PTTD after infection with Trojan.poweliks, Trojan.generic, fakeMS...


  • This topic is locked
17 replies to this topic

#1 dlasko

  • Members
  • 16 posts
  • Gender:Female
  • Location:Durham, NC

Posted 19 January 2015 - 08:40 PM

PTTD: Post Traumatic Trojan Disorder
Several weeks ago, I got attacked after something slipped past the resident McAfee. No popups, but my computer was running very slow, clicking on files would not open them, Running Processes showed numerous host DLLs, the internet kept restarting, and the cursor was always thinking and moving on its own. I ran several full scans (NOT in safe mode). MBAM found Trojan.generic, SAS found Trojan.fakeMS and clicker.FMS, Beta MBAR found Trojan.poweliks, and McAfee found nothing. My computer seems to be OK now, but I still think something is lurking, with the refresh of paging while on the internet.


Just a few of many concerns: 

setbj in startup programs (disabled a year ago due to another event); I don't know how to delete it, or whether I should.

R3 - URLSearchHook: (no name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - (no file)

Regedit: a Windows software entry with numbers and then the data Houdsodu!Rdbtshux; not sure if I should delete the main entry.

Microsoft Office14 (HijackThis log), which I don't have.


I followed the prep guide before posting. I hope the page is not out of date (2005).

Backup of data

McAfee shows firewall enabled


My computer:

Microsoft Windows 7 Home Premium

Version 6.1.7601 Service Pack 1 Build 7601

LENOVO IdeaCentre K330B x64-based PC

Intel® Core™ i3-2120 CPU @ 3.30GHz, 3300 Mhz, 2 Core(s), 4 Logical Processor(s)

LENOVO DPKT21A, 8/8/2011

SMBIOS Version               2.6

Installed Physical Memory (RAM) 6.00 GB

Total Physical Memory 5.85 GB

Available Physical Memory 1.98 GB

Total Virtual Memory 11.7 GB

Available Virtual Memory 6.51 GB


My DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 11.0.9600.17496  BrowserJavaVersion: 11.25.2

Run by Denise at 19:36:04 on 2015-01-19

Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5992.2271 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}

SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}

.

============== Running Processes ===============

.

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe

C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe

C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe

C:\windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe

C:\Windows\jmesoft\Service.exe

C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe

C:\windows\system32\mfevtps.exe

C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe

C:\windows\System32\svchost.exe -k HPZ12

C:\windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\windows\SysWOW64\rundll32.exe

C:\windows\system32\rundll32.exe

C:\Program Files\McAfee\MSC\McAPExe.exe

C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE

C:\windows\system32\SearchIndexer.exe

C:\windows\System32\alg.exe

C:\windows\system32\svchost.exe -k HPService

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\windows\System32\WUDFHost.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

C:\windows\system32\Dwm.exe

C:\windows\system32\taskhost.exe

C:\windows\Explorer.EXE

C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe

C:\Windows\jmesoft\hotkey.exe

C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe

C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe

C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe

C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe

C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe

C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

C:\Program Files (x86)\Common Files\AOL\1350170060\ee\aolsoftware.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe

C:\Program Files (x86)\Citrix\ICA Client\concentr.exe

C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe

C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\windows\System32\svchost.exe -k secsvcs

H:\Scanners\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\windows\system32\Macromed\Flash\FlashUtil64_16_0_0_257_ActiveX.exe

c:\PROGRA~2\mcafee\SITEAD~1\saui.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\windows\system32\svchost.exe -k SDRSVC

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\McAfee\Platform\mcuicnt.exe

C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe

C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

C:\windows\splwow64.exe

C:\windows\system32\vssvc.exe

C:\windows\System32\svchost.exe -k swprv

C:\windows\system32\wbem\wmiprvse.exe

C:\windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.wraltv.com/

mStart Page = about:blank

uURLSearchHooks: {D8278076-BC68-4484-9233-6E7F1628B56C} - <orphaned>

mWinlogon: Userinit = userinit.exe,

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>

BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll

BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll

BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll

EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll

EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll

uRun: [GarminExpressTrayApp] "C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe"

uRun: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRunOnce: [Adobe Speed Launcher] 1421241292

mRun: [jmekey] C:\windows\jmesoft\hotkey.exe

mRun: [jmesoft] C:\Windows\jmesoft\ServiceLoader.exe

mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"

