Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I think I have the COM Surrogate virus


  • This topic is locked This topic is locked
18 replies to this topic

#1 rs4221

rs4221

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 28 December 2014 - 10:30 PM

Thanks in advance for the help.

 

I am running Window 7, and based on Google searches, I believe that I have contracted the COM Surrogate virus.  While browsing, I received two notifications from Norton that intrusions had been blocked.  Immediately I noticed very high CPU and RAM usage.  I looked at Task Manager and saw suspicious activity from dvdupgrd.exe, napstat.exe, and "COM surrogate."  Subsequent Norton warnings mentioned "Magnitude Exploit Kit Website 2" and "Malicious File Download Request 27."  I have also noted applications DSD_3208 or DSD_3552 running - not sure what those are or if it's part of the problem.

 

I rebooted in Safe Mode and looked at Add/Remove Programs, and I didn't see anything suspicious added recently.  When I boot in Safe Mode with Networking, CPU usage is very high.  Without networking, CPU usage is low.

 

I ran your DDS utility in Safe Mode (no networking), and I hope that was right.  Here is dds.txt:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 MINIMAL

Internet Explorer: 11.0.9600.17496
Run by Ron at 21:49:22 on 2014-12-28
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7991.7183 [GMT -5:00]
.
AV: Norton Security Suite *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
SP: Norton Security Suite *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Security Suite *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mWinlogon: Userinit = userinit.exe
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\ips\ipsbho.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\coieplg.dll
uRun: [Safe PST Backup] "C:\Program Files (x86)\4Team Corporation\Safe PST Backup\SafePSTBackup.exe" /autostart
uRun: [AdobeBridge] <no file>
uRunOnce: [Adobe Speed Launcher] 1419814574
mRun: [ShwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe
mRun: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRun: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
mRun: [Cobian Backup 10 Interface] "C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe" -service
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
mRun: [Adobe Creative Cloud] "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
mRun: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LOGITE~1.LNK - C:\Program Files (x86)\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SPYDER~1.LNK - C:\Program Files (x86)\Datacolor\Spyder4Pro\Utility\SpyderUtility.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TIMEXD~1.LNK - C:\Program Files (x86)\Timex\Data Link USB\DataLinkLauncher.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - C:\Users\Ron\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: dell.com
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{7C153691-C8BC-40AB-BEBB-275ACCA2B1A3} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{F5BE0EC7-33A0-41A6-8F53-FD08156C2165} : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{F5BE0EC7-33A0-41A6-8F53-FD08156C2165}\84F4D454D234436354 : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - 
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {B17A6CEB-057D-47DE-9F7C-0BB3FDF30F4C} - C:\Windows\SysWOW64\msiexec.exe /fpu {5D844410-F6BD-4AB6-9A2F-C6CDEEC56822} /q
x64-BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\coieplg.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - 
x64-TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\coieplg.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [DellStage] "C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe" "C:\Program Files (x86)\Dell Stage\Dell Stage\start.umj" --startup
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - <orphaned>
x64-Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - <orphaned>
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: GoToAssist - C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Ron\AppData\Roaming\Mozilla\Firefox\Profiles\ycz1w53a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll
FF - plugin: C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2011-3-23 55856]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\1506000.020\symds64.sys [2014-9-30 493656]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\1506000.020\symefa64.sys [2014-9-30 1148120]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2011-3-23 56344]
S1 BHDrvx64;BHDrvx64;C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20141209.001\BHDrvx64.sys [2014-12-10 1587416]
S1 ccSet_N360;N360 Settings Manager;C:\Windows\System32\drivers\N360x64\1506000.020\ccsetx64.sys [2014-9-30 162392]
S1 IDSVia64;IDSVia64;C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20141226.001\IDSviA64.sys [2014-12-26 637656]
S1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\1506000.020\ironx64.sys [2014-9-30 266968]
S1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\System32\drivers\N360x64\1506000.020\symnets.sys [2014-9-30 593112]
S2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [2011-9-1 169624]
S2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe [2011-4-9 67584]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 CobianBackup10;Cobian Backup 10;C:\Program Files (x86)\Cobian Backup 10\cbService.exe [2011-4-9 1125376]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2013-6-28 14624]
S2 N360;Norton Security Suite;C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\n360.exe [2014-9-30 265040]
S2 PanService;PandoraService;C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe [2012-3-7 624856]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
S3 athur;Wireless Network Adapter Service;C:\Windows\System32\drivers\athurx.sys [2011-9-29 1847296]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2014-12-11 142640]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-12-11 114688]
S3 Impcd;Impcd;C:\Windows\System32\drivers\Impcd.sys [2011-3-23 158976]
S3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-3-23 271872]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2011-3-23 321064]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
S3 Spyder4;Datacolor Spyder4;C:\Windows\System32\drivers\dccmtr.sys [2011-7-12 15360]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-11-13 56832]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-3-31 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2014-12-29 00:54:43 -------- d-----w- C:\NPE
2014-12-29 00:47:23 -------- d-----w- C:\Users\Ron\AppData\Local\NPE
2014-12-25 02:54:16 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-12-25 02:54:16 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-12-12 00:48:20 -------- d-----w- C:\Windows\System32\appraiser
2014-12-12 00:38:23 3209728 ----a-w- C:\Windows\SysWow64\mf.dll
2014-12-12 00:38:22 4121600 ----a-w- C:\Windows\System32\mf.dll
2014-12-12 00:34:59 119296 ----a-w- C:\Windows\System32\drivers\tdx.sys
2014-12-12 00:34:57 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-12-12 00:34:57 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-12-12 00:33:33 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2014-12-12 00:33:33 2048 ----a-w- C:\Windows\System32\tzres.dll
2014-12-03 06:31:20 227048 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2014-12-12 01:04:23 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-12 01:04:23 701616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-12-04 02:50:55 413184 ----a-w- C:\Windows\System32\generaltel.dll
2014-12-04 02:50:45 741376 ----a-w- C:\Windows\System32\invagent.dll
2014-12-04 02:50:40 396800 ----a-w- C:\Windows\System32\devinv.dll
2014-12-04 02:50:38 830976 ----a-w- C:\Windows\System32\appraiser.dll
2014-12-04 02:50:37 227328 ----a-w- C:\Windows\System32\aepdu.dll
2014-12-04 02:50:37 192000 ----a-w- C:\Windows\System32\aepic.dll
2014-12-04 02:44:48 1083392 ----a-w- C:\Windows\System32\aeinv.dll
2014-12-01 23:28:44 1232040 ----a-w- C:\Windows\System32\aitstatic.exe
2014-11-22 03:06:23 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-11-22 03:06:11 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-11-22 02:50:39 66560 ----a-w- C:\Windows\System32\iesetup.dll
2014-11-22 02:50:10 580096 ----a-w- C:\Windows\System32\vbscript.dll
2014-11-22 02:49:54 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-11-22 02:48:20 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2014-11-22 02:35:29 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-11-22 02:34:51 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-11-22 02:34:07 6039552 ----a-w- C:\Windows\System32\jscript9.dll
2014-11-22 02:26:31 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-11-22 02:20:44 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-11-22 02:14:16 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-11-22 02:07:43 501248 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-11-22 02:07:17 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-11-22 02:06:32 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05:02 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2014-11-22 01:54:30 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-11-22 01:47:10 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-11-22 01:46:58 2125312 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-11-22 01:40:04 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26 4299264 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-11-22 01:28:21 2358272 ----a-w- C:\Windows\System32\wininet.dll
2014-11-22 01:22:49 2052096 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-11-22 01:21:57 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:00:20 1888256 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-11-11 03:08:52 241152 ----a-w- C:\Windows\System32\pku2u.dll
2014-11-11 03:08:48 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-11-11 02:44:32 186880 ----a-w- C:\Windows\SysWow64\pku2u.dll
2014-11-11 02:44:25 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-10-30 02:03:43 165888 ----a-w- C:\Windows\System32\charmap.exe
2014-10-30 01:45:43 155136 ----a-w- C:\Windows\SysWow64\charmap.exe
2014-10-25 01:57:59 77824 ----a-w- C:\Windows\System32\packager.dll
2014-10-25 01:32:37 67584 ----a-w- C:\Windows\SysWow64\packager.dll
2014-10-18 02:05:23 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2014-10-18 01:33:18 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2014-10-14 02:16:37 155064 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-10-14 02:13:06 683520 ----a-w- C:\Windows\System32\termsrv.dll
2014-10-14 02:13:00 3241984 ----a-w- C:\Windows\System32\msi.dll
2014-10-14 02:12:57 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-10-14 02:09:31 146432 ----a-w- C:\Windows\System32\msaudite.dll
2014-10-14 02:07:31 681984 ----a-w- C:\Windows\System32\adtschema.dll
2014-10-14 01:50:47 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-10-14 01:50:41 2363904 ----a-w- C:\Windows\SysWow64\msi.dll
2014-10-14 01:49:38 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-10-14 01:47:30 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2014-10-14 01:46:02 681984 ----a-w- C:\Windows\SysWow64\adtschema.dll
2014-10-10 00:57:42 3198976 ----a-w- C:\Windows\System32\win32k.sys
2014-10-03 02:12:23 310272 ----a-w- C:\Windows\System32\WsmWmiPl.dll
2014-10-03 02:12:23 2020352 ----a-w- C:\Windows\System32\WsmSvc.dll
2014-10-03 02:12:22 346624 ----a-w- C:\Windows\System32\WSManMigrationPlugin.dll
2014-10-03 02:12:22 181248 ----a-w- C:\Windows\System32\WsmAuto.dll
2014-10-03 02:12:00 500224 ----a-w- C:\Windows\System32\AUDIOKSE.dll
2014-10-03 02:11:54 284672 ----a-w- C:\Windows\System32\EncDump.dll
2014-10-03 02:11:51 680960 ----a-w- C:\Windows\System32\audiosrv.dll
2014-10-03 02:11:51 440832 ----a-w- C:\Windows\System32\AudioEng.dll
2014-10-03 02:11:51 296448 ----a-w- C:\Windows\System32\AudioSes.dll
2014-10-03 02:11:49 266240 ----a-w- C:\Windows\System32\WSManHTTPConfig.exe
2014-10-03 01:45:03 248832 ----a-w- C:\Windows\SysWow64\WSManMigrationPlugin.dll
2014-10-03 01:45:03 214016 ----a-w- C:\Windows\SysWow64\WsmWmiPl.dll
2014-10-03 01:45:03 145920 ----a-w- C:\Windows\SysWow64\WsmAuto.dll
2014-10-03 01:45:03 1177088 ----a-w- C:\Windows\SysWow64\WsmSvc.dll
2014-10-03 01:44:42 442880 ----a-w- C:\Windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44:26 374784 ----a-w- C:\Windows\SysWow64\AudioEng.dll
2014-10-03 01:44:26 195584 ----a-w- C:\Windows\SysWow64\AudioSes.dll
2014-10-03 01:44:25 198656 ----a-w- C:\Windows\SysWow64\WSManHTTPConfig.exe
2014-10-02 18:23:20 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2014-10-02 18:23:20 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
.
============= FINISH: 21:51:48.67 ===============
 

