
Something Keeps Changing Registry on Reboot (Profile Quota)


  • This topic is locked
12 replies to this topic

#1 alpha202ej

alpha202ej

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 14 January 2015 - 08:44 AM

Hello,

 

I have a computer that keeps applying a storage quota to its profile each time it reboots. No group policy is set to enforce a quota and it appears whatever is doing this sets the storage quota via registry entry. I have tried running Malwarebytes and the machine does have AV on it but it doesn't detect anything. I am nearly certain this is some form of malware but no scanners appear to be able to pin it down.

 

Below is my DDS output and the requested attach log is attached to this post.

 

Thanks in advance for the assistance!

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 8.0.7601.18667  BrowserJavaVersion: 10.71.2
Run by <REMOVED> at 16:45:38 on 2015-01-13
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3893.2392 [GMT -5:00]
.
AV: Managed Antivirus Managed Antivirus *Enabled/Updated* {FFE93D16-FD09-0282-C7D3-8B1731B6A051}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Managed Antivirus Managed Antivirus *Enabled/Updated* {4488DCF2-DB33-0D0C-FD63-B0654A31EAEC}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Advanced Monitoring Agent GP\winagent.exe
C:\PROGRA~2\ADVANC~1\patchman\lnssatt.exe
C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~2\ADVANC~1\webprotection\WebMon.Agent.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\PROGRA~2\ADVANC~1\managedav\SBAMSvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files (x86)\Advanced Monitoring Agent GP\systray\SysTray.exe
C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMTray.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\proquota.exe
C:\PROGRA~2\ADVANC~1\winagentrcl.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
c:\program files (x86)\teamviewer\version9\TeamViewer_Desktop.exe
C:\Windows\regedit.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://companyweb
uDefault_Page_URL = hxxp://companyweb
mStart Page = hxxp://www.google.com
uProxyServer = hxxp=127.0.0.1:49540;https=127.0.0.1:49540
uProxyOverride = <-loopback>
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - 
mWinlogon: Userinit = userinit.exe,
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [20131121] C:\Program Files\AVAST Software\Avast Business\setup\emupdate\95515d92-ae33-4bb3-85e3-9ead12fd5506.exe /check
mRun: [AdvancedMonitoringSysTray] "C:\PROGRA~2\ADVANC~1\systray\Launcher.exe"
mRun: [SBAMTray] "C:\PROGRA~2\ADVANC~1\managedav\SBAMTray.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-System: EnableProfileQuota = dword:1
uPolicies-System: ProfileQuotaMessage = You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
uPolicies-System: MaxProfileSize = dword:120000
uPolicies-System: WarnUser = dword:1
uPolicies-System: WarnUserTimeout = dword:150
uPolicies-Windows\System: ExcludeProfileDirs = Desktop;Local Settings;Temporary Internet Files;History;Temp; My Documents; Application Data\ACT;Application Data\Adobe;Application Data\Sun;Application Data\Macromedia;Application Data\Real;Application Data\Apple Computer;Application Data\Move Networks;Application Data\Roxio;PrivacIE;AppData\Roaming\Apple Computer;Dropbox;AppData\Roaming\Dropbox;Downloads;AppData\Roaming\Adobe\Flash Player;AppData\Roaming\Skype;AppData\Roaming\MacroMedia;AppData\Roaming\Real;AppData\Roaming\Research in Motion;AppData\Roaming\Malwarebytes;AppData\Roaming\Online Backup;AppData\Roaming\Adobe;AppData\Roaming\Mozilla;Google Drive
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: RunStartupScriptSync = dword:1
mPolicies-Windows\System: AddAdminGroupToRUP = dword:1
mPolicies-Windows\System: CompatibleRUPSecurity = dword:1
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP25EP3-11662/webex/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.0.3
TCP: Interfaces\{D3DD3AC9-823D-47D0-AB0B-4C9B8EE2A652} : DHCPNameServer = 192.168.0.3
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.99\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = www.google.com
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe"
x64-Run: [SBRegRebootCleaner] "C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBRC.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Users\barnold\AppData\Local\Citrix\Plugins\104\npappdetector.dll
FF - plugin: C:\Users\barnold\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.mymysearchdial.hmpgUrl - hxxp://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=
FF - user.js: extensions.mysearchdial.dfltSrch - true
FF - user.js: extensions.mysearchdial.srchPrvdr - 2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=
FF - user.js: extensions.mysearchdial.tlbrSrchUrl - hxxp://start.mysearchdial.com/?f=3&a=dsites0202&cd=2XzuyEtN2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=&q=
FF - user.js: extensions.mysearchdial.id - 7071BCA837F661C4
FF - user.js: extensions.mysearchdial.instlDay - 16126
FF - user.js: extensions.mysearchdial.vrsn - 1.8.21.0
FF - user.js: extensions.mysearchdial.vrsni - 1.8.21.0
FF - user.js: extensions.mysearchdial_i.vrsnTs - 1.8.21.015:29:10
FF - user.js: extensions.mysearchdial.prtnrId - mysearchdial
FF - user.js: extensions.mysearchdial.prdct - mysearchdial
FF - user.js: extensions.mysearchdial.aflt - dsites0202
FF - user.js: extensions.mysearchdial_i.smplGrp - none
FF - user.js: extensions.mysearchdial.tlbrId - base
FF - user.js: extensions.mysearchdial.instlRef - 
FF - user.js: extensions.mysearchdial.dfltLng - 
FF - user.js: extensions.mysearchdial.appId - {CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}
FF - user.js: extensions.mysearchdial.excTlbr - false
FF - user.js: extensions.mysearchdial_i.hmpg - true
FF - user.js: extensions.mysearchdial.cr - 11295202
FF - user.js: extensions.mysearchdial.cd - 2XzuyEtN2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R
FF - user.js: extensions.mysearchdial.AL - 2
.
FF - user.js: extensions.irmysearch.instlRef - 
FF - user.js: extensions.irmysearch.cr - 11295202
FF - user.js: extensions.irmysearch.cd - 2XzuyEtN2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;C:\Windows\System32\drivers\gfibto.sys [2014-2-22 14456]
R2 Advanced Monitoring Agent;Advanced Monitoring Agent;C:\Program Files (x86)\Advanced Monitoring Agent GP\winagent.exe [2014-2-22 8373760]
R2 gfi_lanss11_attservice;GFI LanGuard 11 Attendant Service;C:\PROGRA~2\ADVANC~1\patchman\lnssatt.exe [2012-7-17 118640]
R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [2013-6-7 376168]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files (x86)\LogMeIn\x64\rainfo.sys [2013-4-30 16056]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\System32\drivers\LMIRfsDriver.sys [2012-4-10 72216]
R2 MSSQL$QSRNVIVO9;SQL Server (QSRNVIVO9);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\sqlservr.exe [2010-4-3 42884448]
R2 SBAMSvc;Managed Antivirus;C:\PROGRA~2\ADVANC~1\managedav\SBAMSvc.exe [2013-5-28 3681016]
R2 sbapifs;sbapifs;C:\Windows\System32\drivers\sbapifs.sys [2013-5-7 86968]
R2 TeamViewer9;TeamViewer 9;C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe [2014-12-22 5036352]
R2 UNS;Intel(R) Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-12-16 2320920]
R2 WebMonAgent;Web Protection Agent;C:\PROGRA~2\ADVANC~1\webprotection\WebMon.Agent.exe -s --> C:\PROGRA~2\ADVANC~1\webprotection\WebMon.Agent.exe -s [?]
R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2010-12-16 301232]
R3 HECIx64;Intel(R) Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-9-16 56344]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-12-16 271872]
R3 wtismon;wtismon;C:\PROGRA~2\ADVANC~1\webprotection\Interceptor\wtismon.sys [2014-3-26 91824]
S3 gfiark;gfiark;C:\Windows\System32\drivers\gfiark.sys [2014-2-25 41032]
S3 gfiutil;gfiutil;C:\Windows\System32\drivers\gfiutil.sys [2014-2-25 31264]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-12-22 59392]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-4-3 44896]
S4 SQLAgent$QSRNVIVO9;SQL Server Agent (QSRNVIVO9);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\SQLAGENT.EXE [2010-4-3 367456]
.
=============== Created Last 30 ================
.
2015-01-13 21:28:54	--------	d-----w-	C:\Users\barnold\AppData\Roaming\TeamViewer
2015-01-05 16:13:44	--------	d-----w-	C:\Users\barnold\AppData\Local\Mendeley Ltd
2015-01-05 16:13:31	--------	d-----w-	C:\Program Files (x86)\Mendeley Desktop
2014-12-22 20:50:09	--------	d-----w-	C:\Program Files (x86)\TeamViewer
.
==================== Find3M  ====================
.
2014-12-12 07:08:30	71344	----a-w-	C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-12 07:08:30	701616	----a-w-	C:\Windows\SysWow64\FlashPlayerApp.exe
2014-12-12 07:04:54	1190912	----a-w-	C:\Windows\System32\WindowsCodecs.dll
2014-12-12 07:04:54	1011200	----a-w-	C:\Windows\SysWow64\WindowsCodecs.dll
2014-12-02 18:17:06	129752	----a-w-	C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-11-19 09:31:16	1217192	----a-w-	C:\Windows\SysWow64\FM20.DLL
2014-11-14 07:06:51	77824	----a-w-	C:\Windows\System32\packager.dll
2014-11-14 07:06:51	67584	----a-w-	C:\Windows\SysWow64\packager.dll
2014-11-14 07:06:40	861696	----a-w-	C:\Windows\System32\oleaut32.dll
2014-11-14 07:06:40	571904	----a-w-	C:\Windows\SysWow64\oleaut32.dll
2014-11-14 07:04:25	2048	----a-w-	C:\Windows\SysWow64\msxml3r.dll
2014-11-11 03:08:52	241152	----a-w-	C:\Windows\System32\pku2u.dll
2014-11-11 03:08:48	728064	----a-w-	C:\Windows\System32\kerberos.dll
2014-11-11 02:44:32	186880	----a-w-	C:\Windows\SysWow64\pku2u.dll
2014-11-11 02:44:25	550912	----a-w-	C:\Windows\SysWow64\kerberos.dll
2014-11-03 13:46:50	92520	----a-w-	C:\Windows\System32\LMIinit.dll
2014-11-03 13:46:50	35688	----a-w-	C:\Windows\System32\LMIport.dll
2014-11-03 13:46:50	107392	----a-w-	C:\Windows\System32\LMIRfsClientNP.dll
2014-10-23 13:46:46	92520	----a-w-	C:\Windows\System32\LMIinit.dll.000.bak
2014-10-23 13:46:46	107392	----a-w-	C:\Windows\System32\LMIRfsClientNP.dll.000.bak
2014-10-17 06:09:56	98216	----a-w-	C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-17 06:03:07	1943696	----a-w-	C:\Windows\System32\dfshim.dll
2014-10-17 06:03:07	1131664	----a-w-	C:\Windows\SysWow64\dfshim.dll
2014-10-17 06:03:06	81560	----a-w-	C:\Windows\SysWow64\mscories.dll
2014-10-17 06:03:06	73880	----a-w-	C:\Windows\System32\mscories.dll
2014-10-17 06:03:06	156824	----a-w-	C:\Windows\SysWow64\mscorier.dll
2014-10-17 06:03:06	156312	----a-w-	C:\Windows\System32\mscorier.dll
.
============= FINISH: 16:46:08.89 ===============

Attached Files


Edited by alpha202ej, 14 January 2015 - 01:09 PM.
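The values the original poster is asking about can be read directly from the user's own hive: the DDS `uPolicies-System` lines and the FRST `HKU\S-1-5-21-...-1187\...\Policies\system` lines both refer to the logged-on user's registry, which PowerShell exposes as `HKCU:`. The script below is an added audit example; it is not code from anyone in this thread or from the DDS/FRST tools. It assumes PowerShell 2.0 or later running in the affected user's session, and the `registry.pol` substring check is a heuristic assumption (the file stores value names as UTF-16LE text) that only covers the local user GPO, not domain policy.

```powershell
# Added example (not from this thread): audit the per-user profile-quota policy
# values and the loopback proxy setting reported in the DDS/FRST logs above.
# Assumes PowerShell 2.0 or later, run in the affected user's session.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$proxyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$localPol  = Join-Path $env:SystemRoot 'System32\GroupPolicy\User\registry.pol'

# Value names written by the "Limit profile size" user policy; proquota.exe
# (visible in both process lists above) is the component that enforces them.
$quotaValues = 'EnableProfileQuota', 'MaxProfileSize', 'ProfileQuotaMessage',
               'WarnUser', 'WarnUserTimeout'

function Get-ProfileQuotaPolicy {
    $props = @{}
    $item = $null
    if (Test-Path $policyKey) {
        $item = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    }
    foreach ($name in $quotaValues) {
        # $null means the value is absent, i.e. no quota policy is set for this user
        if ($item -ne $null) { $props[$name] = $item.$name } else { $props[$name] = $null }
    }
    New-Object PSObject -Property $props
}

function Get-UserProxySetting {
    $item = Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable   = $item.ProxyEnable
        ProxyServer   = $item.ProxyServer
        ProxyOverride = $item.ProxyOverride
    }
}

# Heuristic (assumption): registry.pol stores value names as UTF-16LE text, so a
# substring search shows whether the LOCAL user GPO carries the quota value.
# Domain GPOs are not covered here; use gpresult /h for those.
function Test-LocalGpoSetsQuota {
    if (-not (Test-Path $localPol)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($localPol)
    $text  = [System.Text.Encoding]::Unicode.GetString($bytes)
    return $text.Contains('EnableProfileQuota')
}

$quota = Get-ProfileQuotaPolicy
$proxy = Get-UserProxySetting

Write-Output "== Profile quota policy values under $policyKey =="
$quota | Format-List EnableProfileQuota, MaxProfileSize, WarnUser, WarnUserTimeout, ProfileQuotaMessage

if ($quota.EnableProfileQuota -eq 1) {
    Write-Output "Profile quota is ENABLED (MaxProfileSize = $($quota.MaxProfileSize) KB)."
    if (Test-LocalGpoSetsQuota) {
        Write-Output "Local user GPO sets EnableProfileQuota: the value is policy-managed."
    } else {
        Write-Output "Local user GPO does not set it: check domain policy (gpresult /h report.html),"
        Write-Output "then look for a logon script, scheduled task or Run entry that rewrites the key."
    }
}

Write-Output "== Proxy settings under $proxyKey =="
$proxy | Format-List ProxyEnable, ProxyServer, ProxyOverride
if ($proxy.ProxyServer -match '127\.0\.0\.1') {
    Write-Output "Browser traffic goes through a loopback proxy ($($proxy.ProxyServer))."
    Write-Output "Identify the listening process with: netstat -a -n -o -p tcp | findstr LISTENING"
}
```

Because the poster reports the values coming back after every reboot, the next step after this snapshot is to catch the writer in the act: Process Monitor's boot logging, filtered on the `Policies\System` key path, records which process sets `EnableProfileQuota` during startup and logon. The other findings in the FRST log (the `AppInit_DLLs` entry for SearchProtect, the mysearchdial search scopes and the loopback proxy) are the adware-style entries the helper's FRST fix will address; the audit above only reports, it changes nothing.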


#2 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,975 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:56 AM

Posted 14 January 2015 - 10:30 AM

Hey my friend. :)

Please download FRST (by Farbar) from the link below and save it to your Desktop.

Download Mirror #1

If you are unsure whether you have 32-Bit or 64-Bit Windows, see here
  • Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (If you have Windows Vista / Windows 7 / Windows 8: please right-click the FRST icon and select Run as Administrator.)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#3 alpha202ej

alpha202ej
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 14 January 2015 - 01:00 PM

Hello and thanks for the response!

 

I have run the requested scan.

 

Please see below for the output.

 

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-01-2015 02
Ran by barnold (administrator) on W7-INTREX-09 on 14-01-2015 12:50:11
Running from \\CONDUCTOR\RedirectedFolders\barnold\Desktop
Loaded Profile: barnold (Available profiles: tech & tech & barnold & apiper & tech)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Remote Monitoring) C:\Program Files (x86)\Advanced Monitoring Agent GP\winagent.exe
(GFI Software Development Ltd.) C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\lnssatt.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(GFI Software Ltd.) C:\Program Files (x86)\Advanced Monitoring Agent GP\webprotection\WebMon.Agent.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(ThreatTrack Security, Inc.) C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
() C:\Program Files (x86)\Advanced Monitoring Agent GP\systray\SysTray.exe
(Managed Antivirus) C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMTray.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Windows\System32\proquota.exe
() C:\Program Files (x86)\Advanced Monitoring Agent GP\winagentrcl.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(Farbar) \\CONDUCTOR\RedirectedFolders\barnold\Desktop\FRST64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe
(Microsoft Corporation) C:\Windows\SysWOW64\SearchProtocolHost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10810912 2010-05-07] (Realtek Semiconductor)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2013-04-30] (LogMeIn, Inc.)
HKLM\...\Run: [SBRegRebootCleaner] => C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBRC.exe [202648 2013-05-28] (ThreatTrack Security, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [20131121] => C:\Program Files\AVAST Software\Avast Business\setup\emupdate\95515d92-ae33-4bb3-85e3-9ead12fd5506.exe /check
HKLM-x32\...\Run: [AdvancedMonitoringSysTray] => C:\Program Files (x86)\Advanced Monitoring Agent GP\systray\Launcher.exe [291328 2014-04-16] ()
HKLM-x32\...\Run: [SBAMTray] => C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMTray.exe [3232152 2013-05-28] (Managed Antivirus)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-02-26] (Google Inc.)
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [EnableProfileQuota] 1
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [ProfileQuotaMessage] You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [MaxProfileSize] 120000
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [WarnUser] 1
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [WarnUserTimeout] 150
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
Startup: C:\Users\apiper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> \\W7-intrex-10\c$\Users\apiper\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-3568843429-1778139777-3686794816-1187] => http=127.0.0.1:49540;https=127.0.0.1:49540
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
URLSearchHook: HKU\S-1-5-21-3568843429-1778139777-3686794816-1187 - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0202&cd=2XzuyEtN2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0D0Tzu0SyBzzyBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=11295202&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0202&cd=2XzuyEtN2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0D0Tzu0SyBzzyBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=11295202&ir=
SearchScopes: HKU\S-1-5-21-3568843429-1778139777-3686794816-1187 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0202&cd=2XzuyEtN2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0D0Tzu0SyBzzyBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=11295202&ir=
SearchScopes: HKU\S-1-5-21-3568843429-1778139777-3686794816-1187 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0202&cd=2XzuyEtN2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0D0Tzu0SyBzzyBtN1L2XzutBtFtBtFtCyDtFtCyCtAtCtN1L1CzutBtAtDtC1N1R&cr=11295202&ir=
SearchScopes: HKU\S-1-5-21-3568843429-1778139777-3686794816-1187 -> {1875C4FA-ABC9-4D72-84A2-0CDFD86E6B7D} URL = http://www.search.ask.com/web?tpid=ORJ&o=100000031&pf=V5&p2=&gct=sb&itbv=12.10.3.24&apn_uid=0C5A5D30-F950-46F6-B97F-3FCFBD5A24D4&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_dbr=ie_8.0.7600.16385&doi=2014-02-07&trgb=IE,FF&q={searchTerms}&psv=
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-3568843429-1778139777-3686794816-1187 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP25EP3-11662/webex/ieatgpc1.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.0.3

FireFox:
========
FF ProfilePath: C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3568843429-1778139777-3686794816-1187: @citrixonline.com/appdetectorplugin -> C:\Users\barnold\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF user.js: detected! => C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\barnold\AppData\Roaming\mozilla\plugins\npatgpc.dll (Cisco WebEx LLC)
FF SearchPlugin: C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\searchplugins\ask-search.xml
FF SearchPlugin: C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\searchplugins\askcom.xml
FF SearchPlugin: C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\searchplugins\askcomsearch.xml
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-07-09]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-09-11]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2012-10-17]

Chrome: 
=======
CHR Profile: C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-06]
CHR Extension: (Google Drive) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-06]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-23]
CHR Extension: (YouTube) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-06]
CHR Extension: (Google Search) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-06]
CHR Extension: (Google Wallet) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-06]
CHR Extension: (Gmail) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-06]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Advanced Monitoring Agent; C:\Program Files (x86)\Advanced Monitoring Agent GP\winagent.exe [8373760 2014-11-03] (Remote Monitoring) [File not signed]
R2 gfi_lanss11_attservice; C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\lnssatt.exe [118640 2012-07-17] (GFI Software Development Ltd.)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376168 2014-11-03] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226152 2014-11-03] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2013-04-30] (LogMeIn, Inc.)
R2 MSSQL$QSRNVIVO9; c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\sqlservr.exe [42884448 2010-04-03] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2012-02-08] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2012-02-08] (Hewlett-Packard) [File not signed]
R2 SBAMSvc; C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMSvc.exe [3681016 2013-05-28] (ThreatTrack Security, Inc.)
S4 SQLAgent$QSRNVIVO9; c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\SQLAGENT.EXE [367456 2010-04-03] (Microsoft Corporation)
R2 WebMonAgent; C:\Program Files (x86)\Advanced Monitoring Agent GP\webprotection\WebMon.Agent.exe [1816920 2014-03-26] (GFI Software Ltd.)
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 gfiark; C:\Windows\System32\drivers\gfiark.sys [41032 2013-05-23] (ThreatTrack Security)
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2012-02-13] (GFI Software)
R3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [31264 2013-09-04] (ThreatTrack Security)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-04-30] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
R3 wtismon; C:\Program Files (x86)\Advanced Monitoring Agent GP\webprotection\Interceptor\wtismon.sys [91824 2014-03-26] (GFI Software)
S1 netfilter64; system32\drivers\netfilter64.sys [X]
S3 radpms; system32\DRIVERS\radpms.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-14 12:42 - 2015-01-14 12:50 - 00000000 ____D () C:\FRST
2015-01-13 17:31 - 2015-01-13 17:31 - 03714048 _____ () C:\Users\barnold\Downloads\grs14 (1).xls
2015-01-13 17:28 - 2015-01-13 17:28 - 03714048 _____ () C:\Users\barnold\Downloads\grs14.xls
2015-01-13 17:26 - 2015-01-13 17:26 - 00006730 _____ () C:\Users\barnold\Downloads\pop.xls
2015-01-13 16:28 - 2015-01-13 16:28 - 00000000 ____D () C:\Users\barnold\AppData\Roaming\TeamViewer
2015-01-13 16:23 - 2015-01-13 16:23 - 436854820 _____ () C:\Windows\MEMORY.DMP
2015-01-13 16:23 - 2015-01-13 16:23 - 00460344 _____ () C:\Windows\Minidump\011315-22542-01.dmp
2015-01-13 16:23 - 2015-01-13 16:23 - 00000000 ____D () C:\Windows\Minidump
2015-01-13 15:34 - 2015-01-13 15:34 - 00380416 _____ () C:\Users\barnold\Downloads\8k4dvvb3.exe
2015-01-07 11:46 - 2013-05-21 11:53 - 00000000 ____D () C:\Users\barnold\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-01-06 09:19 - 2015-01-06 09:19 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-01-05 11:13 - 2015-01-05 11:13 - 00000000 ____D () C:\Users\barnold\AppData\Local\Mendeley Ltd
2015-01-05 11:12 - 2015-01-05 11:12 - 22521632 _____ () C:\Users\barnold\Downloads\Mendeley-Desktop-1.12.4-win32.exe
2014-12-22 15:50 - 2014-12-22 15:50 - 00000000 ____D () C:\Program Files (x86)\TeamViewer

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-14 12:49 - 2014-02-22 03:27 - 00000000 ____D () C:\Program Files (x86)\Advanced Monitoring Agent GP
2015-01-14 12:47 - 2010-12-16 16:46 - 01222627 _____ () C:\Windows\WindowsUpdate.log
2015-01-14 12:46 - 2009-07-13 23:45 - 00014960 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-14 12:46 - 2009-07-13 23:45 - 00014960 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-14 12:43 - 2013-02-26 09:30 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-14 12:15 - 2012-04-05 09:35 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-14 12:11 - 2014-11-04 11:03 - 00000592 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3568843429-1778139777-3686794816-1187.job
2015-01-14 12:03 - 2010-12-17 15:59 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3568843429-1778139777-3686794816-1154UA.job
2015-01-14 11:47 - 2010-12-17 15:41 - 00000120 _____ () C:\Windows\system32\config\netlogon.ftl
2015-01-14 10:15 - 2012-04-05 09:35 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-14 10:15 - 2012-04-05 09:35 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-14 10:15 - 2011-06-27 08:16 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-14 08:43 - 2013-02-26 09:30 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-14 07:56 - 2014-06-17 15:35 - 00000000 ____D () C:\Users\ekeefe
2015-01-14 07:56 - 2014-05-07 16:28 - 00000000 ____D () C:\Users\tech.DOMAIN
2015-01-14 07:56 - 2012-09-20 08:24 - 00000000 ____D () C:\Users\apiper
2015-01-14 07:56 - 2012-04-27 10:56 - 00000000 ____D () C:\Users\khoover
2015-01-14 07:56 - 2010-12-17 15:44 - 00000000 ____D () C:\Users\tech
2015-01-14 07:56 - 2010-12-16 16:46 - 00000000 ____D () C:\Users\tech
2015-01-14 06:14 - 2014-02-22 06:15 - 00000000 ____D () C:\Windows\Patches
2015-01-13 16:28 - 2011-02-08 16:32 - 00005210 __RSH () C:\Users\barnold\ntuser.pol
2015-01-13 16:28 - 2011-02-08 14:26 - 00000000 ____D () C:\Users\barnold
2015-01-13 16:24 - 2014-01-22 04:10 - 00001004 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2015-01-13 16:24 - 2014-01-22 04:10 - 00000988 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-01-13 16:23 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-13 16:23 - 2009-07-13 23:51 - 00031834 _____ () C:\Windows\setupact.log
2015-01-13 16:10 - 2011-02-08 14:26 - 00001394 ___SH () C:\Users\barnold\ntuser.ini
2015-01-13 16:04 - 2010-12-17 15:59 - 00000868 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3568843429-1778139777-3686794816-1154Core.job
2015-01-13 15:54 - 2014-02-25 16:13 - 00003338 _____ () C:\Windows\System32\Tasks\Advanced System Protector
2015-01-13 06:37 - 2011-01-05 11:50 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-01-12 13:18 - 2009-07-14 00:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-01-07 11:41 - 2014-02-25 16:39 - 00000000 ____D () C:\Users\barnold\AppData\Roaming\Managed Antivirus
2015-01-07 11:05 - 2009-07-14 00:13 - 00805640 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-02 05:25 - 2014-11-04 11:03 - 00003624 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3568843429-1778139777-3686794816-1187
2014-12-22 15:50 - 2014-06-03 15:47 - 00001102 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9 Host.lnk

Some content of TEMP:
====================
C:\Users\tech\AppData\Local\Temp\ose00000.exe
C:\Users\barnold\AppData\Local\Temp\6_Offer_16.exe
C:\Users\barnold\AppData\Local\Temp\ApnStub.exe
C:\Users\barnold\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\barnold\AppData\Local\Temp\install_flashplayer11x32axau_gtba_chra_dy_aih[1].exe
C:\Users\barnold\AppData\Local\Temp\install_flashplayer11x32axau_gtba_chra_dy_aih[1]_1.exe
C:\Users\barnold\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_au_aih[1].exe
C:\Users\barnold\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_au_aih[1]_1.exe
C:\Users\barnold\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_au_aih[1]_2.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u39-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\setup.exe
C:\Users\barnold\AppData\Local\Temp\System.Data.SQLite.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 07:49

==================== End Of Log ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-01-2015 02
Ran by barnold at 2015-01-14 12:50:59
Running from \\CONDUCTOR\RedirectedFolders\barnold\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Managed Antivirus Managed Antivirus (Enabled - Up to date) {FFE93D16-FD09-0282-C7D3-8B1731B6A051}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Managed Antivirus Managed Antivirus (Enabled - Up to date) {4488DCF2-DB33-0D0C-FD63-B0654A31EAEC}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 13.2.1 - Hewlett-Packard) Hidden
Adobe Connect Add-in (HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Adobe Connect Add-in) (Version:  - )
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Advanced Monitoring Agent GP (HKLM-x32\...\Advanced Monitoring Agent GP) (Version: 1.0.0 - Remote Monitoring Services)
Advanced Monitoring Agent GP (x32 Version: 1.0 - InstallAware Software Corporation) Hidden
Advanced Monitoring Agent GP (x32 Version: 1.0.0 - Remote Monitoring Services) Hidden
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
avast! Antivirus (x32 Version: 4.8 - ALWIL Software) Hidden
AxCrypt 1.7.3156.0 (HKLM\...\{8B49CDB9-824C-44D6-A5D3-D0235D3030B8}) (Version: 1.7.3156.0 - Axantum Software AB)
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{77463C86-BB3A-426E-A6C2-06B4D28C250F}) (Version: 1.0.223 - Citrix)
GFI LanGuard 11 Agent (x32 Version: 11.0.2012.0717 - GFI Software Ltd) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.99 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
GoToMeeting 7.0.5.2152 (HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\GoToMeeting) (Version: 7.0.5.2152 - CitrixOnline)
IBM SPSS Statistics 20 (HKLM\...\{2AF8017B-E503-408F-AACE-8A335452CAD2}) (Version: 20.0.0.0 - IBM Corp)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Graphics Media Accelerator Driver (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2141 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 6.0.0.1179 - Intel Corporation)
Intel(R) Network Connections 15.3.68.0 (HKLM\...\PROSetDX) (Version: 15.3.68.0 - Intel)
Java 7 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
LogMeIn (HKLM-x32\...\{2BFDA78F-39F7-4537-9995-71424CFA88BB}) (Version: 4.1.2138 - LogMeIn, Inc.)
LogMeIn (HKLM-x32\...\{CB7AF84A-1B7F-4C6B-8A58-EB7CDE48C23A}) (Version: 4.1.3268 - LogMeIn, Inc.)
LogMeIn (HKLM-x32\...\{D3AE96EE-2876-4B3F-847C-D3A4AD689E43}) (Version: 4.1.1578 - LogMeIn, Inc.)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Managed Antivirus (HKLM-x32\...\{C1D1FC57-3EB9-4B21-BCA3-F1C927508200}) (Version: 6.2.5528 - GFI Software)
Managed Antivirus (x32 Version: 6.2.5528 - GFI Software) Hidden
Mendeley Desktop 1.12.4 (HKLM-x32\...\Mendeley Desktop) (Version: 1.12.4 - Mendeley Ltd.)
Microsoft Office Live Meeting 2007 (HKLM-x32\...\{389F8A7A-8611-42E8-8169-20D2BAF0C595}) (Version: 8.0.6362.215 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 (HKLM-x32\...\Microsoft SQL Server 2008 R2) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Native Client (HKLM\...\{2180B33F-3225-423E-BBC1-7798CFD3CD1F}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Setup (English) (HKLM-x32\...\{72DE3C67-FB48-450E-8BEA-4EB1B3B5355D}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft SQL Server 2008 Setup Support Files  (HKLM-x32\...\{D441BD04-E548-4F8E-97A4-1B66135BAAA8}) (Version: 10.1.2731.0 - Microsoft Corporation)
Microsoft SQL Server Browser (HKLM-x32\...\{BF9BF038-FE03-429D-9B26-2FA0FD756052}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{288D79EE-A2D1-42AF-9597-B0ADCC23A8ED}) (Version: 10.50.1600.1 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 34.0.5 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 34.0.5 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
QSR NVivo 9.2 (HKLM-x32\...\{82184A1C-52B8-438F-A79B-8D7580114987}) (Version: 9.2.81.0 - QSR International Pty Ltd)
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6106 - Realtek Semiconductor Corp.)
SavingsBull (x32 Version: 1.0.0.0 - SavingsBull) Hidden <==== ATTENTION
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
SQL Server 2008 R2 Common Files (x32 Version: 10.50.1600.1 - Microsoft Corporation) Hidden
SQL Server 2008 R2 Database Engine Services (x32 Version: 10.50.1600.1 - Microsoft Corporation) Hidden
SQL Server 2008 R2 Database Engine Shared (x32 Version: 10.50.1600.1 - Microsoft Corporation) Hidden
Sql Server Customer Experience Improvement Program (x32 Version: 10.50.1600.1 - Microsoft Corporation) Hidden
TeamViewer 9 Host (HKLM-x32\...\TeamViewer 9 Host) (Version: 9.0.29327 - TeamViewer)
Web Protection Agent (HKLM\...\{F68D22FE-1BD1-4E5D-AAA2-1B6947131E40}) (Version: 8.2.14085 - )
WebEx (HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Windows Small Business Server 2008 ClientAgent (HKLM\...\{E4FF4DF1-F99C-49AC-B398-BE0887432846}) (Version: 6.0.5601.0 - Microsoft Corporation)
Windows Small Business Server 2008 Desktop Links Gadget (HKLM\...\{F5E5D7CA-0F94-41A3-8106-66473C2F3728}) (Version: 6.0.5601.0 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3568843429-1778139777-3686794816-1187_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\barnold\AppData\Local\Citrix\GoToMeeting\1468\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Restore Points  =========================

20-12-2014 00:00:01 Scheduled Checkpoint
27-12-2014 00:00:01 Scheduled Checkpoint
03-01-2015 00:00:02 Scheduled Checkpoint
11-01-2015 00:00:01 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {07691A1B-E334-4F3E-8C56-21753D1602F8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-20] (Google Inc.)
Task: {1F06F356-DC35-4701-A174-60EEB6C4BA82} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-20] (Google Inc.)
Task: {2935DCE3-C588-430E-90A9-D4EEE6AE6E42} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {36AC9ECF-C67D-4C0B-B2BC-DE2735357813} - System32\Tasks\Advanced System Protector => C:\Program Files (x86)\RegClean Pro\SystweakASP.exe <==== ATTENTION
Task: {4D96CF72-CA5D-4447-8FA5-F087D6900AEE} - \RegClean Pro No Task File <==== ATTENTION
Task: {5083A19B-CCE3-4CDC-AB8B-6633E8207012} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-01-14] (Adobe Systems Incorporated)
Task: {5FB48E62-AB71-4808-AE6B-DAE9DC9D4793} - System32\Tasks\{068B979A-D936-4469-81EA-1F17452FA88D} => pcalua.exe -a D:\Express.exe
Task: {72AB67D2-7A7C-4971-BFA4-E60935263DCE} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
Task: {89999017-E1DD-495D-85FB-DCE0BD1E5898} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3568843429-1778139777-3686794816-1154UA => C:\Users\ssmith\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-17] (Google Inc.)
Task: {9265221B-59A9-4CFF-9219-6C75B5EBDB68} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {A35CBA91-245E-4A1E-9BBD-7DA54CBAA33D} - System32\Tasks\G2MUpdateTask-S-1-5-21-3568843429-1778139777-3686794816-1187 => C:\Users\barnold\AppData\Local\Citrix\GoToMeeting\2152\g2mupdate.exe [2015-01-02] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {F9244D83-D9F6-4829-A2AB-0DE3BFF8F078} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3568843429-1778139777-3686794816-1154Core => C:\Users\ssmith\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-17] (Google Inc.)
Task: {FF11F70F-C9DB-4957-AA82-2E0277CA15D0} - \Advanced System Protector_startup No Task File <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3568843429-1778139777-3686794816-1187.job => C:\Users\barnold\AppData\Local\Citrix\GoToMeeting\2152\g2mupdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3568843429-1778139777-3686794816-1154Core.job => C:\Users\ssmith\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3568843429-1778139777-3686794816-1154UA.job => C:\Users\ssmith\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2009-10-01 09:08 - 2009-10-01 13:08 - 00015360 _____ () C:\Windows\System32\KOAZ8A_L.DLL
2013-09-05 00:17 - 2013-09-05 00:17 - 04300456 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2014-02-24 09:23 - 2014-04-16 15:30 - 00291328 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\systray\SysTray.exe
2014-02-22 03:33 - 2014-02-25 09:44 - 00470016 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\winagentrcl.exe
2012-07-17 17:20 - 2012-07-17 17:20 - 00305520 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\apistrings.dll
2012-07-17 17:24 - 2012-07-17 17:24 - 00159600 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\modlop.dll
2012-07-23 07:32 - 2012-07-23 07:32 - 00099184 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\httpserverattplugin.dll
2013-05-23 09:05 - 2013-05-23 09:05 - 02021240 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\crmimodule.dll
2012-07-17 17:29 - 2012-07-17 17:29 - 00208752 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\patchautodownload.dll
2014-07-17 09:37 - 2014-07-17 09:37 - 00422000 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\remediationattplugin.dll
2009-07-13 16:03 - 2009-07-13 20:15 - 00364544 _____ () C:\Windows\SysWOW64\msjetoledb40.dll
2013-01-21 07:05 - 2013-01-21 07:05 - 00183672 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\scanmngsys.dll
2012-07-17 17:29 - 2012-07-17 17:29 - 00049520 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\schedcompactdb.dll
2012-07-17 17:29 - 2012-07-17 17:29 - 00054640 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\schedupdates.dll
2014-03-26 12:32 - 2014-03-26 12:32 - 00054784 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\webprotection\Interceptor\wtismon.dll
2014-02-25 16:41 - 2014-12-19 05:01 - 00192376 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\Definitions\libBase64.dll
2014-02-25 16:41 - 2014-12-19 05:01 - 00180088 _____ () C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\Definitions\libMachoUniv.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf
2013-02-14 15:46 - 2013-02-14 15:46 - 01044048 _____ () C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
2010-10-20 15:45 - 2010-10-20 15:45 - 08801120 _____ () C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-658649277-234581320-2012140849-500 - Administrator - Disabled)
tech (S-1-5-21-658649277-234581320-2012140849-1000 - Administrator - Enabled) => C:\Users\tech
Guest (S-1-5-21-658649277-234581320-2012140849-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

Name: avast! Firewall NDIS Filter Miniport
Description: avast! Firewall NDIS Filter Miniport
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: ALWIL Software
Service: aswNdis
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.

Name: netfilter64
Description: netfilter64
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: netfilter64
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/13/2015 04:29:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: TeamViewer.exe, version: 9.0.29327.0, time stamp: 0x5391cd23
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0xffecf564
Faulting process id: 0xd40
Faulting application start time: 0xTeamViewer.exe0
Faulting application path: TeamViewer.exe1
Faulting module path: TeamViewer.exe2
Report Id: TeamViewer.exe3

Error: (01/13/2015 04:05:58 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winagent.exe, version: 1.0.0.1, time stamp: 0x54576275
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x70756b63
Faulting process id: 0x1714
Faulting application start time: 0xwinagent.exe0
Faulting application path: winagent.exe1
Faulting module path: winagent.exe2
Report Id: winagent.exe3

Error: (01/09/2015 05:00:47 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: Windows Windows cannot update your roaming profile completely. Check previous events for more details.

Error: (01/08/2015 04:44:40 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: Windows Windows cannot update your roaming profile completely. Check previous events for more details.

Error: (01/07/2015 04:58:06 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: Windows Windows cannot update your roaming profile completely. Check previous events for more details.

Error: (01/07/2015 11:47:28 AM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: Windows Windows cannot update your roaming profile completely. Check previous events for more details.

Error: (01/07/2015 11:43:49 AM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: Windows Windows cannot update your roaming profile completely. Check previous events for more details.

Error: (12/11/2014 09:29:25 AM) (Source: MsiInstaller) (EventID: 1024) (User: domain)
Description: Product: Adobe Reader XI (11.0.09) - Update '{AC76BA86-7AD7-0000-2550-7A8C40011010}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (11/25/2014 03:44:48 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: Windows Windows cannot update your roaming profile completely. Check previous events for more details.

Error: (11/24/2014 04:43:08 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: Windows Windows cannot update your roaming profile completely. Check previous events for more details.


System errors:
=============
Error: (01/13/2015 04:25:28 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
netfilter64

Error: (01/13/2015 04:23:53 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x0000009f (0x0000000000000004, 0x0000000000000258, 0xfffffa8003868040, 0xfffff80000b9c510)C:\Windows\MEMORY.DMP011315-22542-01

Error: (01/13/2015 04:11:30 PM) (Source: Service Control Manager) (EventID: 7043) (User: )
Description: The Group Policy Client service did not shut down properly after receiving a preshutdown control.

Error: (01/13/2015 04:06:05 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Advanced Monitoring Agent service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/12/2015 01:13:37 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/20/2014 03:54:31 PM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/16/2014 08:55:36 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/16/2014 08:45:42 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send to Microsoft OneNote 15 Driver required for printer Send To OneNote 2013 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/10/2014 09:35:47 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
netfilter64

Error: (12/02/2014 01:34:44 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load: 
netfilter64


Microsoft Office Sessions:
=========================
Error: (01/13/2015 04:29:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: TeamViewer.exe9.0.29327.05391cd23unknown0.0.0.000000000c0000005ffecf564d4001d02f77ed03ee46c:\program files (x86)\teamviewer\version9\TeamViewer.exeunknown31add87f-9b6b-11e4-ad8d-7071bca837f6

Error: (01/13/2015 04:05:58 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: winagent.exe1.0.0.154576275unknown0.0.0.000000000c000000570756b63171401d01e28d40ef964C:\Program Files (x86)\Advanced Monitoring Agent GP\winagent.exeunknownf831fe53-9b67-11e4-addb-7071bca837f6

Error: (01/09/2015 05:00:47 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: 

Error: (01/08/2015 04:44:40 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: 

Error: (01/07/2015 04:58:06 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: 

Error: (01/07/2015 11:47:28 AM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: 

Error: (01/07/2015 11:43:49 AM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: 

Error: (12/11/2014 09:29:25 AM) (Source: MsiInstaller) (EventID: 1024) (User: domain)
Description: Adobe Reader XI (11.0.09){AC76BA86-7AD7-0000-2550-7A8C40011010}1625(NULL)(NULL)(NULL)

Error: (11/25/2014 03:44:48 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: 

Error: (11/24/2014 04:43:08 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1504) (User: domain)
Description: 


CodeIntegrity Errors:
===================================
  Date: 2015-01-12 13:13:26.363
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-20 15:54:28.570
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-12-16 08:45:39.491
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-11-25 20:54:16.880
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-11-25 20:43:40.433
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-11-24 08:38:55.203
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-11-21 09:06:01.499
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-11-20 09:09:50.181
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-11-14 18:29:20.639
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

  Date: 2014-11-12 17:22:03.924
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i3 CPU 540 @ 3.07GHz
Percentage of memory in use: 46%
Total physical RAM: 3893.32 MB
Available physical RAM: 2089.82 MB
Total Pagefile: 7784.82 MB
Available Pagefile: 5966.18 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:596.17 GB) (Free:533.72 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596.2 GB) (Disk ID: E02BE02B)
Partition 1: (Active) - (Size=596.2 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Thanks!
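
The Addition.txt above flags two things worth confirming by hand before any fix is applied: a boot-start driver (netfilter64) that the Service Control Manager reports as failing at every boot, next to two faulty Device Manager entries (netfilter64, Code 24, and the avast! aswNdis miniport, Code 19), and a run of User Profiles Service event 1504 errors whose text only says to "check previous events". The PowerShell below is an added example written for this thread; it is not code from FRST, Malwarebytes or either poster. It assumes an elevated PowerShell prompt on the affected Windows 7 machine (PowerShell 2.0 syntax, so it runs without WMF updates) and only reads the registry and the Application log; it changes nothing.

```powershell
# Added example, not part of the original post or of FRST's output.
# Two read-only follow-up checks for items flagged in the Addition.txt above.
# Assumes an elevated PowerShell prompt on the affected Windows 7 x64 host.

# Check 1: boot-start / system-start drivers whose binary is missing on disk.
# Event 7026 names netfilter64 at every boot, and Device Manager reports
# netfilter64 (Code 24) and aswNdis (Code 19). A Services key whose ImagePath
# no longer exists is typically a leftover from an uninstall rather than a
# live driver, but confirm that before anything is removed.
function Get-OrphanedBootDriver {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in (Get-ChildItem $root -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($p -eq $null -or -not $p.ImagePath) { continue }
        # Type 1 = kernel driver, 2 = file system driver; Start 0 = boot, 1 = system
        if ((@(1, 2) -contains $p.Type) -and (@(0, 1) -contains $p.Start)) {
            # Normalise the NT-style paths stored in the registry to Win32 paths
            $path = $p.ImagePath -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            $path = $path -replace '^system32\\', ($env:SystemRoot + '\system32\')
            if (-not (Test-Path -LiteralPath $path)) {
                New-Object PSObject -Property @{
                    Service   = $key.PSChildName
                    Start     = $p.Start
                    ImagePath = $p.ImagePath
                }
            }
        }
    }
}

# Check 2: context for the repeated User Profiles Service event 1504
# ("cannot update your roaming profile completely. Check previous events
# for more details"). For each 1504, collect what the same provider logged
# in the preceding window; that is where the actual reason for the failed
# profile sync is recorded.
function Get-RoamingProfileContext {
    param([int]$SecondsBefore = 120)   # window length is an assumption; widen if needed
    $provider = 'Microsoft-Windows-User Profiles Service'
    $failures = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $provider; Id = 1504
    } -ErrorAction SilentlyContinue
    foreach ($f in $failures) {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Application'; ProviderName = $provider
            StartTime = $f.TimeCreated.AddSeconds(-$SecondsBefore)
            EndTime   = $f.TimeCreated
        } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } }
    }
}

Get-OrphanedBootDriver | Format-Table Service, Start, ImagePath -AutoSize
Get-RoamingProfileContext | Format-Table -AutoSize -Wrap
```

The first function is the test to run on netfilter64 and aswNdis: an entry that reports a path with no file behind it is consistent with the Code 19 / Code 24 state shown in the log and is what the later FRST fixlist would be expected to clean up. The second function turns the eight identical 1504 lines into the events that preceded each one, which is what the 1504 message itself tells you to read; if the Application log holds nothing before a 1504, the provider's own Operational channel (if enabled on the host) is the next place to look.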



#4 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,975 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:56 AM

Posted 14 January 2015 - 03:13 PM

Hey,

Step 1: AdwCleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1
  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP, just run it.)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on screen prompts
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found in here: C:\AdwCleaner\

Step 2: Malwarebytes

Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits


Go back to the Dashboard and select Scan Now


If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.


On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Step 4: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#5 alpha202ej

alpha202ej
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 15 January 2015 - 12:17 PM

Hi Machiavelli,

I was able to run AdwCleaner but for some reason it decided not to retain the logs. As you mentioned, there is supposed to be a log file in C:\AdwCleaner\ but the folder was not present following the scan. I also tried clicking on the Report button but it decided to reference Z:\AdwCleaner\ (which doesn't exist on the mapped drive). It appeared that AdwCleaner did find some items as it rebooted the machine but I have no log to show exactly what it did.

I know this process is a very structured approach, so how should I proceed from here?

Thanks!



#6 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,975 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:56 AM

Posted 15 January 2015 - 02:01 PM

OK, then proceed with Step 2. :)

~Machiavelli



#7 alpha202ej

alpha202ej
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:01:56 AM

Posted 15 January 2015 - 03:06 PM

Hi Machiavelli,

Understood.

Here are the logs for MWB:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/14/2015
Scan Time: 8:42:26 PM
Logfile: 
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.15.02
Rootkit Database: v2015.01.14.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: barnold

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 610814
Time Elapsed: 12 min, 30 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 76
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\prefs.js, Good: (), Bad: (user_pref("extensions.mysearchdial.dfltSrch", true);), Replaced,[e36e57a0e0a95bdbf3dc2ca31bea1be5]
PUP.Optional.MySearch.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (user_pref("extensions.irmysearch.instlRef", "");), Replaced,[c09149ae2762bb7b3f884c83c83d21df]
PUP.Optional.MySearch.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (ons.mymysearchdial.hmpgUrl", "http://start.mysearc), Replaced,[fa572bccd2b7eb4bc403b31c15f0e51b]
PUP.Optional.MySearch.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11), Replaced,[8ec3a84f32578fa77552854a8f76c23e]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (user_pref("extensions.mysearchdial.dfltSrch", true);), Replaced,[f958a45304854beb4987eae5fd0844bc]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");
u), Replaced,[1839f304f1985fd7933d309fd23357a9]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (tAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");
user_pref("extensions.mysearchdial.dfltSrch", true);
user_pref("extensions.mysearchdial.srchPrvdr", 2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCy), Replaced,[cf82c730c8c1bb7b14bc9c33739211ef]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (ensions.mysearchdial.dfltSrch", true);
user_pref("extension), Replaced,[a8a9e611e6a376c08848d5fa41c4f50b]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (archdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0), Replaced,[6be69463d2b7bb7bc8086b64e91c6997]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (ymysearchdial.hmpgUrl", "http://start.mysearchdial.com), Replaced,[4c053eb996f3fd39b31de3ec59acde22]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (mymysearchdial.hmpgUrl", "http://start.mysearchdial.com), Replaced,[b1a039be216845f15b75fbd454b1817f]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (ymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0Azzt), Replaced,[b39e0fe85d2cf6400ac69a35e3227d83]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (al.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0Fy), Replaced,[fd54c82fe3a655e17b55f6d924e1c43c]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (rchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0Azz), Replaced,[18393fb8d6b30432339d7c53b64fe61a]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (earchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0), Replaced,[99b8c730d5b4df57f2de656a30d59e62]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (mysearchdial.hmpgUrl", "http://start.mysearchdial.com/t), Replaced,[d37e01f6b3d649ed0bc54b84dd28db25]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (ymysearchdial.hmpgUrl", "http://start.mysearchdial.c), Replaced,[3a1746b189000531a62aa42b65a05fa1]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchd), Replaced,[cb86d6210b7e3402fad6a12e52b3fd03]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (ons.mymysearchdial.hmpgUrl", "http://start.mysear), Replaced,[6fe2cd2a1079181ec60ae9e614f14db3]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (ions.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0C), Replaced,[4b06c73004854ee820b03996d035718f]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (//start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEt), Replaced,[28290cebfb8e0f278b457e51d233748c]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (ons.mymysearchdial.hmpgUrl", "http://start.mysearchd), Replaced,[bd9435c24d3cce6814bc9c331aeb4cb4]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=1129), Replaced,[e66beb0cfd8c2b0b5a768649d431728e]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1), Replaced,[c58c7c7b4445c076824ec7083dc8916f]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (user_pref("extensions.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");), Replaced,[371a8077216874c227aac00f80858080]
PUP.Optional.MySearchDial.A, C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default\user.js, Good: (), Bad: (, 2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");
user_pref("extensions.mysearchdial.tlbrSrchUrl", "http://start.mysearchdial.com/?f=3&a=dsites0202&cd=2XzuyEt), Replaced,[e26fd7206c1dcd69458c606fdd286799]
PUP.Optional.MySearch.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (user_pref("extensions.irmysearch.instlRef", "");), Replaced,[94bdc92e7217e056aa1d2ea16a9bec14]
PUP.Optional.MySearch.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (ons.mymysearchdial.hmpgUrl", "http://start.mysearc), Replaced,[6ae7cf280c7de056586fcd029075f808]
PUP.Optional.MySearch.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11), Replaced,[0c4528cf3f4ace684e79b31cdd28e818]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (user_pref("extensions.mysearchdial.dfltSrch", true);), Replaced,[153c827591f84aeca0309e312adb9868]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");
u), Replaced,[c58cde195b2e1026e8e8359a6e97768a]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (tAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");
user_pref("extensions.mysearchdial.dfltSrch", true);
user_pref("extensions.mysearchdial.srchPrvdr", 2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCy), Replaced,[f859e1165e2b39fd814f7e518d787c84]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (ensions.mysearchdial.dfltSrch", true);
user_pref("extension), Replaced,[331e13e40089d85e15bb04cb30d56f91]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (archdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0), Replaced,[3d140ceb8dfc171fd9f7eee16a9b5fa1]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (ymysearchdial.hmpgUrl", "http://start.mysearchdial.com), Replaced,[9fb2fff830599b9b943c2aa5cd38cc34]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (mymysearchdial.hmpgUrl", "http://start.mysearchdial.com), Replaced,[2130d52248411d19636de6e9b1544fb1]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (ymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0Azzt), Replaced,[2d24c92eef9aac8a6c64efe016efb749]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (al.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0Fy), Replaced,[5100c631f891171fe8e80fc0e0255aa6]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (rchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0Azz), Replaced,[79d851a64a3f39fde2eef2ddee17c43c]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (earchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0), Replaced,[8bc604f3f099989e8d43d9f62bda7e82]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (mysearchdial.hmpgUrl", "http://start.mysearchdial.com/t), Replaced,[aaa7797e0584f1453c94ca0553b2cd33]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (ymysearchdial.hmpgUrl", "http://start.mysearchdial.c), Replaced,[bb965d9a3257e74f428e8b44d431b24e]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchd), Replaced,[a7aa41b63653be78e8e8f4dbfd0825db]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (ons.mymysearchdial.hmpgUrl", "http://start.mysear), Replaced,[68e9589f9ced53e3636da827d62f34cc]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (ions.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0C), Replaced,[2a27af484c3d3402814f5f70fc09738d]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (//start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEt), Replaced,[2b268d6ab0d9132329a73b9423e2b848]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (ons.mymysearchdial.hmpgUrl", "http://start.mysearchd), Replaced,[99b809ee5d2c9f97636d458aaf56649c]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=1129), Replaced,[ed6464930386bf777a56d5fad92cf907]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1), Replaced,[c48d8a6db8d194a20dc3b916947134cc]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (user_pref("extensions.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");), Replaced,[153cf2053950a096dcf5993619eced13]
PUP.Optional.MySearchDial.A, C:\Users\emartinez\AppData\Roaming\Mozilla\Firefox\Profiles\3r66wha2.default\user.js, Good: (), Bad: (, 2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");
user_pref("extensions.mysearchdial.tlbrSrchUrl", "http://start.mysearchdial.com/?f=3&a=dsites0202&cd=2XzuyEt), Replaced,[470adf18820782b4973a379853b2ee12]
PUP.Optional.MySearch.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (user_pref("extensions.irmysearch.instlRef", "");), Replaced,[6de467904a3fa6903e89715e17eea060]
PUP.Optional.MySearch.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (ons.mymysearchdial.hmpgUrl", "http://start.mysearc), Replaced,[be93c235484187afd7f0dff0fd0852ae]
PUP.Optional.MySearch.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11), Replaced,[96bbc33478118babdaedf2dd62a34fb1]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (user_pref("extensions.mysearchdial.dfltSrch", true);), Replaced,[450c5b9c8efb4beb339d8d4293720af6]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");
u), Replaced,[dc754ea9a7e2290d7a561db201044bb5]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (tAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");
user_pref("extensions.mysearchdial.dfltSrch", true);
user_pref("extensions.mysearchdial.srchPrvdr", 2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCy), Replaced,[ada4ac4be3a686b00cc4c807788dd729]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (ensions.mysearchdial.dfltSrch", true);
user_pref("extension), Replaced,[41106394a5e491a5daf6ad2226df1ce4]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (archdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0), Replaced,[3120fdfafb8ed16504ccb71811f4e020]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (ymysearchdial.hmpgUrl", "http://start.mysearchdial.com), Replaced,[3918d91eafdaac8a29a72ca3887dc43c]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (mymysearchdial.hmpgUrl", "http://start.mysearchdial.com), Replaced,[262b9760acdd11250fc10fc08382f808]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (ymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0Azzt), Replaced,[85cc6196eb9e39fd3c94c00f90753fc1]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (al.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0Fy), Replaced,[67ea2dca0287b68015bb705f3acbef11]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (rchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0Azz), Replaced,[eb666c8b88013ef8339d844b867ffa06]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (earchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0), Replaced,[1d348b6c2c5dfb3bf3dd606f867fe31d]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (mysearchdial.hmpgUrl", "http://start.mysearchdial.com/t), Replaced,[d97810e78009f2445f719b344abb03fd]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (ymysearchdial.hmpgUrl", "http://start.mysearchdial.c), Replaced,[f25f00f79dec0a2cf3dd309fbd486799]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchd), Replaced,[4a076a8d7118d95d2ca4cd02c24326da]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (ons.mymysearchdial.hmpgUrl", "http://start.mysear), Replaced,[e56cb5428306b38319b7b718679ed12f]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (ions.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0C), Replaced,[20313eb95c2dd85efcd4a8276c99e818]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (//start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEt), Replaced,[65ecbf38ccbd55e121afe1ee4fb6cf31]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (ons.mymysearchdial.hmpgUrl", "http://start.mysearchd), Replaced,[3d1438bf781177bf933d913e1ee70ff1]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (s.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=1129), Replaced,[d47dc92eb9d0a195f3dd349b0ef731cf]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1), Replaced,[361bdc1ba7e2092d01cf616edb2ab050]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (user_pref("extensions.mymysearchdial.hmpgUrl", "http://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");), Replaced,[6ce5698e107985b15f72ce01f0153cc4]
PUP.Optional.MySearchDial.A, C:\Users\apiper\AppData\Roaming\Mozilla\Firefox\Profiles\briv3t70.default\user.js, Good: (), Bad: (, 2Y1L1QzuyBtDyBtC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");
user_pref("extensions.mysearchdial.tlbrSrchUrl", "http://start.mysearchdial.com/?f=3&a=dsites0202&cd=2XzuyEt), Replaced,[c28f08ef83061c1a6d643d92b94cb24e]

Physical Sectors: 0
(No malicious items detected)


(end)

Logs from JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Professional x64
Ran by barnold on Thu 01/15/2015 at 14:55:23.95
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\util findright



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\barnnold\AppData\Roaming\systweak"
Successfully deleted: [Folder] "C:\Users\barnold\AppData\Roaming\microsoft\windows\start menu\programs\weather alerts"



~~~ FireFox

Successfully deleted: [File] C:\Users\barnold\AppData\Roaming\mozilla\firefox\profiles\g48mvoox.default\user.js
Successfully deleted: [File] C:\Users\barnold\AppData\Roaming\mozilla\firefox\profiles\g48mvoox.default\invalidprefs.js
Successfully deleted: [File] C:\Users\barnold\AppData\Roaming\mozilla\firefox\profiles\g48mvoox.default\searchplugins\ask-search.xml
Successfully deleted: [File] C:\Users\barnold\AppData\Roaming\mozilla\firefox\profiles\g48mvoox.default\searchplugins\askcom.xml
Successfully deleted: [File] C:\Users\barnold\AppData\Roaming\mozilla\firefox\profiles\g48mvoox.default\searchplugins\askcomsearch.xml
Successfully deleted the following from C:\Users\barnold\AppData\Roaming\mozilla\firefox\profiles\g48mvoox.default\prefs.js

user_pref("extensions.mymysearchdial.hmpgUrl", "hxxp://start.mysearchdial.com/tC0B0C0AzztAyB0FyCyCtC0CyEtN0BtAtDtC1N1R&cr=11295202&ir=");



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 01/15/2015 at 14:58:59.63
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logs from FRST:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-01-2015 01
Ran by barnold (administrator) on W7-INTREX-09 on 15-01-2015 15:00:51
Running from \\CONDUCTOR\RedirectedFolders\barnold\Desktop
Loaded Profiles: barnold (Available profiles: tech & ssmith & barnold & apiper & tech)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Remote Monitoring) C:\Program Files (x86)\Advanced Monitoring Agent GP\winagent.exe
(GFI Software Development Ltd.) C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\lnssatt.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(GFI Software Ltd.) C:\Program Files (x86)\Advanced Monitoring Agent GP\webprotection\WebMon.Agent.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Managed Antivirus) C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMTray.exe
() C:\Program Files (x86)\Advanced Monitoring Agent GP\systray\SysTray.exe
(ThreatTrack Security, Inc.) C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMSvc.exe
(Microsoft Corporation) C:\Windows\System32\proquota.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) \\CONDUCTOR\RedirectedFolders\barnold\Desktop\FRST64.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10810912 2010-05-07] (Realtek Semiconductor)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2013-04-30] (LogMeIn, Inc.)
HKLM\...\Run: [SBRegRebootCleaner] => C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBRC.exe [202648 2013-05-28] (ThreatTrack Security, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [20131121] => C:\Program Files\AVAST Software\Avast Business\setup\emupdate\95515d92-ae33-4bb3-85e3-9ead12fd5506.exe /check
HKLM-x32\...\Run: [AdvancedMonitoringSysTray] => C:\Program Files (x86)\Advanced Monitoring Agent GP\systray\Launcher.exe [291328 2014-04-16] ()
HKLM-x32\...\Run: [SBAMTray] => C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMTray.exe [3232152 2013-05-28] (Managed Antivirus)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-02-26] (Google Inc.)
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [EnableProfileQuota] 1
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [ProfileQuotaMessage] You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [MaxProfileSize] 120000
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [WarnUser] 1
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [WarnUserTimeout] 150
Startup: C:\Users\apiper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> \\W7-intrex-10\c$\Users\apiper\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-3568843429-1778139777-3686794816-1187] => http=127.0.0.1:49540;https=127.0.0.1:49540
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-3568843429-1778139777-3686794816-1187 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP25EP3-11662/webex/ieatgpc1.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.0.3

FireFox:
========
FF ProfilePath: C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3568843429-1778139777-3686794816-1187: @citrixonline.com/appdetectorplugin -> C:\Users\barnold\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\barnold\AppData\Roaming\mozilla\plugins\npatgpc.dll (Cisco WebEx LLC)
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-07-09]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-09-11]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2012-10-17]

Chrome: 
=======
CHR Profile: C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-06]
CHR Extension: (Google Drive) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-06]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-23]
CHR Extension: (YouTube) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-06]
CHR Extension: (Google Search) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-06]
CHR Extension: (Google Wallet) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-06]
CHR Extension: (Gmail) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-06]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Advanced Monitoring Agent; C:\Program Files (x86)\Advanced Monitoring Agent GP\winagent.exe [8373760 2014-11-03] (Remote Monitoring) [File not signed]
R2 gfi_lanss11_attservice; C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\lnssatt.exe [118640 2012-07-17] (GFI Software Development Ltd.)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376168 2014-11-03] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226152 2014-11-03] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2013-04-30] (LogMeIn, Inc.)
R2 MSSQL$QSRNVIVO9; c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\sqlservr.exe [42884448 2010-04-03] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2012-02-08] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2012-02-08] (Hewlett-Packard) [File not signed]
R2 SBAMSvc; C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMSvc.exe [3681016 2013-05-28] (ThreatTrack Security, Inc.)
S4 SQLAgent$QSRNVIVO9; c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\SQLAGENT.EXE [367456 2010-04-03] (Microsoft Corporation)
R2 WebMonAgent; C:\Program Files (x86)\Advanced Monitoring Agent GP\webprotection\WebMon.Agent.exe [1816920 2014-03-26] (GFI Software Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [41032 2013-05-23] (ThreatTrack Security)
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2012-02-13] (GFI Software)
R3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [31264 2013-09-04] (ThreatTrack Security)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-04-30] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
R3 wtismon; C:\Program Files (x86)\Advanced Monitoring Agent GP\webprotection\Interceptor\wtismon.sys [91824 2014-03-26] (GFI Software)
S3 radpms; system32\DRIVERS\radpms.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-15 14:55 - 2015-01-15 14:55 - 00000000 ____D () C:\Windows\ERUNT
2015-01-15 13:06 - 2015-01-15 13:06 - 00046080 _____ () C:\Users\barnold\Downloads\EHS Spending Analysis Y5 - December.xls
2015-01-15 13:05 - 2015-01-15 13:05 - 00071168 _____ () C:\Users\barnold\Downloads\NC PreK Spending Analysis - December.xls
2015-01-15 13:04 - 2015-01-15 13:04 - 00062464 _____ () C:\Users\barnold\Downloads\Spending Analysis-December.xls
2015-01-15 11:28 - 2015-01-15 11:28 - 00000779 _____ () C:\Users\barnold\Downloads\event.ics
2015-01-14 20:03 - 2015-01-14 20:03 - 02191360 _____ () C:\Users\barnold\Downloads\AdwCleaner.exe
2015-01-14 12:42 - 2015-01-15 15:00 - 00000000 ____D () C:\FRST
2015-01-13 17:31 - 2015-01-13 17:31 - 03714048 _____ () C:\Users\barnold\Downloads\grs14 (1).xls
2015-01-13 17:28 - 2015-01-13 17:28 - 03714048 _____ () C:\Users\barnold\Downloads\grs14.xls
2015-01-13 17:26 - 2015-01-13 17:26 - 00006730 _____ () C:\Users\barnold\Downloads\pop.xls
2015-01-13 16:28 - 2015-01-13 16:28 - 00000000 ____D () C:\Users\barnold\AppData\Roaming\TeamViewer
2015-01-13 16:23 - 2015-01-13 16:23 - 436854820 _____ () C:\Windows\MEMORY.DMP
2015-01-13 16:23 - 2015-01-13 16:23 - 00460344 _____ () C:\Windows\Minidump\011315-22542-01.dmp
2015-01-13 16:23 - 2015-01-13 16:23 - 00000000 ____D () C:\Windows\Minidump
2015-01-13 15:34 - 2015-01-13 15:34 - 00380416 _____ () C:\Users\barnold\Downloads\8k4dvvb3.exe
2015-01-07 11:46 - 2013-05-21 11:53 - 00000000 ____D () C:\Users\barnold\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-01-06 09:19 - 2015-01-06 09:19 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-01-05 11:13 - 2015-01-05 11:13 - 00000000 ____D () C:\Users\barnold\AppData\Local\Mendeley Ltd
2015-01-05 11:12 - 2015-01-05 11:12 - 22521632 _____ () C:\Users\barnold\Downloads\Mendeley-Desktop-1.12.4-win32.exe
2014-12-22 15:50 - 2014-12-22 15:50 - 00000000 ____D () C:\Program Files (x86)\TeamViewer

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-15 15:00 - 2014-11-25 15:16 - 00000000 ____D () C:\IT
2015-01-15 14:52 - 2014-12-02 13:16 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-15 14:43 - 2013-02-26 09:30 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-15 14:32 - 2014-02-22 03:27 - 00000000 ____D () C:\Program Files (x86)\Advanced Monitoring Agent GP
2015-01-15 14:15 - 2012-04-05 09:35 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-15 14:11 - 2014-11-04 11:03 - 00000592 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3568843429-1778139777-3686794816-1187.job
2015-01-15 14:03 - 2010-12-17 15:59 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3568843429-1778139777-3686794816-1154UA.job
2015-01-15 13:44 - 2009-07-14 00:13 - 00805640 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-15 13:32 - 2010-12-17 15:41 - 00000120 _____ () C:\Windows\system32\config\netlogon.ftl
2015-01-15 12:03 - 2009-07-13 23:45 - 00014960 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-15 12:03 - 2009-07-13 23:45 - 00014960 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-15 08:43 - 2013-02-26 09:30 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-15 08:39 - 2010-12-16 16:46 - 01431427 _____ () C:\Windows\WindowsUpdate.log
2015-01-15 06:12 - 2014-02-22 06:15 - 00000000 ____D () C:\Windows\Patches
2015-01-14 20:40 - 2014-12-02 13:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-14 20:40 - 2014-12-02 13:14 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-14 20:18 - 2014-01-22 04:10 - 00001004 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2015-01-14 20:18 - 2014-01-22 04:10 - 00000988 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-01-14 20:18 - 2010-12-17 15:39 - 00498000 _____ () C:\Windows\PFRO.log
2015-01-14 20:18 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-14 20:18 - 2009-07-13 23:51 - 00031890 _____ () C:\Windows\setupact.log
2015-01-14 16:24 - 2011-01-05 11:50 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-01-14 16:03 - 2010-12-17 15:59 - 00000868 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3568843429-1778139777-3686794816-1154Core.job
2015-01-14 10:15 - 2012-04-05 09:35 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-14 10:15 - 2012-04-05 09:35 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-14 10:15 - 2011-06-27 08:16 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-14 07:56 - 2014-06-17 15:35 - 00000000 ____D () C:\Users\ekeefe
2015-01-14 07:56 - 2014-05-07 16:28 - 00000000 ____D () C:\Users\tech.domain
2015-01-14 07:56 - 2012-09-20 08:24 - 00000000 ____D () C:\Users\apiper
2015-01-14 07:56 - 2012-04-27 10:56 - 00000000 ____D () C:\Users\emartinez
2015-01-14 07:56 - 2010-12-17 15:44 - 00000000 ____D () C:\Users\ssmith
2015-01-14 07:56 - 2010-12-16 16:46 - 00000000 ____D () C:\Users\tech
2015-01-13 16:28 - 2011-02-08 16:32 - 00005210 __RSH () C:\Users\barnold\ntuser.pol
2015-01-13 16:28 - 2011-02-08 14:26 - 00000000 ____D () C:\Users\barnold
2015-01-13 16:10 - 2011-02-08 14:26 - 00001394 ___SH () C:\Users\barnold\ntuser.ini
2015-01-12 13:18 - 2009-07-14 00:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-01-07 11:41 - 2014-02-25 16:39 - 00000000 ____D () C:\Users\barnold\AppData\Roaming\Managed Antivirus
2015-01-02 05:25 - 2014-11-04 11:03 - 00003624 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3568843429-1778139777-3686794816-1187
2014-12-22 15:50 - 2014-06-03 15:47 - 00001102 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9 Host.lnk

Some content of TEMP:
====================
C:\Users\tech\AppData\Local\Temp\ose00000.exe
C:\Users\barnold\AppData\Local\Temp\6_Offer_16.exe
C:\Users\barnold\AppData\Local\Temp\ApnStub.exe
C:\Users\barnold\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\barnold\AppData\Local\Temp\install_flashplayer11x32axau_gtba_chra_dy_aih[1].exe
C:\Users\barnold\AppData\Local\Temp\install_flashplayer11x32axau_gtba_chra_dy_aih[1]_1.exe
C:\Users\barnold\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_au_aih[1].exe
C:\Users\barnold\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_au_aih[1]_1.exe
C:\Users\barnold\AppData\Local\Temp\install_flashplayer11x32ax_gtba_chra_dy_au_aih[1]_2.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u32-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-6u39-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\barnold\AppData\Local\Temp\setup.exe
C:\Users\barnold\AppData\Local\Temp\System.Data.SQLite.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 07:49

==================== End Of Log ============================

Thanks!


Edited by alpha202ej, 15 January 2015 - 03:07 PM.
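For anyone triaging a log like the one above, the two findings worth checking directly in the registry are the per-user profile-quota values under Policies\System (these are the values the running proquota.exe enforces) and the per-user ProxyServer that points at 127.0.0.1. The script below is an added example for this thread; it is not part of FRST, JRT or any log posted here. It walks every user hive currently loaded under HKEY_USERS and prints those values. The function names are my own; the registry paths are the documented locations of the "Limit profile size" policy, the WinINet proxy settings and the per-user Internet Explorer policy key. It assumes an elevated prompt, and it only sees hives of users who are logged on (an offline hive can be loaded first with `reg load HKU\tmp C:\Users\<name>\NTUSER.DAT`).

```powershell
# Added example for this thread, not part of any posted log or of FRST.
# Enumerates every user hive currently loaded under HKEY_USERS and reports the
# per-user values the FRST log above flagged: the profile-quota policy that
# proquota.exe enforces, a ProxyServer pointing at the local machine, and the
# presence of a per-user Internet Explorer policy key.
# Run from an elevated PowerShell prompt; works on Windows PowerShell 2.0 and later.

$QuotaValueNames = @('EnableProfileQuota', 'MaxProfileSize', 'IncludeRegInProQuota',
                     'WarnUser', 'WarnUserTimeout', 'ProfileQuotaMessage')

# HKU: is not mapped by default; map it so loaded hives can be walked like a folder tree.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function New-Finding($Sid, $Key, $Name, $Value, $Note) {
    # Resolve the SID to an account name so the output is readable at a glance.
    $account = '(unresolved)'
    try {
        $account = (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
                       [System.Security.Principal.NTAccount]).Value
    } catch { }
    New-Object PSObject -Property @{
        Account = $account; SID = $Sid; Key = $Key; Name = $Name; Value = $Value; Note = $Note
    }
}

function Get-UserPolicyFindings {
    # Only real user hives (S-1-5-21-...), skipping the *_Classes companions.
    $hives = Get-ChildItem HKU:\ | Where-Object {
        $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$'
    }
    foreach ($hive in $hives) {
        $sid      = $hive.PSChildName
        $polKey   = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $inetKey  = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $iePolKey = "HKU:\$sid\Software\Policies\Microsoft\Internet Explorer"

        # Profile-quota policy values (the "Limit profile size" setting read by proquota.exe)
        if (Test-Path $polKey) {
            $pol = Get-ItemProperty -Path $polKey
            foreach ($n in $QuotaValueNames) {
                if ($null -ne $pol.$n) {
                    New-Finding $sid $polKey $n $pol.$n 'profile quota policy'
                }
            }
        }

        # A proxy on 127.0.0.1 / localhost / ::1 means a local process sits in front of the browser
        if (Test-Path $inetKey) {
            $inet = Get-ItemProperty -Path $inetKey
            if ($inet.ProxyServer -and $inet.ProxyServer -match '127\.0\.0\.1|localhost|\[::1\]') {
                New-Finding $sid $inetKey 'ProxyServer' $inet.ProxyServer 'loopback proxy'
            }
        }

        # A per-user IE policy key where no GPO defines one is the "Policy restriction" FRST reports
        if (Test-Path $iePolKey) {
            New-Finding $sid $iePolKey '(key present)' '' 'IE policy restriction'
        }
    }
}

Get-UserPolicyFindings | Format-Table Account, Name, Value, Note -AutoSize
```

Run it once, reboot, and run it again: values that come back after being deleted are being rewritten by something at boot or logon. `gpresult /h rsop.html` shows whether Group Policy is the writer; if the resultant policy contains no profile-quota or proxy setting, the next step is Process Monitor with boot logging enabled and a filter on the Policies\System path, which records the process that performs the RegSetValue. Note also that the loopback proxy port (49540 in the log) only matters while whatever listens on it is running, so `netstat -ano | findstr 49540` taken at the same time identifies the listening PID.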


#8 Machiavelli

  • Malware Response Instructor
  • 3,975 posts
  • Location:Germany

Posted 15 January 2015 - 03:11 PM

Hey, :)

Step 1: FRST Fix
  • Please open Notepad.exe. Make sure that you don't use any other software than Notepad.exe!
  • Copy and Paste the content of the codebox below into the empty textfile:

    ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
    ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
    ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
    ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
    HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    ProxyServer: [S-1-5-21-3568843429-1778139777-3686794816-1187] => http=127.0.0.1:49540;https=127.0.0.1:49540
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    EmptyTemp:
  • Then click on File >> Save as
    • File Name: Fixlist.txt
    • From the Save as type drop down list, choose All Files
  • It is very important that you save this textfile on your Desktop!
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe (Note: If FRST advises there is a new updated version to be downloaded, allow this.) and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
Step 2: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.
Step 3: ESET

Please run a free online scan with the ESET Online Scanner:

IMPORTANT: You MUST use Internet Explorer for this step!
  • Visit the ESET Online Scanner Web Page
  • Select the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use and click Start
  • When asked, allow the ActiveX control to install.
  • Select Enable detection of potentially unwanted applications and select Advanced Settings
  • Make sure the options Remove found threats and Enable Anti-Stealth technology are checked
  • Click Start. (This scan can take several hours, so please be patient)
  • Once the scan is completed, select List of found threats
  • Select Export to text file... and save the file as ESETlog.txt on your Desktop
  • Click the Back button.
  • Click the Finish button
  • Use Notepad to open the saved log file (on your Desktop - ESET.txt)
  • Copy and paste that log as a reply to this topic.
Step 4: Question

How is your PC running?

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#9 alpha202ej

alpha202ej
  • Topic Starter

  • Members
  • 6 posts

Posted 15 January 2015 - 08:20 PM

Hi,

 

1. Fixlist.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-01-2015 01
Ran by barnold at 2015-01-15 15:25:21 Run:1
Running from \\CONDUCTOR\RedirectedFolders\jsotolongo\Desktop
Loaded Profile: barnold (Available profiles: tech & tech & barnold & apiper & tech)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-3568843429-1778139777-3686794816-1187] => http=127.0.0.1:49540;https=127.0.0.1:49540
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
EmptyTemp:
*****************

"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => Key deleted successfully.
HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => Key deleted successfully.
HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => Key deleted successfully.
HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4" => Key deleted successfully.
HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => Key not found. 
"HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
EmptyTemp: => Removed 3.4 GB temporary data.


The system needed a reboot. 

==== End of Fixlog 15:26:37 ====

2. FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-01-2015 01
Ran by barnold (administrator) on W7-INTREX-09 on 15-01-2015 15:40:47
Running from \\CONDUCTOR\RedirectedFolders\barnold\Desktop
Loaded Profiles: barnold (Available profiles: tech & ssmith & barnold & apiper & tech)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Remote Monitoring) C:\Program Files (x86)\Advanced Monitoring Agent GP\winagent.exe
(GFI Software Development Ltd.) C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\lnssatt.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(GFI Software Ltd.) C:\Program Files (x86)\Advanced Monitoring Agent GP\webprotection\WebMon.Agent.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(ThreatTrack Security, Inc.) C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Desktop.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(Managed Antivirus) C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMTray.exe
() C:\Program Files (x86)\Advanced Monitoring Agent GP\systray\SysTray.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Windows\System32\proquota.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_16_0_0_257_ActiveX.exe
() C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
() C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) \\CONDUCTOR\RedirectedFolders\barnold\Desktop\FRST64.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10810912 2010-05-07] (Realtek Semiconductor)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2013-04-30] (LogMeIn, Inc.)
HKLM\...\Run: [SBRegRebootCleaner] => C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBRC.exe [202648 2013-05-28] (ThreatTrack Security, Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [20131121] => C:\Program Files\AVAST Software\Avast Business\setup\emupdate\95515d92-ae33-4bb3-85e3-9ead12fd5506.exe /check
HKLM-x32\...\Run: [AdvancedMonitoringSysTray] => C:\Program Files (x86)\Advanced Monitoring Agent GP\systray\Launcher.exe [291328 2014-04-16] ()
HKLM-x32\...\Run: [SBAMTray] => C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMTray.exe [3232152 2013-05-28] (Managed Antivirus)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-02-26] (Google Inc.)
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [EnableProfileQuota] 1
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [ProfileQuotaMessage] You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [MaxProfileSize] 120000
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [WarnUser] 1
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\...\Policies\system: [WarnUserTimeout] 150
Startup: C:\Users\apiper\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> \\W7-intrex-10\c$\Users\apiper\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\Software\Microsoft\Internet Explorer\Main,Start Page = http://companyweb
HKU\S-1-5-21-3568843429-1778139777-3686794816-1187\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-3568843429-1778139777-3686794816-1187 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP25EP3-11662/webex/ieatgpc1.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.0.3

FireFox:
========
FF ProfilePath: C:\Users\barnold\AppData\Roaming\Mozilla\Firefox\Profiles\g48mvoox.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3568843429-1778139777-3686794816-1187: @citrixonline.com/appdetectorplugin -> C:\Users\barnold\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\barnold\AppData\Roaming\mozilla\plugins\npatgpc.dll (Cisco WebEx LLC)
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-07-09]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-09-11]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2012-10-17]

Chrome: 
=======
CHR Profile: C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-06]
CHR Extension: (Google Drive) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-06]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-23]
CHR Extension: (YouTube) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-06]
CHR Extension: (Google Search) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-06]
CHR Extension: (Google Wallet) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-06]
CHR Extension: (Gmail) - C:\Users\barnold\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-06]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Advanced Monitoring Agent; C:\Program Files (x86)\Advanced Monitoring Agent GP\winagent.exe [8373760 2014-11-03] (Remote Monitoring) [File not signed]
R2 gfi_lanss11_attservice; C:\Program Files (x86)\Advanced Monitoring Agent GP\patchman\lnssatt.exe [118640 2012-07-17] (GFI Software Development Ltd.)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376168 2014-11-03] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226152 2014-11-03] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2013-04-30] (LogMeIn, Inc.)
R2 MSSQL$QSRNVIVO9; c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\sqlservr.exe [42884448 2010-04-03] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2012-02-08] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2012-02-08] (Hewlett-Packard) [File not signed]
R2 SBAMSvc; C:\Program Files (x86)\Advanced Monitoring Agent GP\managedav\SBAMSvc.exe [3681016 2013-05-28] (ThreatTrack Security, Inc.)
S4 SQLAgent$QSRNVIVO9; c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.QSRNVIVO9\MSSQL\Binn\SQLAGENT.EXE [367456 2010-04-03] (Microsoft Corporation)
R2 WebMonAgent; C:\Program Files (x86)\Advanced Monitoring Agent GP\webprotection\WebMon.Agent.exe [1816920 2014-03-26] (GFI Software Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [41032 2013-05-23] (ThreatTrack Security)
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2012-02-13] (GFI Software)
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [31264 2013-09-04] (ThreatTrack Security)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-04-30] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
R3 wtismon; C:\Program Files (x86)\Advanced Monitoring Agent GP\webprotection\Interceptor\wtismon.sys [91824 2014-03-26] (GFI Software)
S3 radpms; system32\DRIVERS\radpms.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-15 15:39 - 2015-01-15 15:39 - 00000000 ___HD () C:\Windows\AxInstSV
2015-01-15 15:39 - 2015-01-15 15:39 - 00000000 ____D () C:\Program Files (x86)\ESET
2015-01-15 14:55 - 2015-01-15 14:55 - 00000000 ____D () C:\Windows\ERUNT
2015-01-15 13:06 - 2015-01-15 13:06 - 00046080 _____ () C:\Users\barnold\Downloads\EHS Spending Analysis Y5 - December.xls
2015-01-15 13:05 - 2015-01-15 13:05 - 00071168 _____ () C:\Users\barnold\Downloads\NC PreK Spending Analysis - December.xls
2015-01-15 13:04 - 2015-01-15 13:04 - 00062464 _____ () C:\Users\barnold\Downloads\Spending Analysis-December.xls
2015-01-15 11:28 - 2015-01-15 11:28 - 00000779 _____ () C:\Users\barnold\Downloads\event.ics
2015-01-14 20:03 - 2015-01-14 20:03 - 02191360 _____ () C:\Users\barnold\Downloads\AdwCleaner.exe
2015-01-14 12:42 - 2015-01-15 15:40 - 00000000 ____D () C:\FRST
2015-01-13 17:31 - 2015-01-13 17:31 - 03714048 _____ () C:\Users\barnold\Downloads\grs14 (1).xls
2015-01-13 17:28 - 2015-01-13 17:28 - 03714048 _____ () C:\Users\barnold\Downloads\grs14.xls
2015-01-13 17:26 - 2015-01-13 17:26 - 00006730 _____ () C:\Users\barnold\Downloads\pop.xls
2015-01-13 16:28 - 2015-01-13 16:28 - 00000000 ____D () C:\Users\barnold\AppData\Roaming\TeamViewer
2015-01-13 16:23 - 2015-01-13 16:23 - 436854820 _____ () C:\Windows\MEMORY.DMP
2015-01-13 16:23 - 2015-01-13 16:23 - 00460344 _____ () C:\Windows\Minidump\011315-22542-01.dmp
2015-01-13 16:23 - 2015-01-13 16:23 - 00000000 ____D () C:\Windows\Minidump
2015-01-13 15:34 - 2015-01-13 15:34 - 00380416 _____ () C:\Users\barnold\Downloads\8k4dvvb3.exe
2015-01-07 11:46 - 2013-05-21 11:53 - 00000000 ____D () C:\Users\barnold\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-01-06 09:19 - 2015-01-06 09:19 - 00003886 _____ () C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2015-01-05 11:13 - 2015-01-05 11:13 - 00000000 ____D () C:\Users\barnold\AppData\Local\Mendeley Ltd
2015-01-05 11:12 - 2015-01-05 11:12 - 22521632 _____ () C:\Users\barnold\Downloads\Mendeley-Desktop-1.12.4-win32.exe
2014-12-22 15:50 - 2014-12-22 15:50 - 00000000 ____D () C:\Program Files (x86)\TeamViewer

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-15 15:38 - 2009-07-13 23:45 - 00014960 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-15 15:38 - 2009-07-13 23:45 - 00014960 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-15 15:35 - 2014-02-22 03:27 - 00000000 ____D () C:\Program Files (x86)\Advanced Monitoring Agent GP
2015-01-15 15:35 - 2013-02-26 09:30 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-15 15:35 - 2010-12-17 15:41 - 00000120 _____ () C:\Windows\system32\config\netlogon.ftl
2015-01-15 15:29 - 2014-01-22 04:10 - 00001004 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2015-01-15 15:29 - 2014-01-22 04:10 - 00000988 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-01-15 15:29 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-15 15:29 - 2009-07-13 23:51 - 00031946 _____ () C:\Windows\setupact.log
2015-01-15 15:28 - 2011-02-08 14:26 - 00001394 ___SH () C:\Users\barnold\ntuser.ini
2015-01-15 15:28 - 2011-01-05 11:50 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-01-15 15:28 - 2010-12-16 16:46 - 01440436 _____ () C:\Windows\WindowsUpdate.log
2015-01-15 15:15 - 2012-04-05 09:35 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-15 15:11 - 2014-11-04 11:03 - 00000592 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3568843429-1778139777-3686794816-1187.job
2015-01-15 15:03 - 2010-12-17 15:59 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3568843429-1778139777-3686794816-1154UA.job
2015-01-15 15:00 - 2014-11-25 15:16 - 00000000 ____D () C:\IT
2015-01-15 14:52 - 2014-12-02 13:16 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-15 14:43 - 2013-02-26 09:30 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-15 13:44 - 2009-07-14 00:13 - 00805640 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-15 06:12 - 2014-02-22 06:15 - 00000000 ____D () C:\Windows\Patches
2015-01-14 20:40 - 2014-12-02 13:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-14 20:40 - 2014-12-02 13:14 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-14 20:18 - 2010-12-17 15:39 - 00498000 _____ () C:\Windows\PFRO.log
2015-01-14 16:03 - 2010-12-17 15:59 - 00000868 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3568843429-1778139777-3686794816-1154Core.job
2015-01-14 10:15 - 2012-04-05 09:35 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-14 10:15 - 2012-04-05 09:35 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-14 10:15 - 2011-06-27 08:16 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-14 07:56 - 2014-06-17 15:35 - 00000000 ____D () C:\Users\ekeefe
2015-01-14 07:56 - 2014-05-07 16:28 - 00000000 ____D () C:\Users\tech.domain
2015-01-14 07:56 - 2012-09-20 08:24 - 00000000 ____D () C:\Users\apiper
2015-01-14 07:56 - 2012-04-27 10:56 - 00000000 ____D () C:\Users\emartinnez
2015-01-14 07:56 - 2010-12-17 15:44 - 00000000 ____D () C:\Users\ssmith
2015-01-14 07:56 - 2010-12-16 16:46 - 00000000 ____D () C:\Users\tech
2015-01-13 16:28 - 2011-02-08 16:32 - 00005210 __RSH () C:\Users\barnold\ntuser.pol
2015-01-13 16:28 - 2011-02-08 14:26 - 00000000 ____D () C:\Users\barnold
2015-01-12 13:18 - 2009-07-14 00:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-01-07 11:41 - 2014-02-25 16:39 - 00000000 ____D () C:\Users\barnold\AppData\Roaming\Managed Antivirus
2015-01-02 05:25 - 2014-11-04 11:03 - 00003624 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3568843429-1778139777-3686794816-1187
2014-12-22 15:50 - 2014-06-03 15:47 - 00001102 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9 Host.lnk

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 07:49

==================== End Of Log ============================

3. ESET didn't find anything and I wasn't given an option to pull a log.

 

4. How is your computer running? No complaints with the computer's performance. I did have an issue recently where it blue screened during shutdown on a reboot. Other than that and the profile limitation, it has been performing as expected.

 

Thanks!
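
The FRST "Registry (Whitelisted)" section in this post shows the per-user policy values (EnableProfileQuota, MaxProfileSize, WarnUser, WarnUserTimeout, ProfileQuotaMessage) that proquota.exe enforces, next to an Internet Explorer policy restriction and a ProxyServer value pointing at 127.0.0.1. As an added example that is not part of this thread and not FRST's own code, the Python helper below parses FRST-style registry lines and flags exactly those three things; the sample lines follow the format quoted above but use a placeholder SID, and the last ProxyServer line is a made-up non-loopback control.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the format of the FRST "Registry (Whitelisted)" and
# "Internet (Whitelisted)" sections quoted in this thread. The SID is a
# placeholder and the last ProxyServer line is a made-up non-loopback control.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10810912 2010-05-07] (Realtek Semiconductor)
HKU\S-1-5-21-EXAMPLE-1187\...\Policies\system: [EnableProfileQuota] 1
HKU\S-1-5-21-EXAMPLE-1187\...\Policies\system: [ProfileQuotaMessage] You have exceeded your profile storage space.
HKU\S-1-5-21-EXAMPLE-1187\...\Policies\system: [MaxProfileSize] 120000
HKU\S-1-5-21-EXAMPLE-1187\...\Policies\system: [WarnUser] 1
HKU\S-1-5-21-EXAMPLE-1187\...\Policies\system: [WarnUserTimeout] 150
HKU\S-1-5-21-EXAMPLE-1187\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-EXAMPLE-1187] => http=127.0.0.1:49540;https=127.0.0.1:49540
ProxyServer: [S-1-5-21-EXAMPLE-1154] => proxy.corp.example:8080
"""

# FRST shortens HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Policies\System
# to "HKU\<SID>\...\Policies\system". These value names (all quoted in the log
# above) are what the "Limit profile size" user policy writes there and what
# proquota.exe enforces at logon/logoff.
PROFILE_QUOTA_VALUES = {
    "enableprofilequota", "maxprofilesize", "profilequotamessage",
    "warnuser", "warnusertimeout",
}

POLICY_RE = re.compile(
    r"^HKU\\(?P<sid>S-1-5-21-[^\\]+)\\\.\.\.\\Policies\\system: "
    r"\[(?P<name>[^\]]+)\]\s?(?P<data>.*)$",
    re.IGNORECASE,
)
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>[^\]]+)\] => (?P<data>.*)$")
RESTRICTION_RE = re.compile(
    r"^(?P<key>HKU\\(?P<sid>S-1-5-21-[^\\]+)\\[^:]+): Policy restriction"
)


def host_of(endpoint: str) -> str:
    """Strip an optional port from 'host:port', '[v6]:port' or a bare host."""
    if endpoint.startswith("["):            # bracketed IPv6 with a port
        return endpoint[1:endpoint.index("]")]
    if endpoint.count(":") == 1:            # host:port
        return endpoint.split(":", 1)[0]
    return endpoint                         # bare hostname or bare IPv6


def is_loopback(endpoint: str) -> bool:
    """True if a proxy endpoint points back at the local machine."""
    host = host_of(endpoint).strip()
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                      # a hostname, not an address
        return False


def proxy_endpoints(data: str) -> List[str]:
    """Split 'http=h:p;https=h:p' or a bare 'h:p' into endpoint strings."""
    parts = [p.strip() for p in data.split(";") if p.strip()]
    return [p.split("=", 1)[1] if "=" in p else p for p in parts]


def triage_frst_lines(text: str) -> List[Dict[str, str]]:
    """Flag profile-quota values, IE policy restrictions and loopback proxies."""
    findings: List[Dict[str, str]] = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = POLICY_RE.match(line)
        if m:
            if m.group("name").lower() in PROFILE_QUOTA_VALUES:
                findings.append({"kind": "profile_quota", "sid": m.group("sid"),
                                 "name": m.group("name"), "data": m.group("data")})
            continue
        m = PROXY_RE.match(line)
        if m:
            loop = [e for e in proxy_endpoints(m.group("data")) if is_loopback(e)]
            if loop:
                findings.append({"kind": "loopback_proxy", "sid": m.group("sid"),
                                 "name": "ProxyServer", "data": ";".join(loop)})
            continue
        m = RESTRICTION_RE.match(line)
        if m:
            findings.append({"kind": "policy_restriction", "sid": m.group("sid"),
                             "name": m.group("key"), "data": ""})
    return findings


def quota_limit_kb(findings: List[Dict[str, str]], sid: str) -> Optional[int]:
    """MaxProfileSize (stored by the policy in KB) for a SID whose quota is on."""
    values = {f["name"].lower(): f["data"] for f in findings
              if f["kind"] == "profile_quota" and f["sid"] == sid}
    if values.get("enableprofilequota") != "1":
        return None
    try:
        return int(values["maxprofilesize"])
    except (KeyError, ValueError):
        return None
```

Passing the text of a saved FRST.txt to triage_frst_lines gives the same per-SID view for a real log, which shows which user hive carries the quota values before deciding what to put in a fixlist.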



#10 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,975 posts
  • Gender:Male
  • Location:Germany

Posted 16 January 2015 - 08:03 AM

Hello,
in my opinion your PC is clean. :) If you would like to donate some money to me so that I can buy some beer, then click on the PayPal button. I'd really appreciate it, my friend. :)


We need to remove the tools we've used during cleaning your machine.
  • Download Delfix from here and run it (If you have Windows Vista / Windows 7 / Windows 8 please do a Right click on the Delfix icon and select Run as Administrator).
  • Ensure Remove disinfection tools is ticked
    Also tick:
    • Create registry backup
    • Purge system restore
  • Click Run
The program will run for a few moments and then Notepad will open with a log. Please paste the log in your next reply.

Exercise common sense

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to look before you leap. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully and look at the file extensions to make sure that you know what you're getting. Using peer-to-peer file sharing programs or downloading cracks and keygens is something else to avoid - the files you will be downloading are infected in the vast majority of cases, and the benefits simply aren't worth the risk to your computer.

Keep up on Windows updates

Along with keeping all of the security programs that you choose to use updated, it is also important to keep up on system updates from Microsoft, as these patch critical security vulnerabilities and help to keep you safe. Typically the Windows Update icon will appear in your taskbar when new updates are available; whenever you see it, you should open the menu up and install the updates that are available. Although it may be an annoyance, that little bit of extra time it takes to stay updated is very well worth it instead of getting infected from an exploit and having to clean your PC again.

Slow computer?

If your computer begins to slow down again in the future for no particular reason, your first step should not be to come back to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance speed can decrease. To restore your computer's performance to its best possible level, follow the steps in this guide written by tech expert Artellos.

Keep Safe! :thumbsup:

~Machiavelli



#11 alpha202ej

alpha202ej
  • Topic Starter

  • Members
  • 6 posts

Posted 16 January 2015 - 04:22 PM

Donation = Done (enjoy!)

 

Quick question for you. If you had to take a guess, what could be causing it?

 

Thanks again!

Eric



#12 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,975 posts
  • Gender:Male
  • Location:Germany

Posted 16 January 2015 - 04:51 PM

Hey,
many, many thanks for the donation. Look at what MBAM found ... I think the threats which MBAM found may have caused your problems. :)

Any further questions before I close this topic as solved?

~Machiavelli



#13 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,975 posts
  • Gender:Male
  • Location:Germany

Posted 20 January 2015 - 11:37 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

~Machiavelli