mRun: [ModeSwitch] "C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe" /AutoRun

mRun: [Lenovo Dynamic Brightness System] C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe 1

mRun: [Lenovo Eye Distance System] C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe 1

mRun: [CLMLServer] "C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe"

mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Lenovo\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"

mRun: [UpdatePRCShortCut] "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System" UpdateWithCreateOnce "Software\Lenovo\OneKey App\OneKey Recovery"

mRun: [SetDefaultSCR] C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe

mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun: [HostManager] C:\Program Files (x86)\Common Files\AOL\1350170060\ee\AOLSoftware.exe

mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [mcpltui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup

mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\IMAGEB~1.LNK - C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: Add to Google Photos Screensa&ver - C:\windows\System32\GPhotos.scr/200

IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab

DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} - hxxp://ak.imgag.com/imgag/cp/install/Crusher.cab

DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.9.0.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {FAA26872-BB40-4AB2-8A6D-A49183581AAA} - hxxp://70.62.103.178:5002/user/TSBnwCam.CAB

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{799B6FBD-DAD4-4BAE-BC16-55CFB55783D0} : DHCPNameServer = 192.168.1.1

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - C:\Program Files (x86)\Microsoft\Outlook Web Access SMIME Client\mimectl.dll

SSODL: WebCheck - <orphaned>

x64-mStart Page = about:blank

x64-mWinlogon: Userinit = userinit.exe,

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-BHO: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll

x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL

x64-TB: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

x64-Run: [Lenovo EE Boot Optimizer] D.EXE

x64-Run: [IgfxTray] DOWS\SYSTEM32\IGFXTRAY.EXE

x64-Run: [HotKeysCmds] DOWS\SYSTEM32\HKCMD.EXE

x64-Run: [Persistence] DOWS\SYSTEM32\IGFXPERS.EXE

x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll

x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll

x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

x64-Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll

x64-Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Denise\AppData\Roaming\Mozilla\Firefox\Profiles\diglugkx.default\

FF - prefs.js: browser.search.selectedEngine - Secure Search

FF - prefs.js: browser.startup.homepage - www.wral.com

FF - prefs.js: keyword.URL - hxxps://search.yahoo.com/search?fr=mcafee&type=B111US714D20120322&p=

FF - plugin: c:\PROGRA~2\mcafee\msc\npMcSnFFPl.dll

FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101721.dll

FF - plugin: C:\Program Files (x86)\Canon\MyCamera Download Plugin\NPCIG.dll

FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\windows\SysWOW64\Adobe\Director\np32dsw_1205146.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll

.

============= SERVICES / DRIVERS ===============

.

R0 fbfmon;fbfmon;C:\windows\System32\drivers\fbfmon.sys [2011-9-3 57952]

R0 mfehidk;McAfee Inc. mfehidk;C:\windows\System32\drivers\mfehidk.sys [2010-1-5 786296]

R0 mfewfpk;McAfee Inc. mfewfpk;C:\windows\System32\drivers\mfewfpk.sys [2012-3-22 348552]

R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2011-9-3 55280]

R0 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;C:\windows\System32\drivers\ddcdrv.sys [2011-9-3 20832]

R1 BPntDrv;BPntDrv;C:\windows\System32\drivers\BPntDrv.sys [2011-9-3 13408]

R1 ctxusbm;Citrix USB Monitor Driver;C:\windows\System32\drivers\ctxusbm.sys [2012-3-19 89536]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2014-7-22 172344]

R2 ADExchange;ArcSoft Exchange Service;C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe [2012-3-19 43072]

R2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [2010-8-30 96752]

R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2013-4-22 822504]

R2 DeviceMonitorService;DeviceMonitorService;C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe [2011-6-16 87368]

R2 Garmin Core Update Service;Garmin Core Update Service;C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [2014-7-23 438616]

R2 HomeNetSvc;McAfee Home Network;C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [2013-12-30 328928]

R2 HPSupportSolutionsFrameworkService;HP Support Solutions Framework Service;C:\Program Files (x86)\HP\Common\HPSupportSolutionsFrameworkService.exe [2014-12-11 89864]

R2 JME Keyboard;JME Keyboard Driver;C:\Windows\jmesoft\Service.exe [2011-9-3 32768]

R2 LenovoCOMSvc;LenovoCOMService;C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe [2011-9-3 49152]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe [2015-1-13 154320]