Attached Files



BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:43 AM

Posted 31 December 2014 - 12:04 AM

Hello and welcome.  Please follow these guidelines while we work on your PC:

  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I have given you the ìAll clear.î  Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

icon11.gif   Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 rs4221

rs4221
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 31 December 2014 - 08:15 AM

Hello.  I ran FRST64 after booting in safe mode (without networking).  Results are below and attached.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-12-2014

Ran by Ron (administrator) on RSM-DELL on 31-12-2014 08:05:37
Running from C:\Users\Ron\Desktop
Loaded Profile: Ron (Available profiles: Ron)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10060832 2010-02-08] (Realtek Semiconductor)
HKLM\...\Run: [DellStage] => C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe [1802472 2011-01-25] ()
HKLM\...\Run: [CanonMyPrinter] => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2184520 2009-03-23] (CANON INC.)
HKLM\...\Run: [CanonSolutionMenu] => C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-03-17] (CANON INC.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ShwiconXP9106] => C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe [237568 2010-01-27] (Alcor Micro Corp.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [RoxWatchTray] => C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] => C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [IJNetworkScanUtility] => C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [136544 2009-05-19] (CANON INC.)
HKLM-x32\...\Run: [Cobian Backup 10 Interface] => C:\Program Files (x86)\Cobian Backup 10\cbInterface.exe [3154432 2010-09-23] (Luis Cobian, CobianSoft)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-03] (Apple Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1075296 2013-04-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2691480 2014-03-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [2771832 2012-12-07] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-07-08] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] => "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\...\Run: [Safe PST Backup] => C:\Program Files (x86)\4Team Corporation\Safe PST Backup\SafePSTBackup.exe [3585712 2011-01-25] (4Team Corporation)
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [59720 2013-11-20] (Apple Inc.)
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\...\Run: [DuckCapture] => C:\Program Files (x86)\DuckLink\DuckCapture\DuckCapture.exe [436736 2011-11-03] (DuckLink Software)
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\...\Run: [DellSystemDetect] => C:\Users\Ron\AppData\Local\Apps\2.0\E7G6HXEN.862\CPVNBK6T.J8P\dell..tion_e30b47f5d4a30e9e_0005.000c_1df9a4898fae00de\DellSystemDetect.exe [264488 2014-11-19] (Dell)
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\...\RunOnce: [Adobe Speed Launcher] => 1419814574
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
ShortcutTarget: Logitech Desktop Messenger.lnk -> C:\Program Files (x86)\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe (Logitech)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SpyderUtility.lnk
ShortcutTarget: SpyderUtility.lnk -> C:\Program Files (x86)\Datacolor\Spyder4Pro\Utility\SpyderUtility.exe ( )
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Timex Data Link USB Launcher.lnk
ShortcutTarget: Timex Data Link USB Launcher.lnk -> C:\Program Files (x86)\Timex\Data Link USB\DataLinkLauncher.exe (Timex Corporation)
ShellIconOverlayIdentifiers: [OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
ShellIconOverlayIdentifiers: [OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\buShell.dll (Symantec Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
SearchScopes: HKLM -> DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3734994908-2327064252-3493726566-1000 -> {49606DC7-976D-4030-A74E-9FB5C842FA68} URL = 
SearchScopes: HKU\S-1-5-21-3734994908-2327064252-3493726566-1000 -> {66E60D30-A40A-4093-BEED-C137ABD0D0F4} URL = http://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
BHO-x32: Skype add-on for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Ron\AppData\Roaming\Mozilla\Firefox\Profiles\ycz1w53a.default
FF SelectedSearchEngine: Google
FF Homepage: hxxp://www.yahoo.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_246.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll (Adobe Systems)
FF SearchPlugin: C:\Users\Ron\AppData\Roaming\Mozilla\Firefox\Profiles\ycz1w53a.default\searchplugins\trovi-search.xml
FF Extension: Empty Cache Button - C:\Users\Ron\AppData\Roaming\Mozilla\Firefox\Profiles\ycz1w53a.default\Extensions\{4cc4a13b-94a6-7568-370d-5f9de54a9c7f} [2014-09-22]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_21.1.0.18\coFFPlgn [2014-12-28]
FF HKLM-x32\...\Firefox\Extensions: [{ACAA314B-EEBA-48e4-AD47-84E31C44796C}] - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff
FF Extension: DVDVideoSoft YouTube MP3 and Video Download - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff [2012-12-15]
 
