2014-11-22 00:19 - 2014-08-27 22:04 - 00499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FXSCOMEX.dll
2014-11-22 00:19 - 2014-08-27 22:04 - 00227840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FXSAPI.dll
2014-11-22 00:19 - 2014-08-27 21:59 - 00616448 _____ (Microsoft Corporation) C:\Windows\System32\FXSAPI.dll
2014-11-22 00:19 - 2014-08-27 21:59 - 00609280 _____ (Microsoft Corporation) C:\Windows\System32\FXSCOMEX.dll
2014-11-22 00:19 - 2014-08-27 21:59 - 00432640 _____ (Microsoft Corporation) C:\Windows\System32\FXSTIFF.dll
2014-11-22 00:19 - 2014-08-27 21:59 - 00254976 _____ (Microsoft Corporation) C:\Windows\System32\FXST30.dll
2014-11-22 00:19 - 2014-07-24 05:12 - 00328512 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\Classpnp.sys
2014-11-22 00:14 - 2014-10-18 00:44 - 00778240 _____ (Microsoft Corporation) C:\Windows\System32\oleaut32.dll
2014-11-22 00:14 - 2014-10-17 23:05 - 00567808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-22 00:04 - 2014-11-08 03:22 - 00238080 _____ (Microsoft Corporation) C:\Windows\System32\pku2u.dll
2014-11-22 00:04 - 2014-11-08 03:21 - 00827904 _____ (Microsoft Corporation) C:\Windows\System32\kerberos.dll
2014-11-22 00:04 - 2014-11-07 22:57 - 00187904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2014-11-22 00:04 - 2014-11-07 22:56 - 00666624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-22 00:04 - 2014-10-23 04:47 - 00079872 _____ (Microsoft Corporation) C:\Windows\System32\packager.dll
2014-11-22 00:04 - 2014-10-23 03:04 - 00068096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-22 00:04 - 2014-10-11 00:35 - 00171840 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2014-11-22 00:04 - 2014-10-10 23:45 - 10115072 _____ (Microsoft Corporation) C:\Windows\System32\twinui.dll
2014-11-22 00:04 - 2014-10-10 23:44 - 03248640 _____ (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2014-11-22 00:04 - 2014-10-10 23:44 - 02885632 _____ (Microsoft Corporation) C:\Windows\System32\msi.dll
2014-11-22 00:04 - 2014-10-10 23:44 - 00588288 _____ (Microsoft Corporation) C:\Windows\System32\SHCore.dll
2014-11-22 00:04 - 2014-10-10 23:44 - 00393216 _____ (Microsoft Corporation) C:\Windows\System32\msihnd.dll
2014-11-22 00:04 - 2014-10-10 23:43 - 02307072 _____ (Microsoft Corporation) C:\Windows\System32\authui.dll
2014-11-22 00:04 - 2014-10-10 23:43 - 01281536 _____ (Microsoft Corporation) C:\Windows\System32\lsasrv.dll
2014-11-22 00:04 - 2014-10-10 21:58 - 08858624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2014-11-22 00:04 - 2014-10-10 21:57 - 02416640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-11-22 00:04 - 2014-10-10 21:57 - 00452608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SHCore.dll
2014-11-22 00:04 - 2014-10-10 21:57 - 00295424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2014-11-22 00:04 - 2014-10-10 21:56 - 02037760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2014-11-22 00:04 - 2014-10-10 21:41 - 00713728 _____ (Microsoft Corporation) C:\Windows\System32\adtschema.dll
2014-11-22 00:04 - 2014-10-10 21:41 - 00146944 _____ (Microsoft Corporation) C:\Windows\System32\msaudite.dll
2014-11-22 00:04 - 2014-10-10 21:05 - 00146944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-22 00:04 - 2014-10-10 21:04 - 00713728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-22 00:04 - 2014-09-24 15:29 - 00318976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-22 00:04 - 2014-09-24 15:29 - 00072192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncryptsslp.dll
2014-11-22 00:04 - 2014-09-24 15:01 - 00414208 _____ (Microsoft Corporation) C:\Windows\System32\schannel.dll
2014-11-22 00:04 - 2014-09-24 15:01 - 00086528 _____ (Microsoft Corporation) C:\Windows\System32\ncryptsslp.dll
2014-11-22 00:04 - 2014-08-21 15:56 - 01418752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-22 00:04 - 2014-08-21 15:27 - 01845760 _____ (Microsoft Corporation) C:\Windows\System32\msxml3.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-08 16:05 - 2012-07-25 23:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-08 15:25 - 2012-07-25 21:26 - 00524288 ___SH () C:\Windows\System32\config\BBI
2014-12-08 14:44 - 2014-09-02 13:44 - 00001338 _____ () C:\Windows\Tasks\CW.job
2014-12-08 14:44 - 2012-07-25 23:21 - 00437682 _____ () C:\Windows\setupact.log
2014-12-08 12:42 - 2014-07-03 15:01 - 00000000 ____D () C:\Users\Jose\AppData\Local\CrashDumps
2014-12-08 11:20 - 2012-07-25 23:28 - 00848230 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-12-05 21:32 - 2012-07-25 21:26 - 00262144 ___SH () C:\Windows\System32\config\ELAM
2014-12-05 21:12 - 2014-07-31 04:12 - 00000300 _____ () C:\Windows\Tasks\Astromenda.job
2014-12-05 19:00 - 2012-07-26 00:12 - 00000000 ____D () C:\Windows\System32\sru
2014-12-05 18:20 - 2013-06-11 21:57 - 01455506 _____ () C:\Windows\WindowsUpdate.log
2014-12-01 22:22 - 2013-11-21 22:07 - 00000000 ____D () C:\Users\Jose\Documents\Bluetooth Folder
2014-11-30 21:05 - 2012-07-25 23:59 - 00000000 ____D () C:\Windows\CbsTemp
2014-11-25 13:10 - 2013-12-25 13:24 - 00003718 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-11-24 22:47 - 2012-07-26 00:12 - 00000000 ____D () C:\Windows\rescache
2014-11-24 22:20 - 2013-05-12 22:40 - 00062640 _____ () C:\Windows\PFRO.log
2014-11-23 20:45 - 2012-07-26 00:12 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-11-23 11:59 - 2014-10-23 06:48 - 00429976 _____ () C:\Windows\System32\FNTCACHE.DAT
2014-11-23 11:24 - 2014-07-10 17:59 - 00000000 ___SD () C:\Windows\System32\CompatTel
2014-11-23 11:24 - 2012-07-26 00:12 - 00000000 ____D () C:\Program Files\Windows Defender
2014-11-23 11:24 - 2012-07-26 00:12 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2014-11-23 11:23 - 2012-07-26 00:12 - 00000000 ___RD () C:\Windows\ToastData
2014-11-22 00:22 - 2013-11-11 16:03 - 00000000 ____D () C:\Windows\System32\MRT
2014-11-22 00:18 - 2013-11-11 16:03 - 103374192 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2014-11-20 22:43 - 2013-10-31 19:46 - 00000000 ____D () C:\users\Jose
2014-11-20 12:56 - 2014-10-21 10:45 - 00713672 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-11-20 12:56 - 2014-10-21 10:45 - 00106440 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2014-10-19 14:31] - [2014-06-27 22:57] - 1341952 ____A (Microsoft Corporation) FAC7814096952227B0EBB08175D82B40

C:\Windows\SysWOW64\User32.dll
[2014-10-19 14:31] - [2014-06-27 18:23] - 1126400 ____A (Microsoft Corporation) BBC180F529B08A65100536A08724ED58

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2014-10-19 14:32] - [2014-07-04 02:52] - 0328000 ____A (Microsoft Corporation) AA37946941ED3805AB3A924965907147


==================== Restore Points  =========================

Restore point made on: 2014-11-11 07:30:33
Restore point made on: 2014-11-22 00:17:22
Restore point made on: 2014-11-30 21:04:20

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 7848.27 MB
Available physical RAM: 7017.98 MB
Total Pagefile: 7848.27 MB
Available Pagefile: 7039.63 MB
Total Virtual: 8192 MB
Available Virtual: 8191.87 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:681.39 GB) (Free:613.13 GB) NTFS
Drive d: (ESD-USB) (Removable) (Total:7.8 GB) (Free:5.1 GB) FAT32
Drive e: () (Removable) (Total:0.12 GB) (Free:0.08 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: 7066BAC8)

Partition: GPT Partition Type.

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 7.8 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

========================================================
Disk: 2 (Size: 123.5 MB) (Disk ID: 218A2286)
Partition 1: (Active) - (Size=123 MB) - (Type=06)


LastRegBack: 2014-11-27 21:19

==================== End Of Log ============================

NORMAL MODE SCAN:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-12-2014 01
Ran by Jose (ATTENTION: The logged in user is not administrator) on PABON on 08-12-2014 21:39:44
Running from D:\
Loaded Profile: Jose (Available profiles: Jose)
Platform: Windows 8 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe
(Dolby Laboratories Inc.) C:\Dolby PCEE4\pcee4.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
() C:\Program Files (x86)\Acer\Acer Portal\acpanel_win.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Power Management\ePowerTray.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13538376 2013-05-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1307720 2013-04-24] (Realtek Semiconductor)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe [132224 2013-02-28] ( (Qualcomm Atheros Commnucations))
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\...\Run: [AcerCloud] => C:\Program Files (x86)\Acer\Acer Portal\acpanel_win.exe [2524416 2014-06-30] ()
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
Startup: C:\Users\Jose\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2010 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:55211;https=127.0.0.1:55211
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://t.msn.com/
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer13.msn.com/
HKU\S-1-5-21-1568040461-2792508260-1395258070-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acer13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages =
SearchScopes: HKLM -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKLM -> {CC865B26-C31D-4D23-B17B-96548EEF03F6} URL =
SearchScopes: HKLM-x32 -> DefaultScope 006ee092-9658-4fd6-bd8e-a21a348e59f5 URL =
SearchScopes: HKLM-x32 -> {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPAMW02fR3s5PAVMZpZbM61lWNTdgwQHuH_l8fMQr5kRlG85BPTEaWjLGpjdkXRl9OUtvOkpbbZGb4xAyGvgBcWcRKjsJnDE68nJqF1eMCa6ZiB6N9f7ZgEIG5wN7EoQBrqdwcI8QFCdVg-7bFX5ia23Zvbc7a-lMyrCxbHvJFzbfoa&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
SearchScopes: HKU\.DEFAULT -> {9C234A3C-49C9-45C0-AE72-75DA67DA969C} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
BHO: IMinent WebBooster (BHO) -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} -> C:\Program Files (x86)\Iminent\Minibar.InternetExplorer.BHOx64.dll No File
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: No Name -> {84FF7BD6-B47F-46F8-9130-01B2696B36CB} ->  No File
BHO-x32: No Name -> {A09AB6EB-31B5-454C-97EC-9B294D92EE2A} ->  No File
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} -  No File
DPF: HKLM-x32 {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} https://www36.verizon.com/FiOSVoice/UnProtected/FiosVoiceVMUtil.CAB
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
Hosts: 127.0.0.1            d3oxij66pru1i3.cloudfront.net
Tcpip\Parameters: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{220025FD-E1A0-4F21-9736-150BCF17A071}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{4B5CA3CB-995A-40DC-ADE9-DF369AF8D0F2}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{633A3964-B654-423E-AE3A-1E7BD95024C6}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{97e1de57-d6fa-11e1-be62-806e6f6e6963}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{A64C2227-EEEF-4667-8335-8125D9EFD984}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{C02CAB3E-C922-4371-A1DD-E72CF76EF979}: [NameServer] 184.172.114.130,208.43.110.90
Tcpip\..\Interfaces\{DBB9C189-F540-420B-949E-091A47B3341B}: [NameServer] 184.172.114.130,208.43.110.90

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_239.dll ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_239.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=3.5.20 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll No File
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2013-05-13]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2013-05-13]

Chrome:
=======
CHR Profile: C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Speedial) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\bakijjialdiiboeaknfpmflphhmljfkd [2014-06-25]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-30]
CHR Extension: (Groovorio New Tab) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\blmchfpimpbbdmgpcieclabeafkljbhm [2014-09-02]
CHR Extension: (Hangouts) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\nckgahadagoaajjgafhacjanaoiihapd [2014-08-12]
CHR Extension: (Google Wallet) - C:\Users\Jose\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-04]
CHR HKLM\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - No Path
CHR HKLM-x32\...\Chrome\Extension: [blmchfpimpbbdmgpcieclabeafkljbhm] - No Path
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [eihhgekonheiliaidomffpplfhecmkag] - No Path
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - No Path
CHR HKLM-x32\...\Chrome\Extension: [nbljechdpodpbchbmjcoamidppmpnmlc] - No Path

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Qualcomm Atheros\Bluetooth Suite\adminservice.exe [227968 2013-02-28] (Qualcomm Atheros Commnucations)
R3 ePowerSvc; C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe [660040 2013-01-18] (Acer Incorporated)
R2 GlobalUpdater; C:\Program Files (x86)\Common Files\IMGUpdater\IMGUpdater.exe [378152 2014-08-13] (SIEN S.A.)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [731648 2013-02-13] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [820184 2013-02-13] (Intel® Corporation)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-03-20] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-03-20] (Intel Corporation)
R2 LeapFrog Connect Device Service; C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe [7393280 2013-11-27] (LeapFrog Enterprises, Inc.) [File not signed]
R2 lmhosts; C:\Windows\system32\svchost.exe [29696 2013-04-21] (Microsoft Corporation)
R2 lmhosts; C:\Windows\SysWOW64\svchost.exe [23040 2013-04-21] (Microsoft Corporation)
R2 LMSvc; C:\Program Files\Acer\Acer Launch Manager\LMSvc.exe [431656 2013-04-25] (Acer Incorporate)
R2 McAfee SiteAdvisor Service; c:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [155856 2014-06-03] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178048 2013-11-28] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\mcafee\actwiz\McAWFwk.exe [334760 2012-12-21] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [602944 2013-08-02] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 MfeASUM; C:\Program Files\McAfee\AppStats\MfeASUM.exe [335216 2013-10-31] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1025232 2013-12-11] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219272 2013-12-05] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [184800 2013-12-05] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 NlaSvc; C:\Windows\System32\svchost.exe [29696 2013-04-21] (Microsoft Corporation)
R2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [23040 2013-04-21] (Microsoft Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3943104 2012-08-15] (Symantec Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [29696 2013-04-21] (Microsoft Corporation)
R2 nsi; C:\Windows\SysWOW64\svchost.exe [23040 2013-04-21] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16032 2014-09-22] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [5139968 2012-06-02] (Broadcom Corporation)
R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-02-28] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [202752 2012-07-25] (Microsoft Corporation)
R1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-12-05] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R3 LMDriver; C:\Windows\System32\drivers\LMDriver.sys [21360 2013-01-09] (Acer Incorporated)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-03-20] (Intel Corporation)
R2 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179792 2013-12-05] (McAfee, Inc.)
R1 MfeASKM; C:\Program Files\McAfee\AppStats\MfeASKM.sys [31408 2013-10-31] (McAfee, Inc.)
R2 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [311120 2013-12-05] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [69344 2013-12-05] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [519576 2013-12-05] (McAfee, Inc.)
R2 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [782616 2013-12-05] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [411944 2013-11-26] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [96112 2013-11-26] (McAfee, Inc.)
R2 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [343696 2013-12-05] (McAfee, Inc.)
R1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [46376 2014-06-12] (NetFilterSDK.com)
S3 QRDCIO; C:\Windows\System32\drivers\QRDCIO.sys [9728 2009-10-20] (QUANTA)
R3 RadioShim; C:\Windows\System32\drivers\RadioShim.sys [15704 2013-01-09] (Acer Incorporated)
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [455240 2013-03-05] (RTS Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-08 23:30 - 2014-12-08 23:30 - 00000000 _____ () C:\Recovery.txt
2014-12-08 17:41 - 2014-12-08 17:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2014-12-07 16:05 - 2014-12-08 21:39 - 00000000 ____D () C:\FRST
2014-12-05 21:59 - 2014-12-05 21:59 - 00002215 _____ () C:\Users\Jose\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tech Live Connect Technical Support.lnk
2014-11-30 23:59 - 2014-11-19 02:29 - 00582552 _____ (Microsoft Corporation) C:\Windows\system32\AutoUpdate.exe
2014-11-30 23:59 - 2014-11-19 02:29 - 00462760 _____ (Microsoft Corporation) C:\Windows\system32\NotificationUI.exe
2014-11-22 03:20 - 2014-11-05 01:40 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-22 03:20 - 2014-11-05 01:38 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-22 03:20 - 2014-11-04 22:16 - 00556544 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 02237952 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 01409536 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 00915968 _____ (Microsoft Corporation) C:\Windows\system32\uxtheme.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\UXInit.dll
2014-11-22 03:20 - 2014-10-25 20:56 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-22 03:20 - 2014-10-25 20:55 - 19284480 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-22 03:20 - 2014-10-25 20:55 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-22 03:20 - 2014-10-25 20:55 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-22 03:20 - 2014-10-25 20:55 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 15399424 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 02655232 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-22 03:20 - 2014-10-25 20:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-22 03:20 - 2014-10-25 20:53 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-22 03:20 - 2014-10-25 19:36 - 01762816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 14368768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-22 03:20 - 2014-10-25 19:35 - 00044032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\UXInit.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 13758464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 02055168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-22 03:20 - 2014-10-25 19:34 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-22 03:20 - 2014-10-25 19:34 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-22 03:20 - 2014-10-25 19:19 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-22 03:20 - 2014-10-25 19:13 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-22 03:20 - 2014-10-25 16:48 - 00534528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\uxtheme.dll
2014-11-22 03:20 - 2014-10-02 20:21 - 00522728 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-22 03:20 - 2014-10-02 17:29 - 00783872 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-22 03:20 - 2014-10-02 17:29 - 00267264 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-22 03:20 - 2014-10-02 17:29 - 00169472 _____ (Microsoft Corporation) C:\Windows\system32\AudioEndpointBuilder.dll
2014-11-22 03:20 - 2014-10-01 18:05 - 04068864 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-22 03:20 - 2014-09-22 00:53 - 00035320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdBoot.sys
2014-11-22 03:20 - 2014-08-26 17:08 - 00270024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdFilter.sys
2014-11-22 03:19 - 2014-09-13 01:24 - 02233152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2014-11-22 03:19 - 2014-09-02 21:48 - 00457728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2014-11-22 03:19 - 2014-09-02 21:48 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpchttp.dll
2014-11-22 03:19 - 2014-09-02 21:22 - 00188928 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2014-11-22 03:19 - 2014-09-02 21:21 - 00623104 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2014-11-22 03:19 - 2014-09-02 21:21 - 00212992 _____ (Microsoft Corporation) C:\Windows\system32\dnsrslvr.dll
2014-11-22 03:19 - 2014-08-28 23:17 - 02043392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-11-22 03:19 - 2014-08-28 23:17 - 00227328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-11-22 03:19 - 2014-08-28 23:04 - 02837504 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2014-11-22 03:19 - 2014-08-28 23:04 - 00309248 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2014-11-22 03:19 - 2014-08-28 01:04 - 00499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FXSCOMEX.dll
2014-11-22 03:19 - 2014-08-28 01:04 - 00227840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FXSAPI.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00616448 _____ (Microsoft Corporation) C:\Windows\system32\FXSAPI.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00609280 _____ (Microsoft Corporation) C:\Windows\system32\FXSCOMEX.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00432640 _____ (Microsoft Corporation) C:\Windows\system32\FXSTIFF.dll
2014-11-22 03:19 - 2014-08-28 00:59 - 00254976 _____ (Microsoft Corporation) C:\Windows\system32\FXST30.dll
2014-11-22 03:19 - 2014-07-24 08:12 - 00328512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Classpnp.sys
2014-11-22 03:14 - 2014-10-18 03:44 - 00778240 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-22 03:14 - 2014-10-18 02:05 - 00567808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-22 03:04 - 2014-11-08 06:22 - 00238080 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-22 03:04 - 2014-11-08 06:21 - 00827904 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-22 03:04 - 2014-11-08 01:57 - 00187904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2014-11-22 03:04 - 2014-11-08 01:56 - 00666624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-22 03:04 - 2014-10-23 07:47 - 00079872 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-22 03:04 - 2014-10-23 06:04 - 00068096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-22 03:04 - 2014-10-11 03:35 - 00171840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-22 03:04 - 2014-10-11 02:45 - 10115072 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 03248640 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 00588288 _____ (Microsoft Corporation) C:\Windows\system32\SHCore.dll
2014-11-22 03:04 - 2014-10-11 02:44 - 00393216 _____ (Microsoft Corporation) C:\Windows\system32\msihnd.dll
2014-11-22 03:04 - 2014-10-11 02:43 - 02307072 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2014-11-22 03:04 - 2014-10-11 02:43 - 01281536 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-22 03:04 - 2014-10-11 00:58 - 08858624 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2014-11-22 03:04 - 2014-10-11 00:57 - 02416640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-11-22 03:04 - 2014-10-11 00:57 - 00452608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SHCore.dll
2014-11-22 03:04 - 2014-10-11 00:57 - 00295424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msihnd.dll
2014-11-22 03:04 - 2014-10-11 00:56 - 02037760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2014-11-22 03:04 - 2014-10-11 00:41 - 00713728 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-22 03:04 - 2014-10-11 00:41 - 00146944 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-22 03:04 - 2014-10-11 00:05 - 00146944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-22 03:04 - 2014-10-11 00:04 - 00713728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-22 03:04 - 2014-09-24 18:29 - 00318976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-22 03:04 - 2014-09-24 18:29 - 00072192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncryptsslp.dll
2014-11-22 03:04 - 2014-09-24 18:01 - 00414208 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-22 03:04 - 2014-09-24 18:01 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\ncryptsslp.dll
2014-11-22 03:04 - 2014-08-21 18:56 - 01418752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-22 03:04 - 2014-08-21 18:27 - 01845760 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-08 21:39 - 2014-09-02 16:41 - 00000008 __RSH () C:\ProgramData\ntuser.pol
2014-12-08 21:39 - 2014-07-03 18:01 - 00000000 ____D () C:\Users\Jose\AppData\Local\CrashDumps
2014-12-08 21:39 - 2012-07-26 02:21 - 00438478 _____ () C:\Windows\setupact.log
2014-12-08 21:38 - 2014-09-02 16:44 - 00001338 _____ () C:\Windows\Tasks\CW.job
2014-12-08 21:38 - 2012-07-26 02:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-08 14:20 - 2012-07-26 02:28 - 00848230 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-06 00:12 - 2014-07-31 07:12 - 00000300 _____ () C:\Windows\Tasks\Astromenda.job
2014-12-05 22:00 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\system32\sru
2014-12-05 21:20 - 2013-06-12 00:57 - 01455506 _____ () C:\Windows\WindowsUpdate.log
2014-12-02 01:22 - 2013-11-22 01:07 - 00000000 ____D () C:\Users\Jose\Documents\Bluetooth Folder
2014-12-01 00:05 - 2012-07-26 02:59 - 00000000 ____D () C:\Windows\CbsTemp
2014-11-25 01:47 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\rescache
2014-11-25 01:20 - 2013-05-13 01:40 - 00062640 _____ () C:\Windows\PFRO.log
2014-11-23 23:45 - 2012-07-26 03:12 - 00000000 ____D () C:\Windows\AUInstallAgent
2014-11-23 14:59 - 2014-10-23 09:48 - 00429976 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-23 14:24 - 2014-07-10 20:59 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ____D () C:\Program Files\Windows Defender
2014-11-23 14:24 - 2012-07-26 03:12 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2014-11-23 14:23 - 2012-07-26 03:12 - 00000000 ___RD () C:\Windows\ToastData
2014-11-22 03:22 - 2013-11-11 19:03 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-22 03:18 - 2013-11-11 19:03 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-21 01:43 - 2013-10-31 22:46 - 00000000 ____D () C:\Users\Jose
2014-11-20 15:56 - 2014-10-21 13:45 - 00713672 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-11-20 15:56 - 2014-10-21 13:45 - 00106440 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD, see Addition.txt for additional information.

==================== End Of Log ============================
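
The "Bamital & volsnap Check" block above is FRST verifying the Authenticode signatures of the binaries on the boot and logon path; that particular set is checked because file infectors such as Bamital (explorer.exe, winlogon.exe) and some ZeroAccess variants (services.exe) patch exactly those files. The script below is an added example, not part of the log, of FRST, or of any post in this thread. It re-runs an equivalent check from a clean boot environment (WinRE or a second machine) with the suspect volume mounted, which sidesteps both the group-policy blocks described in the opening post and any user-mode hooks on the infected install. The drive letters, the -SuspectRoot and -ReferenceRoot parameters and the optional known-good reference copy are assumptions for illustration.

```powershell
# Added example (not from the FRST log or any poster): re-check the same
# critical files FRST lists, from a clean boot with the suspect volume mounted.
# Assumptions: suspect Windows directory at D:\Windows; optional known-good
# Windows directory of the SAME build (clean machine / mounted install.wim)
# for hash comparison. Both are illustrative paths.
param(
    [string]$SuspectRoot   = 'D:\Windows',
    [string]$ReferenceRoot = ''           # empty = skip the hash comparison
)

# Same file set the FRST check reports on, relative to the Windows directory.
$CriticalFiles = @(
    'System32\winlogon.exe', 'System32\wininit.exe',
    'explorer.exe',          'SysWOW64\explorer.exe',
    'System32\svchost.exe',  'SysWOW64\svchost.exe',
    'System32\services.exe',
    'System32\user32.dll',   'SysWOW64\user32.dll',
    'System32\userinit.exe', 'SysWOW64\userinit.exe',
    'System32\rpcss.dll',
    'System32\drivers\volsnap.sys'
)

function Get-Sha256Hex([string]$Path) {
    # Uses the .NET class directly so it also works on Windows PowerShell 3.0
    # (Windows 8 RTM, which the log's 2012-07-26 timestamps match);
    # Get-FileHash only exists from PowerShell 4.0.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Clear() }
}

function Test-CriticalFile([string]$Relative) {
    $suspect = Join-Path $SuspectRoot $Relative
    $result  = [ordered]@{ File = $Relative; Exists = (Test-Path $suspect) }
    if (-not $result.Exists) { return New-Object PSObject -Property $result }

    # Authenticode check. Caveat: Windows system binaries are normally
    # catalog-signed, and Windows PowerShell releases that do not consult
    # security catalogs report them as NotSigned. Treat NotSigned as
    # inconclusive; a non-Microsoft signer or a hash mismatch against a
    # known-good copy is the real red flag.
    $sig = Get-AuthenticodeSignature -FilePath $suspect
    $result.SigStatus = $sig.Status
    $result.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $result.Version   = (Get-Item $suspect).VersionInfo.FileVersion
    $result.Sha256    = Get-Sha256Hex $suspect

    if ($ReferenceRoot) {
        $ref = Join-Path $ReferenceRoot $Relative
        if (Test-Path $ref) {
            $result.HashMatch = ($result.Sha256 -eq (Get-Sha256Hex $ref))
        } else {
            $result.HashMatch = 'no reference copy'
        }
    }
    New-Object PSObject -Property $result
}

$report = $CriticalFiles | ForEach-Object { Test-CriticalFile $_ }
$report | Format-Table -AutoSize

# Flag anything missing, signed by someone other than Microsoft, or
# differing from the reference copy.
$suspicious = $report | Where-Object {
    (-not $_.Exists) -or
    ($_.Signer -and $_.Signer -notmatch 'Microsoft') -or
    ($_.HashMatch -eq $false)
}
if ($suspicious) {
    'Needs attention:'
    $suspicious | Format-Table File, SigStatus, Signer, HashMatch -AutoSize
} else {
    'No signature or hash anomalies in the critical-file set.'
}
```

Run it from the recovery console or a clean machine, e.g. `.\Test-CriticalFiles.ps1 -SuspectRoot 'D:\Windows' -ReferenceRoot 'E:\Windows'` (script name and drive letters are placeholders). The reference copy must come from the same Windows build and patch level, otherwise every file shows a hash mismatch for innocent reasons; the Version column is there to spot that. Hashing on a clean boot is the more trustworthy half of the check: on the infected install itself a rootkit can feed the signature APIs a clean view of a patched file. The separate "Could not access BCD" line only means FRST could not read the boot configuration store; `bcdedit /enum all` from the recovery console lists the boot entries so they can be compared against a healthy install.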



#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:55 AM

Posted 08 December 2014 - 10:04 PM

So if I understand you correctly, you can change those restrictions so you have control until you reboot, then it goes back, correct?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!