R2 McAPExe;McAfee AP Service;C:\Program Files\McAfee\MSC\McAPExe.exe [2013-12-30 178528]

R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [2013-12-30 328928]

R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [2013-12-30 328928]

R2 mcpltsvc;McAfee Platform Services;C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [2013-12-30 328928]

R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [2013-12-30 328928]

R2 mfecore;McAfee Anti-Malware Core;C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe [2013-12-30 1041192]

R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2012-3-22 219752]

R2 mfevtp;McAfee Validation Trust Protection Service;C:\windows\System32\mfevtps.exe [2012-3-22 189912]

R2 MotoHelper;MotoHelper Service;C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-12-6 214896]

R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2013-6-26 523944]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-9-3 2655768]

R3 cfwids;McAfee Inc. cfwids;C:\windows\System32\drivers\cfwids.sys [2012-3-22 72128]

R3 IntcDAud;Intel® Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2011-12-6 331264]

R3 LitModeCtrl;LitModeCtrl;C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe [2011-9-3 81920]

R3 mfeavfk;McAfee Inc. mfeavfk;C:\windows\System32\drivers\mfeavfk.sys [2012-3-22 313544]

R3 mfefirek;McAfee Inc. mfefirek;C:\windows\System32\drivers\mfefirek.sys [2012-3-22 523792]

R3 mfencbdc;McAfee Inc. mfencbdc;C:\windows\System32\drivers\mfencbdc.sys [2014-8-20 445512]

R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\windows\System32\drivers\nusb3hub.sys [2010-9-30 80384]

R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\windows\System32\drivers\nusb3xhc.sys [2010-9-30 180736]

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2011-9-3 247400]

R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\windows\System32\drivers\rtl8192ce.sys [2011-9-3 947304]

R3 Sftfs;Sftfs;C:\windows\System32\drivers\Sftfslh.sys [2013-6-26 767144]

R3 Sftplay;Sftplay;C:\windows\System32\drivers\Sftplaylh.sys [2013-6-26 273576]

R3 Sftredir;Sftredir;C:\windows\System32\drivers\Sftredirlh.sys [2013-6-26 28840]

R3 Sftvol;Sftvol;C:\windows\System32\drivers\Sftvollh.sys [2013-6-26 23208]

R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2013-6-26 207528]

S2 0292181421536686mcinstcleanup;McAfee Application Installer Cleanup (0292181421536686);C:\windows\TEMP\029218~1.EXE -cleanup -nolog --> C:\windows\TEMP\029218~1.EXE -cleanup -nolog [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]

S3 BTCFilterService;USB Networking Driver Filter Service;C:\windows\System32\drivers\motfilt.sys [2009-1-29 6144]

S3 HipShieldK;McAfee Inc. HipShieldK;C:\windows\System32\drivers\HipShieldK.sys [2014-4-22 197704]

S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\windows\System32\ieetwcollector.exe [2014-12-10 114688]

S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [2014-4-9 289256]

S3 mfencrk;McAfee Inc. mfencrk;C:\windows\System32\drivers\mfencrk.sys [2014-8-20 96592]

S3 motandroidusb;Mot ADB Interface Driver;C:\windows\System32\drivers\motoandroid.sys [2009-7-10 31744]

S3 motccgp;Motorola USB Composite Device Driver;C:\windows\System32\drivers\motccgp.sys [2011-4-4 21504]

S3 motccgpfl;MotCcgpFlService;C:\windows\System32\drivers\motccgpfl.sys [2009-1-29 9216]

S3 Motousbnet;Motorola USB Networking Driver Service;C:\windows\System32\drivers\Motousbnet.sys [2010-4-1 26624]

S3 motusbdevice;Motorola USB Dev Driver;C:\windows\System32\drivers\motusbdevice.sys [2011-11-8 11776]

S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-1-24 1255736]

S3 wsvd;wsvd;C:\windows\System32\drivers\wsvd.sys [2009-7-21 121840]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\windows\System32\drivers\yk62x64.sys [2009-6-10 389120]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2015-01-19 20:15:29        --------   dc----w-               C:\Users\Denise\AppData\Local\MigWiz

2015-01-16 10:26:06        75888    ----a-w-                C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C394C6D4-0614-473F-BBBB-1A8B0F762DCF}\offreg.dll

2015-01-16 09:40:35        11870360             ----a-w-                C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{C394C6D4-0614-473F-BBBB-1A8B0F762DCF}\mpengine.dll

2015-01-15 04:44:29        11870360             ----a-w-                C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2014-12-21 23:07:52        --------   d-----w-                C:\Users\Denise\AppData\Local\Hewlett-Packard

2014-12-21 22:24:24        --------   d-----w-                C:\Users\Denise\AppData\Local\{5EE7B061-B72A-4C00-B4D5-92CE8AEDC742}

.