Chrome: 
=======
CHR Profile: C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Docs) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-29]
CHR Extension: (Google Drive) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-29]
CHR Extension: (YouTube) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-29]
CHR Extension: (Google Search) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-29]
CHR Extension: (Norton Identity Protection) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk [2014-01-29]
CHR Extension: (Gmail) - C:\Users\Ron\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-29]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\Exts\Chrome.crx [2014-09-30]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\Exts\Chrome.crx [2014-09-30]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 AdobeActiveFileMonitor10.0; C:\Program Files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [169624 2011-09-01] (Adobe Systems Incorporated)
S2 cbVSCService; C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe [67584 2010-09-23] (CobianSoft, Luis Cobian) [File not signed]
S2 CobianBackup10; C:\Program Files (x86)\Cobian Backup 10\cbService.exe [1125376 2010-09-23] (Luis Cobian, CobianSoft) [File not signed]
S2 N360; C:\Program Files (x86)\Norton Security Suite\Engine\21.6.0.32\N360.exe [265040 2014-09-22] (Symantec Corporation)
S2 PanService; C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe [624856 2012-04-05] (Pandora.TV)
S2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-02-01] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2009-07-23] (Intuit Inc.) [File not signed]
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S1 BHDrvx64; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20141209.001\BHDrvx64.sys [1587416 2014-10-03] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1506000.020\ccSetx64.sys [162392 2013-09-25] (Symantec Corporation)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-12-11] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-12-11] (Symantec Corporation)
S1 IDSVia64; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20141226.001\IDSvia64.sys [637656 2014-11-17] (Symantec Corporation)
S3 NAVENG; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20141227.007\ENG64.SYS [129752 2014-12-26] (Symantec Corporation)
S3 NAVEX15; C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20141227.007\EX64.SYS [2137304 2014-12-26] (Symantec Corporation)
S3 Spyder4; C:\Windows\System32\DRIVERS\dccmtr.sys [15360 2011-06-02] (Datacolor)
S3 SRTSP; C:\Windows\System32\Drivers\N360x64\1506000.020\SRTSP64.SYS [876248 2014-08-25] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360x64\1506000.020\SRTSPX64.SYS [37592 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\N360x64\1506000.020\SYMDS64.SYS [493656 2013-09-09] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\N360x64\1506000.020\SYMEFA64.SYS [1148120 2014-08-25] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2013-11-26] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360x64\1506000.020\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
S1 SymNetS; C:\Windows\System32\Drivers\N360x64\1506000.020\SYMNETS.SYS [593112 2014-08-25] (Symantec Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-31 08:05 - 2014-12-31 08:06 - 00020591 _____ () C:\Users\Ron\Desktop\FRST.txt
2014-12-31 08:05 - 2014-12-31 08:05 - 00000000 ____D () C:\FRST
2014-12-31 08:04 - 2014-12-28 10:13 - 02123264 _____ (Farbar) C:\Users\Ron\Desktop\FRST64.exe
2014-12-28 21:56 - 2014-12-28 21:56 - 00005821 _____ () C:\Users\Ron\Desktop\attach.zip
2014-12-28 21:51 - 2014-12-28 21:51 - 00022162 _____ () C:\Users\Ron\Desktop\attach.txt
2014-12-28 21:51 - 2014-12-28 21:51 - 00021372 _____ () C:\Users\Ron\Desktop\dds.txt
2014-12-28 21:47 - 2012-11-19 19:43 - 00688992 ____R (Swearware) C:\Users\Ron\Desktop\dds.com
2014-12-28 19:54 - 2014-12-28 19:55 - 00000000 ____D () C:\NPE
2014-12-28 19:47 - 2014-12-28 20:15 - 00000000 ____D () C:\Users\Ron\AppData\Local\NPE
2014-12-28 19:45 - 2014-09-19 12:49 - 03060320 ____N (Symantec Corporation) C:\Users\Ron\Desktop\NPE.exe
2014-12-28 19:45 - 2014-06-25 12:17 - 01022080 _____ (Symantec Corporation) C:\Users\Ron\Desktop\NBRT-Retail-Downloader.exe
2014-12-27 11:22 - 2014-12-27 11:23 - 00000000 ____D () C:\Users\Ron\Documents\Shopping
2014-12-24 21:54 - 2014-12-13 00:09 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-12-24 21:54 - 2014-12-12 22:33 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-12-24 11:03 - 2014-12-28 17:49 - 00528924 _____ () C:\Users\Ron\Desktop\txlibraries.xlsx
2014-12-11 19:48 - 2014-12-11 19:48 - 00000000 ____D () C:\Windows\system32\appraiser
2014-12-11 19:38 - 2014-10-17 21:05 - 04121600 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2014-12-11 19:38 - 2014-10-17 20:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll
2014-12-11 19:35 - 2014-12-03 21:50 - 00830976 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2014-12-11 19:35 - 2014-12-03 21:50 - 00741376 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2014-12-11 19:35 - 2014-12-03 21:50 - 00413184 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-12-11 19:35 - 2014-12-03 21:50 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2014-12-11 19:35 - 2014-12-03 21:50 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-12-11 19:35 - 2014-12-03 21:50 - 00192000 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2014-12-11 19:35 - 2014-12-03 21:44 - 01083392 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-12-11 19:35 - 2014-12-01 18:28 - 01232040 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2014-12-11 19:35 - 2014-11-26 20:43 - 00389296 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-12-11 19:35 - 2014-11-26 20:10 - 00342200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-12-11 19:35 - 2014-11-21 22:13 - 25059840 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-12-11 19:35 - 2014-11-21 22:06 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-12-11 19:35 - 2014-11-21 22:06 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-12-11 19:35 - 2014-11-21 21:50 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-12-11 19:35 - 2014-11-21 21:50 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-12-11 19:35 - 2014-11-21 21:49 - 02885120 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-12-11 19:35 - 2014-11-21 21:49 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-12-11 19:35 - 2014-11-21 21:48 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-12-11 19:35 - 2014-11-21 21:41 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-12-11 19:35 - 2014-11-21 21:40 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-12-11 19:35 - 2014-11-21 21:37 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-12-11 19:35 - 2014-11-21 21:35 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-12-11 19:35 - 2014-11-21 21:34 - 06039552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-12-11 19:35 - 2014-11-21 21:34 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-12-11 19:35 - 2014-11-21 21:26 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-12-11 19:35 - 2014-11-21 21:22 - 19749376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-12-11 19:35 - 2014-11-21 21:22 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-12-11 19:35 - 2014-11-21 21:20 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-12-11 19:35 - 2014-11-21 21:14 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-12-11 19:35 - 2014-11-21 21:09 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-12-11 19:35 - 2014-11-21 21:08 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-12-11 19:35 - 2014-11-21 21:07 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-12-11 19:35 - 2014-11-21 21:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-12-11 19:35 - 2014-11-21 21:06 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-12-11 19:35 - 2014-11-21 21:05 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-12-11 19:35 - 2014-11-21 21:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-12-11 19:35 - 2014-11-21 21:01 - 02277888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-12-11 19:35 - 2014-11-21 20:59 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-12-11 19:35 - 2014-11-21 20:58 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-12-11 19:35 - 2014-11-21 20:56 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-12-11 19:35 - 2014-11-21 20:54 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-12-11 19:35 - 2014-11-21 20:49 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-12-11 19:35 - 2014-11-21 20:49 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-12-11 19:35 - 2014-11-21 20:47 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-12-11 19:35 - 2014-11-21 20:46 - 02125312 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-12-11 19:35 - 2014-11-21 20:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-12-11 19:35 - 2014-11-21 20:43 - 14412800 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-12-11 19:35 - 2014-11-21 20:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-12-11 19:35 - 2014-11-21 20:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-12-11 19:35 - 2014-11-21 20:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-12-11 19:35 - 2014-11-21 20:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-12-11 19:35 - 2014-11-21 20:29 - 04299264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-12-11 19:35 - 2014-11-21 20:28 - 02358272 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-12-11 19:35 - 2014-11-21 20:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-12-11 19:35 - 2014-11-21 20:22 - 02052096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-12-11 19:35 - 2014-11-21 20:21 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-12-11 19:35 - 2014-11-21 20:15 - 01548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-12-11 19:35 - 2014-11-21 20:13 - 12836864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-12-11 19:35 - 2014-11-21 20:03 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-12-11 19:35 - 2014-11-21 20:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-12-11 19:35 - 2014-11-21 19:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-12-11 19:35 - 2014-11-21 19:54 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-12-11 19:35 - 2014-10-29 21:03 - 00165888 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe
2014-12-11 19:35 - 2014-10-29 20:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\charmap.exe
2014-12-11 19:35 - 2014-10-02 21:12 - 02020352 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2014-12-11 19:35 - 2014-10-02 21:12 - 00346624 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll
2014-12-11 19:35 - 2014-10-02 21:12 - 00310272 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2014-12-11 19:35 - 2014-10-02 21:12 - 00181248 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2014-12-11 19:35 - 2014-10-02 21:11 - 00266240 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe
2014-12-11 19:35 - 2014-10-02 20:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll
2014-12-11 19:35 - 2014-10-02 20:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManMigrationPlugin.dll
2014-12-11 19:35 - 2014-10-02 20:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll
2014-12-11 19:35 - 2014-10-02 20:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll
2014-12-11 19:35 - 2014-10-02 20:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WSManHTTPConfig.exe
2014-12-11 19:34 - 2014-11-10 22:09 - 01424384 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2014-12-11 19:34 - 2014-11-10 21:44 - 01230336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2014-12-11 19:34 - 2014-11-10 20:46 - 00119296 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2014-12-11 19:33 - 2014-11-07 22:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-12-11 19:33 - 2014-11-07 21:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-12-09 10:26 - 2014-12-09 10:26 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-12-28 21:47 - 2009-07-14 00:13 - 00800010 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-28 20:28 - 2011-04-01 09:16 - 00000000 ____D () C:\ProgramData\Norton
2014-12-28 20:28 - 2009-07-14 00:10 - 01598768 _____ () C:\Windows\WindowsUpdate.log
2014-12-28 20:19 - 2011-04-01 09:16 - 00000000 ____D () C:\Users\Public\Downloads\Norton
2014-12-28 20:18 - 2011-04-01 20:53 - 00000000 ____D () C:\Users\Ron\Documents\Outlook Files
2014-12-28 20:06 - 2009-07-13 23:45 - 00022464 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-28 20:06 - 2009-07-13 23:45 - 00022464 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-28 19:55 - 2011-04-09 20:07 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-12-28 19:54 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-28 19:54 - 2009-07-13 23:51 - 00055286 _____ () C:\Windows\setupact.log
2014-12-28 18:19 - 2012-02-24 13:53 - 00000000 ____D () C:\Users\Ron\AppData\Local\CrashDumps
2014-12-28 17:51 - 2011-04-09 20:07 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-28 17:32 - 2012-04-09 12:36 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-28 11:51 - 2013-05-22 10:13 - 00003440 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2014-12-28 07:32 - 2011-04-01 09:39 - 00000000 ____D () C:\Users\Ron\AppData\Local\Adobe
2014-12-27 13:06 - 2011-04-01 21:34 - 00000000 ____D () C:\Users\Ron\Documents\Computer
2014-12-27 13:01 - 2011-04-01 21:33 - 00000000 ____D () C:\Users\Ron\Documents\Volleyball
2014-12-27 11:28 - 2011-04-01 21:33 - 00000000 ____D () C:\Users\Ron\Documents\Travel
2014-12-27 11:24 - 2011-04-01 21:35 - 00000000 ____D () C:\Users\Ron\Documents\Timex
2014-12-26 16:54 - 2011-04-01 21:34 - 00000000 ____D () C:\Users\Ron\Documents\Financial
2014-12-26 13:16 - 2011-03-23 07:38 - 01600192 _____ () C:\Windows\PFRO.log
2014-12-24 19:05 - 2011-04-01 18:14 - 00000000 ____D () C:\Users\Ron\Documents\Quicken
2014-12-24 12:05 - 2011-04-01 21:33 - 00028160 _____ () C:\Users\Ron\Documents\Christmas Cards.xls
2014-12-24 08:45 - 2011-04-01 13:31 - 00000000 ____D () C:\Program Files (x86)\Microsoft Streets & Trips 2010
2014-12-13 15:52 - 2011-04-15 20:36 - 00000000 ____D () C:\Users\Ron\AppData\Roaming\ZoomBrowser EX
2014-12-13 15:51 - 2011-04-15 20:35 - 00000000 ____D () C:\Users\Ron\AppData\Roaming\CameraWindowDC
2014-12-13 10:09 - 2011-03-23 06:10 - 00000000 ____D () C:\ProgramData\Sonic
2014-12-12 00:08 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-12-11 20:04 - 2012-04-09 12:36 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-11 20:04 - 2012-04-09 12:36 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-11 20:04 - 2011-10-19 10:04 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-11 19:50 - 2012-09-18 12:30 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-12-11 19:48 - 2014-04-25 21:19 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-12-11 19:48 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-12-11 19:48 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\AppCompat
2014-12-11 19:44 - 2011-04-01 08:42 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-12-11 19:43 - 2013-07-11 05:52 - 00000000 ____D () C:\Windows\system32\MRT
2014-12-11 19:39 - 2011-03-31 18:21 - 112710672 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-12-10 16:54 - 2014-10-15 13:26 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
 