==================== Find3M  ====================

.

2015-01-18 06:14:56        129752  ----a-w-                C:\windows\System32\drivers\MBAMSwissArmy.sys

2015-01-14 07:40:06        71344    ----a-w-                C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2015-01-14 07:40:06        701616  ----a-w-                C:\windows\SysWow64\FlashPlayerApp.exe

2015-01-12 05:35:34        96472    ----a-w-                C:\windows\System32\drivers\mbamchameleon.sys

2015-01-08 14:55:52        298120  ------w- C:\windows\System32\MpSigStub.exe

2014-12-19 03:06:55        210432  ----a-w-                C:\windows\System32\profsvc.dll

2014-12-19 01:46:45        141312  ----a-w-                C:\windows\System32\drivers\mrxdav.sys

2014-12-13 05:09:01        144384  ----a-w-                C:\windows\System32\ieUnatt.exe

2014-12-13 03:33:44        115712  ----a-w-                C:\windows\SysWow64\ieUnatt.exe

2014-12-12 05:35:10        5553592                ----a-w-                C:\windows\System32\ntoskrnl.exe

2014-12-12 05:31:49        503808  ----a-w-                C:\windows\System32\srcore.dll

2014-12-12 05:31:49        50176    ----a-w-                C:\windows\System32\srclient.dll

2014-12-12 05:31:22        296960  ----a-w-                C:\windows\System32\rstrui.exe

2014-12-12 05:11:44        3971512                ----a-w-                C:\windows\SysWow64\ntkrnlpa.exe

2014-12-12 05:11:43        3916728                ----a-w-                C:\windows\SysWow64\ntoskrnl.exe

2014-12-12 05:07:44        43008    ----a-w-                C:\windows\SysWow64\srclient.dll

2014-12-11 17:47:12        52736    ----a-w-                C:\windows\System32\TSWbPrxy.exe

2014-12-06 04:17:27        303616  ----a-w-                C:\windows\System32\nlasvc.dll

2014-12-06 03:50:19        52224    ----a-w-                C:\windows\SysWow64\nlaapi.dll

2014-12-06 03:50:18        156672  ----a-w-                C:\windows\SysWow64\ncsi.dll

2014-11-22 03:06:23        2724864                ----a-w-                C:\windows\System32\mshtml.tlb

2014-11-22 03:06:11        4096       ----a-w-                C:\windows\System32\ieetwcollectorres.dll

2014-11-22 02:50:39        66560    ----a-w-                C:\windows\System32\iesetup.dll

2014-11-22 02:50:10        580096  ----a-w-                C:\windows\System32\vbscript.dll

2014-11-22 02:49:54        48640    ----a-w-                C:\windows\System32\ieetwproxystub.dll

2014-11-22 02:48:20        88064    ----a-w-                C:\windows\System32\MshtmlDac.dll

2014-11-22 02:35:29        114688  ----a-w-                C:\windows\System32\ieetwcollector.exe

2014-11-22 02:34:51        814080  ----a-w-                C:\windows\System32\jscript9diag.dll

2014-11-22 02:34:07        6039552                ----a-w-                C:\windows\System32\jscript9.dll

2014-11-22 02:26:31        968704  ----a-w-                C:\windows\System32\MsSpellCheckingFacility.exe

2014-11-22 02:20:44        2724864                ----a-w-                C:\windows\SysWow64\mshtml.tlb

2014-11-22 02:14:16        77824    ----a-w-                C:\windows\System32\JavaScriptCollectionAgent.dll

2014-11-22 02:07:43        501248  ----a-w-                C:\windows\SysWow64\vbscript.dll

2014-11-22 02:07:17        62464    ----a-w-                C:\windows\SysWow64\iesetup.dll

2014-11-22 02:06:32        47616    ----a-w-                C:\windows\SysWow64\ieetwproxystub.dll