Some content of TEMP:
====================
C:\Users\Ron\AppData\Local\Temp\mny706.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-12-25 00:15
 
==================== End Of Log ============================

Attached Files



#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:43 AM

Posted 31 December 2014 - 10:56 AM

Please do this next:

icon11.gif   Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
C:\Users\Ron\AppData\Local\Temp\mny706.exe
CustomCLSID: HKU\S-1-5-21-3734994908-2327064252-3493726566-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\Software\Classes\.exe:  =>  <===== ATTENTION!
EmptyTemp:
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 rs4221

rs4221
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 31 December 2014 - 11:53 AM

FRST requested a restart after executing.  I did not do that yet.  Here is Fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-12-2014

Ran by Ron at 2014-12-31 11:37:20 Run:1
Running from C:\Users\Ron\Desktop
Loaded Profile: Ron (Available profiles: Ron)
Boot Mode: Safe Mode (minimal)
==============================================
 
Content of fixlist:
*****************
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
C:\Users\Ron\AppData\Local\Temp\mny706.exe
CustomCLSID: HKU\S-1-5-21-3734994908-2327064252-3493726566-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\Software\Classes\.exe:  =>  <===== ATTENTION!
EmptyTemp:
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
C:\Users\Ron\AppData\Local\Temp\mny706.exe => Moved successfully.
HKU\S-1-5-21-3734994908-2327064252-3493726566-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found. 
"HKU\S-1-5-21-3734994908-2327064252-3493726566-1000\Software\Classes\.exe" => Key deleted successfully.
EmptyTemp: => Removed 33.7 GB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 11:46:00 ====


#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:43 AM

Posted 31 December 2014 - 12:28 PM

Please do this next:

icon11.gif  Download Combofix from HERE, and save it to your desktop.  

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back.  Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion" rebooting your computer will resolve the problem.

Please include the following in your next post:
  • ComboFix log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#7 rs4221

rs4221
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 31 December 2014 - 12:58 PM

Sorry, I'm having trouble.  I booted in safe mode with networking, and I downloaded ComboFix.  I didn't think that Norton was running because I didn't see it in the task bar.  When I ran ComboFix, it warned me that Norton Security Suite is indeed running, and I was told to disable it before clicking OK.  Again, I don't see any sign of it in the task bar so I don't know how to disable it.  I tried launching the user interface via shortcut and the Start button, and I just get a dialog box that says:  "Would you like to do a system scan?"  When I click No, it just closes, and that's the end.  Not sure how to proceed.



#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:43 AM

Posted 31 December 2014 - 01:54 PM

If you are in the safe mode Norton is not loaded and it is OK to ignore those warnings and let ComboFix run.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 rs4221

rs4221
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 31 December 2014 - 03:54 PM

OK, here is ComboFix.txt:

 

ComboFix 14-12-30.01 - Ron 12/31/2014  15:36:07.1.4 - x64 NETWORK

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.7991.5618 [GMT -5:00]
Running from: c:\users\Ron\Desktop\ComboFix.exe
AV: Norton Security Suite *Enabled/Updated* {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
FW: Norton Security Suite *Enabled* {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
SP: Norton Security Suite *Enabled/Updated* {631E4324-D31C-783F-EC5C-35AD42B18466}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\6426\AddOnDownloaded\0124e21d-018c-4ce0-92a3-b9e205a76bc0.dll
c:\programdata\PCDr\6426\AddOnDownloaded\ee4747a4-1d1b-42c1-8a8c-1de04bbb2379.dll
c:\users\Ron\AppData\Roaming\Mozilla\Firefox\Profiles\ycz1w53a.default\searchplugins\trovi-search.xml
c:\windows\msdownld.tmp
c:\windows\RPSETUP.EXE.LOG
c:\windows\SysWow64\bszip.dll
I:\Autorun.inf
J:\Autorun.inf
.
.
(((((((((((((((((((((((((   Files Created from 2014-11-28 to 2014-12-31  )))))))))))))))))))))))))))))))
.
.
2014-12-31 20:44 . 2014-12-31 20:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-12-31 13:05 . 2014-12-31 16:46 -------- d-----w- C:\FRST
2014-12-29 00:54 . 2014-12-29 00:55 -------- d-----w- C:\NPE
2014-12-29 00:47 . 2014-12-29 01:15 -------- d-----w- c:\users\Ron\AppData\Local\NPE
2014-12-25 02:54 . 2014-12-13 05:09 144384 ----a-w- c:\windows\system32\ieUnatt.exe
2014-12-25 02:54 . 2014-12-13 03:33 115712 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-12-12 00:48 . 2014-12-12 00:48 -------- d-----w- c:\windows\system32\appraiser
2014-12-12 00:38 . 2014-10-18 01:33 3209728 ----a-w- c:\windows\SysWow64\mf.dll
2014-12-12 00:38 . 2014-10-18 02:05 4121600 ----a-w- c:\windows\system32\mf.dll
2014-12-12 00:34 . 2014-11-11 01:46 119296 ----a-w- c:\windows\system32\drivers\tdx.sys
2014-12-12 00:34 . 2014-11-11 03:09 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-12-12 00:34 . 2014-11-11 02:44 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2014-12-12 00:33 . 2014-11-08 03:16 2048 ----a-w- c:\windows\system32\tzres.dll
2014-12-12 00:33 . 2014-11-08 02:45 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-12-03 06:31 . 2014-12-03 06:31 227048 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-12 01:04 . 2012-04-09 17:36 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-12-12 01:04 . 2011-10-19 15:04 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-12 00:39 . 2011-03-31 23:21 112710672 ----a-w- c:\windows\system32\MRT.exe
2014-11-11 03:08 . 2014-11-20 12:45 241152 ----a-w- c:\windows\system32\pku2u.dll
2014-11-11 03:08 . 2014-11-20 12:45 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-11-11 02:44 . 2014-11-20 12:45 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
2014-11-11 02:44 . 2014-11-20 12:45 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-10-25 01:57 . 2014-11-13 01:22 77824 ----a-w- c:\windows\system32\packager.dll
2014-10-25 01:32 . 2014-11-13 01:22 67584 ----a-w- c:\windows\SysWow64\packager.dll
2014-10-18 02:05 . 2014-11-13 01:20 861696 ----a-w- c:\windows\system32\oleaut32.dll
2014-10-18 01:33 . 2014-11-13 01:20 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2014-10-14 02:16 . 2014-11-15 13:03 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 02:13 . 2014-11-15 13:03 683520 ----a-w- c:\windows\system32\termsrv.dll
2014-10-14 02:13 . 2014-11-15 13:00 3241984 ----a-w- c:\windows\system32\msi.dll
2014-10-14 02:12 . 2014-11-15 13:03 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-10-14 02:09 . 2014-11-15 13:03 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-10-14 02:07 . 2014-11-15 13:03 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-10-14 01:50 . 2014-11-15 13:03 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-10-14 01:50 . 2014-11-15 13:00 2363904 ----a-w- c:\windows\SysWow64\msi.dll
2014-10-14 01:49 . 2014-11-15 13:03 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-10-14 01:47 . 2014-11-15 13:03 146432 ----a-w- c:\windows\SysWow64\msaudite.dll
2014-10-14 01:46 . 2014-11-15 13:03 681984 ----a-w- c:\windows\SysWow64\adtschema.dll
2014-10-10 00:57 . 2014-11-13 01:20 3198976 ----a-w- c:\windows\system32\win32k.sys
2014-10-03 02:12 . 2014-11-13 01:22 500224 ----a-w- c:\windows\system32\AUDIOKSE.dll
2014-10-03 02:11 . 2014-11-13 01:22 284672 ----a-w- c:\windows\system32\EncDump.dll
2014-10-03 02:11 . 2014-11-13 01:22 680960 ----a-w- c:\windows\system32\audiosrv.dll
2014-10-03 02:11 . 2014-11-13 01:22 440832 ----a-w- c:\windows\system32\AudioEng.dll
2014-10-03 02:11 . 2014-11-13 01:22 296448 ----a-w- c:\windows\system32\AudioSes.dll
2014-10-03 01:44 . 2014-11-13 01:22 442880 ----a-w- c:\windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44 . 2014-11-13 01:22 374784 ----a-w- c:\windows\SysWow64\AudioEng.dll
2014-10-03 01:44 . 2014-11-13 01:22 195584 ----a-w- c:\windows\SysWow64\AudioSes.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Safe PST Backup"="c:\program files (x86)\4Team Corporation\Safe PST Backup\SafePSTBackup.exe" [2011-01-25 3585712]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-11-20 59720]
"DuckCapture"="c:\program files (x86)\DuckLink\DuckCapture\DuckCapture.exe" [2011-11-04 436736]
"DellSystemDetect"="c:\users\Ron\AppData\Local\Apps\2.0\E7G6HXEN.862\CPVNBK6T.J8P\dell..tion_e30b47f5d4a30e9e_0005.000c_1df9a4898fae00de\DellSystemDetect.exe" [2014-11-19 264488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ShwiconXP9106"="c:\program files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe" [2010-01-27 237568]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"Cobian Backup 10 Interface"="c:\program files (x86)\Cobian Backup 10\cbInterface.exe" [2010-09-23 3154432]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-07-03 43816]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2013-04-25 1075296]
"Adobe Creative Cloud"="c:\program files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" [2014-03-21 2691480]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-12-07 2771832]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-07-08 152392]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-11-20 1021128]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-10-02 421888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files (x86)\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start [2011-4-3 169472]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2013-2-1 1155912]
SpyderUtility.lnk - c:\program files (x86)\Datacolor\Spyder4Pro\Utility\SpyderUtility.exe [2012-2-8 8241767]
Timex Data Link USB Launcher.lnk - c:\program files (x86)\Timex\Data Link USB\DataLinkLauncher.exe [2011-4-3 40960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R1 BHDrvx64;BHDrvx64;c:\program files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20141209.001\BHDrvx64.sys;c:\program files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20141209.001\BHDrvx64.sys [x]
R1 ccSet_N360;N360 Settings Manager;c:\windows\system32\drivers\N360x64\1506000.020\ccSetx64.sys;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\ccSetx64.sys [x]
R1 IDSVia64;IDSVia64;c:\program files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20141226.001\IDSvia64.sys;c:\program files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20141226.001\IDSvia64.sys [x]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\1506000.020\Ironx64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\Ironx64.SYS [x]
R1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\N360x64\1506000.020\SYMNETS.SYS;c:\windows\SYSNATIVE\Drivers\N360x64\1506000.020\SYMNETS.SYS [x]
R2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [x]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files (x86)\Cobian Backup 10\cbVSCService.exe;c:\program files (x86)\Cobian Backup 10\cbVSCService.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 CobianBackup10;Cobian Backup 10;c:\program files (x86)\Cobian Backup 10\cbService.exe;c:\program files (x86)\Cobian Backup 10\cbService.exe [x]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
R2 N360;Norton Security Suite;c:\program files (x86)\Norton Security Suite\Engine\21.6.0.32\N360.exe;c:\program files (x86)\Norton Security Suite\Engine\21.6.0.32\N360.exe [x]
R2 PanService;PandoraService;c:\program files (x86)\PANDORA.TV\PanService\PandoraService.exe;c:\program files (x86)\PANDORA.TV\PanService\PandoraService.exe [x]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
R3 Spyder4;Datacolor Spyder4;c:\windows\system32\DRIVERS\dccmtr.sys;c:\windows\SYSNATIVE\DRIVERS\dccmtr.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\1506000.020\SYMDS64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\1506000.020\SYMEFA64.SYS;c:\windows\SYSNATIVE\drivers\N360x64\1506000.020\SYMEFA64.SYS [x]
S3 athur;Wireless Network Adapter Service;c:\windows\system32\DRIVERS\athurx.sys;c:\windows\SYSNATIVE\DRIVERS\athurx.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{B17A6CEB-057D-47DE-9F7C-0BB3FDF30F4C}]
2010-11-20 12:17 73216 ----a-w- c:\windows\SysWOW64\msiexec.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 01:04]
.
2014-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-10 16:36]
.
2014-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-04-10 16:36]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-09 10060832]
"DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-01-25 1802472]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 2184520]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 392984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 417560]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2014-02-28 558496]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Free YouTube to MP3 Converter - c:\users\Ron\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: dell.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Ron\AppData\Roaming\Mozilla\Firefox\Profiles\ycz1w53a.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKLM-RunOnce-c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe - c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
AddRemove-Uninstall_is1 - c:\program files (x86)\Common Files\DVDVideoSoft\unins000.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton Security Suite\Engine\21.6.0.32\N360.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton Security Suite\Engine\21.6.0.32\diMaster.dll\" /prefetch:1"
"ImagePath"="\SystemRoot\System32\Drivers\N360x64\1506000.020\SYMNETS.SYS"
"TrustedImagePaths"="c:\program files (x86)\Norton Security Suite\Engine\21.6.0.32;c:\program files (x86)\Norton Security Suite\Engine64\21.6.0.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-31  15:46:52
ComboFix-quarantined-files.txt  2014-12-31 20:46
.
Pre-Run: 494,781,792,256 bytes free
Post-Run: 494,375,870,464 bytes free
.
- - End Of File - - CA9E2DB65C8CB6A88D36B4706A1635B5
CDB4DE4BBD714F152979DA2DCBEF57EB