2014-11-22 02:05:02        64000    ----a-w-                C:\windows\SysWow64\MshtmlDac.dll

2014-11-22 01:54:30        620032  ----a-w-                C:\windows\SysWow64\jscript9diag.dll

2014-11-22 01:47:10        1359360                ----a-w-                C:\windows\System32\mshtmlmedia.dll

2014-11-22 01:46:58        2125312                ----a-w-                C:\windows\System32\inetcpl.cpl

2014-11-22 01:40:04        60416    ----a-w-                C:\windows\SysWow64\JavaScriptCollectionAgent.dll

2014-11-22 01:29:26        4299264                ----a-w-                C:\windows\SysWow64\jscript9.dll

2014-11-22 01:28:21        2358272                ----a-w-                C:\windows\System32\wininet.dll

2014-11-22 01:22:49        2052096                ----a-w-                C:\windows\SysWow64\inetcpl.cpl

2014-11-22 01:21:57        1155072                ----a-w-                C:\windows\SysWow64\mshtmlmedia.dll

2014-11-22 01:00:20        1888256                ----a-w-                C:\windows\SysWow64\wininet.dll

2014-11-21 11:14:22        63704    ----a-w-                C:\windows\System32\drivers\mwac.sys

2014-11-21 11:14:08        25816    ----a-w-                C:\windows\System32\drivers\mbam.sys

2014-11-19 09:31:16        1217192                ----a-w-                C:\windows\SysWow64\FM20.DLL

2014-11-11 03:09:06        1424384                ----a-w-                C:\windows\System32\WindowsCodecs.dll

2014-11-11 03:08:52        241152  ----a-w-                C:\windows\System32\pku2u.dll

2014-11-11 03:08:48        728064  ----a-w-                C:\windows\System32\kerberos.dll

2014-11-11 02:44:45        1230336                ----a-w-                C:\windows\SysWow64\WindowsCodecs.dll

2014-11-11 02:44:32        186880  ----a-w-                C:\windows\SysWow64\pku2u.dll

2014-11-11 02:44:25        550912  ----a-w-                C:\windows\SysWow64\kerberos.dll

2014-11-11 01:46:26        119296  ----a-w-                C:\windows\System32\drivers\tdx.sys

2014-11-08 03:16:08        2048       ----a-w-                C:\windows\System32\tzres.dll

2014-11-08 02:45:09        2048       ----a-w-                C:\windows\SysWow64\tzres.dll

2014-10-30 02:03:43        165888  ----a-w-                C:\windows\System32\charmap.exe

2014-10-30 01:45:43        155136  ----a-w-                C:\windows\SysWow64\charmap.exe

2014-10-28 01:17:59        98216    ----a-w-                C:\windows\SysWow64\WindowsAccessBridge-32.dll

2014-10-25 01:57:59        77824    ----a-w-                C:\windows\System32\packager.dll

2014-10-25 01:32:37        67584    ----a-w-                C:\windows\SysWow64\packager.dll

.

============= FINISH: 19:36:37.45 ===============




#2 nasdaq

  • Malware Response Team
  • 39,576 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 January 2015 - 08:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

Wait for further instructions.