#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:43 AM

Posted 31 December 2014 - 04:42 PM

Thanks.  Please do this next:

icon11.gif  Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.x.x.xxxx.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

icon11.gif   Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

Please include the following in your next post:
  • MBAM log
  • adwCleaner log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#11 rs4221

rs4221
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 31 December 2014 - 06:11 PM

OK, I think I got this to work, but I'll mention a few issues I've noticed.  I was unable to download files in IE11 - I get a dialog box that says my security settings don't allow me download, I think - so I used Firefox instead, which worked.  After doing a normal boot, I tried to run adwCleaner.  I got a license screen, and I accepted, but then it just disappeared.  I launched it again, but didn't see anything.  I saw associated processes in Task Manager, but no application.  I did see DSD_3208 running, but I don't know what that is - Dell System Detect maybe?  Anyway, I rebooted in Safe Mode with networking and was able to run adwCleaner.  It identified one item (Pandora), but I took no action on it.  Here are the two logs:

 

Malwarebytes Anti-Malware

www.malwarebytes.org
 
Scan Date: 12/31/2014
Scan Time: 4:57:18 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2014.12.31.05
Rootkit Database: v2014.12.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Ron
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 388155
Time Elapsed: 7 min, 49 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
PUP.Optional.SearchProtect.A, HKU\S-1-5-21-3734994908-2327064252-3493726566-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}, Quarantined, [70f1a0c98eeed95d7b9bc31bbb474db3], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 2
PUP.Optional.OpenCandy, C:\Users\Ron\AppData\Roaming\OpenCandy, Quarantined, [ec75e28783f9fe38c37de64528db9769], 
PUP.Optional.OpenCandy, C:\Users\Ron\AppData\Roaming\OpenCandy\18A314A294D74CC59462F716F7ED44FB, Quarantined, [ec75e28783f9fe38c37de64528db9769], 
 
Files: 1
PUP.Optional.OpenCandy, C:\Users\Ron\Downloads\KMPlayer_EN_3.1.0.0_R2.exe, Quarantined, [e67b4722b9c394a282286347b55035cb], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
---
 
# AdwCleaner v4.106 - Report created 31/12/2014 at 17:48:55
# Updated 21/12/2014 by Xplode
# Database : 2014-12-30.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Ron - RSM-DELL
# Running from : C:\Users\Ron\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
Service Found : PanService
 
***** [ Files / Folders ] *****
 
Folder Found : C:\Program Files (x86)\Common Files\DVDVideoSoft\TB
Folder Found : C:\Program Files (x86)\NCH Software
Folder Found : C:\Program Files (x86)\PANDORA.TV
Folder Found : C:\ProgramData\NCH Software
Folder Found : C:\Users\Ron\AppData\Roaming\dvdvideosoftiehelpers
Folder Found : C:\Users\Ron\AppData\Roaming\NCH Software
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\delta.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\timeshighereducation.co.uk
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\websearch.about.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.ask.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.delta.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.timeshighereducation.co.uk
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4476B401-61AB-45F6-B851-B2E06B4A5E54}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4CB6A1BF-F717-465A-82CD-4F5A6FFA7BCA}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6479AC05-5444-4CCE-A0F9-5325C8C7BFA7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{72EF0088-0831-47A0-9CA5-BB3B8390FEE3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7F0AFE92-5E08-4FC5-800C-618FD23786A7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F09C36C5-D66B-44B2-BA4E-4072A7BF9608}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FE2B4A74-8565-45DA-BE11-C4B46B366891}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.1
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{6479AC05-5444-4CCE-A0F9-5325C8C7BFA7}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{F09C36C5-D66B-44B2-BA4E-4072A7BF9608}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{ACAA314B-EEBA-48E4-AD47-84E31C44796C}]
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Mozilla Firefox v34.0.5 (x86 en-US)
 
 
-\\ Google Chrome v
 
 
*************************
 
AdwCleaner[R0].txt - [4768 octets] - [31/12/2014 17:48:55]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [4828 octets] ##########


#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:43 AM

Posted 31 December 2014 - 06:49 PM

icon11.gif  Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.  Please go to www.java.com and press the "Free Java Download" button near the center of the page.  Follow the prompts to install the latest version and remove any older, insecure versions.

icon11.gif  Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
    <-Uncheck any lines related to software you wish to keep->
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

icon11.gif  Go here to run an online scannner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.

Please include the following in your next post:
  • How is the computer running now?
  • adwCleaner log
  • ESET log


Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#13 rs4221

rs4221
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 01 January 2015 - 01:24 PM

How is the computer running?  Although I haven't done much with it, it's certainly better in that I don't see heavy CPU or RAM usage.  I've encountered several issues along the way:

 
1) As mentioned previously, I can't download a file through IE. I get a message box that says: "Your current security settings do not allow this file to be downloaded."  So I've been using FireFox instead.
 
2) I updated Java per your instructions, but I had Java disabled previously because I read somewhere about vulnerabilities.  I have now enabled Java.
 
3) I believe this DSD_#### application that I keep seeing is Dell System Detect.  I'm inclined to uninstall it, but I'll wait for your guidance on that.
 
4) When I clicked the Clean button in AdwCleaner and it got to the step of closing programs programs, it crashed twice, with the message:  "Aut2Exe has stopped working."  I eventually ran it again after that message and got it to work.
 
5) The last time I started IE, I got a message that said:  "An unknown program would like to change your default search to Bing."
 
6) When I tried to run the online scanner from ESET out of IE, I got a message that said:  "The add-on for this website failed to run."  I instead downloaded the installation program through FireFox, and used that instead.
 
Here are the AdwCleaner and ESET logs:
 
# AdwCleaner v4.106 - Report created 31/12/2014 at 19:51:41
# Updated 21/12/2014 by Xplode
# Database : 2014-12-30.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Ron - RSM-DELL
# Running from : C:\Users\Ron\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
[#] Service Deleted : PanService
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\NCH Software
Folder Deleted : C:\Program Files (x86)\NCH Software
Folder Deleted : C:\Program Files (x86)\PANDORA.TV
Folder Deleted : C:\Program Files (x86)\Common Files\DVDVideoSoft\TB
Folder Deleted : C:\Users\Ron\AppData\Roaming\dvdvideosoftiehelpers
Folder Deleted : C:\Users\Ron\AppData\Roaming\NCH Software
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{ACAA314B-EEBA-48E4-AD47-84E31C44796C}]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{065C1A21-97F8-45FB-A9F0-861B60FACEC8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3204358F-5904-46A6-841F-D6B5BE3EF4E3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3AE67737-0E3E-44AA-AA5E-46A68BF017FF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3EE5B726-044A-48D2-AA7B-049BD9A0F62A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4476B401-61AB-45F6-B851-B2E06B4A5E54}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4CB6A1BF-F717-465A-82CD-4F5A6FFA7BCA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60FBBE03-57FF-49D8-B38E-053D3F489825}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6479AC05-5444-4CCE-A0F9-5325C8C7BFA7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6A5182F1-C0B8-42B8-96CC-7F329CD46913}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C153418-8E4D-4FAF-AF27-5201E38463A7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{72EF0088-0831-47A0-9CA5-BB3B8390FEE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7F0AFE92-5E08-4FC5-800C-618FD23786A7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A26A2F05-AC4D-4A1E-9531-9125F7309B78}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5D6240-7DF0-435D-9B9B-F8586A99DE86}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F09C36C5-D66B-44B2-BA4E-4072A7BF9608}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F343045E-E20A-46E1-82D8-9962C43EFC9E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FBB360DC-CB6C-4D6A-808A-2C773151BFFF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE2B4A74-8565-45DA-BE11-C4B46B366891}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFD7DDAC-EC28-42A5-8D39-917B9078604B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{6479AC05-5444-4CCE-A0F9-5325C8C7BFA7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{F09C36C5-D66B-44B2-BA4E-4072A7BF9608}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.1
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\delta.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\timeshighereducation.co.uk
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\websearch.about.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.delta.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.timeshighereducation.co.uk
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Mozilla Firefox v34.0.5 (x86 en-US)
 
 
-\\ Google Chrome v
 
 
*************************
 
AdwCleaner[R0].txt - [4932 octets] - [31/12/2014 17:48:55]
AdwCleaner[R1].txt - [4992 octets] - [31/12/2014 19:39:36]
AdwCleaner[R2].txt - [5111 octets] - [31/12/2014 19:46:31]
AdwCleaner[R3].txt - [5230 octets] - [31/12/2014 19:50:42]
AdwCleaner[S0].txt - [328 octets] - [31/12/2014 19:41:00]
AdwCleaner[S1].txt - [328 octets] - [31/12/2014 19:49:52]
AdwCleaner[S2].txt - [5145 octets] - [31/12/2014 19:51:41]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [5205 octets] ##########
 
 
 
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Common Files\DVDVideoSoft\TB\ConduitInstaller.exe.vir Win32/Toolbar.Conduit potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\Switch\switch.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\Switch\switchsetup_v4.22.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\NCH Software\Switch\uninst.exe.vir a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Users\Ron\AppData\LocalLow\ombeigv.dll a variant of Win32/Kryptik.CSQX trojan
C:\Users\Ron\Downloads\FFSetup290 (1).zip a variant of Win32/ELEX potentially unwanted application
C:\Users\Ron\Downloads\FFSetup290.zip a variant of Win32/ELEX potentially unwanted application
C:\Users\Ron\Downloads\freeripmp3-setup.exe Win32/Toolbar.Zugo potentially unwanted application
C:\Users\Ron\Downloads\switchsetup.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application


#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:43 AM

Posted 01 January 2015 - 02:37 PM

This will take care of the one ESET detection that is dangerous and not already in quarantine:

icon11.gif   Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it in the same location as FRST (usually your desktop) as fixlist.txt

C:\Users\Ron\AppData\LocalLow\ombeigv.dll
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Now run FRST again.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) please post it to your reply.


I’ll attempt to address your other issues/concerns in order:

1.  I would recommend following the instructions in this LINK to reset Internet Explorer.  That should resolve some of the issues you are having with IE, but it will also revert any changes you intentionally made (homepage, search provider, etc) back to their defaults.

2.  Disabling or uninstalling Java is not a bad idea.  See this POST for additional information.

3.  I would think that your assumption is correct. I noticed a few Dell related items in your logs.  There is no harm in uninstalling any of them if you don’t find them useful.

4.  I’m not sure what happened there, but from the looks of your log it eventually worked properly.

5.  ComboFix restores many setting back to their default.  That is likely what caused this change.

6.  This is related to ‘under the hood’ settings in IE that should be resolved with the instructions I posted in item #1 above.  

Please include the following in your next post:
  • fixlog.txt report
  • Any remaining issues with the PC

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#15 rs4221

rs4221
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 01 January 2015 - 03:31 PM

I noticed that the initial scan pointed to the Poweliks trojan, which I'm gathering was the big problem.  I found this page:  http://www.bleepingcomputer.com/virus-removal/remove-poweliks-trojan  I'm wondering if following just steps 1 and 2 there would fix my issues 1 and 6 without resetting all of my IE settings.  Worth trying?

 

I've seen some of the utilities we used appear in the system tray - not sure if that's permanent.  Have they left things left behind that I should now remove?

 

Given that Norton didn't stop the trojan, and I don't know which website gave it to me, should I be doing something differently to avoid ending up infected again?

 

Here is fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-12-2014

Ran by Ron at 2015-01-01 15:01:43 Run:2
Running from C:\Users\Ron\Desktop
Loaded Profile: Ron (Available profiles: Ron)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
C:\Users\Ron\AppData\LocalLow\ombeigv.dll
*****************
 
"C:\Users\Ron\AppData\LocalLow\ombeigv.dll" => File/Directory not found.
 
==== End of Fixlog 15:01:43 ====





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users