#3 dlasko

  • Topic Starter

  • Members
  • 16 posts
  • Gender:Female
  • Location:Durham, NC

Posted 20 January 2015 - 06:49 PM

Thank you for your help, nasdaq. I am ready to battle Trojans.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by Denise (administrator) on DENISE-HOME on 20-01-2015 18:21:35
Running from C:\Users\Denise\Desktop\Farbar
Loaded Profiles: Denise (Available profiles: Denise)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(ArcSoft, Inc.) C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
() C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
(Nero AG) C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\Common\HPSupportSolutionsFrameworkService.exe
() C:\Windows\jmesoft\Service.exe
(Lenovo) C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
() C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(McAfee, Inc.) C:\Program Files\McAfee\MSC\McAPExe.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
() C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
() C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe
(Lenovo) C:\Windows\jmesoft\hotkey.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Lenovo) C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe
(CyberLink) C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe
(Lenovo) C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(AOL Inc.) C:\Program Files (x86)\Common Files\AOL\1350170060\ee\aolsoftware.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(McAfee, Inc.) C:\Program Files\McAfee\MSM\McSmtFwk.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\Platform\McUICnt.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_16_0_0_257_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11543656 2010-10-26] (Realtek Semiconductor)
HKLM\...\Run: [Lenovo EE Boot Optimizer] => D.EXE
HKLM\...\Run: [IgfxTray] => DOWS\SYSTEM32\IGFXTRAY.EXE
HKLM\...\Run: [HotKeysCmds] => DOWS\SYSTEM32\HKCMD.EXE
HKLM\...\Run: [Persistence] => DOWS\SYSTEM32\IGFXPERS.EXE
HKLM-x32\...\Run: [jmekey] => C:\windows\jmesoft\hotkey.exe [118784 2011-03-21] (Lenovo)
HKLM-x32\...\Run: [jmesoft] => C:\Windows\jmesoft\ServiceLoader.exe [28672 2011-03-15] ()
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-04-26] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [ModeSwitch] => C:\Program Files\Lenovo\Power Dial\LitModeSwitch.exe [163840 2010-09-26] (Lenovo)
HKLM-x32\...\Run: [Lenovo Dynamic Brightness System] => C:\Program Files\Lenovo\Lenovo Brightness System\Lenovo Dynamic Brightness System.exe [285696 2010-10-08] (Lenovo)
HKLM-x32\...\Run: [Lenovo Eye Distance System] => C:\Program Files\Lenovo\Lenovo Eye Distance System\Lenovo Eye Distance System.exe [265216 2010-09-09] (Lenovo)
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe [103720 2009-12-04] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [222504 2009-05-20] (CyberLink Corp.)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [SetDefaultSCR] => C:\Program Files (x86)\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe [102400 2009-12-30] (Lenovo)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [37232 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640376 2008-06-11] (Adobe Systems Inc.)
HKLM-x32\...\Run: [mcui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [HostManager] => C:\Program Files (x86)\Common Files\AOL\1350170060\ee\AOLSoftware.exe [41800 2010-03-08] (AOL Inc.)
HKLM-x32\...\Run: [hpqSRMon] => C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe [150528 2008-07-22] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [309184 2012-03-28] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [688984 2014-07-23] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7780120 2014-12-20] (SUPERAntiSpyware)
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\...\RunOnce: [Adobe Speed Launcher] => 1421736006
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\...\MountPoints2: {17ea06a2-9bc6-11e4-b966-00038a000015} - F:\LaunchU3.exe -a
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\...\MountPoints2: {4557aee0-28c5-11e4-b15e-00038a000015} - E:\MI.exe
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\...\MountPoints2: {6d5550be-32a0-11e2-b106-00038a000015} - F:\LaunchU3.exe -a
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\...\MountPoints2: {e5a529c7-bf2f-11e1-ad66-c89cdc5cdb83} - G:\setup.exe -a
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ImageBrowser EX Agent.lnk
ShortcutTarget: ImageBrowser EX Agent.lnk -> C:\Program Files (x86)\Canon\ImageBrowser EX\MFManager.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wraltv.com/
URLSearchHook: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> DefaultScope {87E8E234-4F2F-4503-8D1E-DAF28E692A78} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US714D20120322&p={SearchTerms}
SearchScopes: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> {87E8E234-4F2F-4503-8D1E-DAF28E692A78} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US714D20120322&p={SearchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.150\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> No Name - {4F524A2D-5637-006A-76A7-7A786E7484D7} - No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: HKLM-x32 {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {BD8667B7-38D8-4C77-B580-18C3E146372C} http://ak.imgag.com/imgag/cp/install/Crusher.cab
DPF: HKLM-x32 {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.9.0.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {FAA26872-BB40-4AB2-8A6D-A49183581AAA} http://70.62.103.178:5002/user/TSBnwCam.CAB
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler-x32: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - C:\Program Files (x86)\Microsoft\Outlook Web Access SMIME Client\mimectl.dll (Microsoft Corporation)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Denise\AppData\Roaming\Mozilla\Firefox\Profiles\diglugkx.default
FF DefaultSearchEngine: Secure Search
FF SearchEngineOrder.1: Secure Search
FF SelectedSearchEngine: Secure Search
FF Homepage: www.wral.com
FF Keyword.URL: https://search.yahoo.com/search?fr=mcafee&type=B111US714D20120322&p=
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_16_0_0_257.dll ()
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1205146.dll (Adobe Systems, Inc.)
FF Plugin-x32: @canon.com/MycameraPlugin -> C:\Program Files (x86)\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3867049485-1100815424-4231782069-1001: amazon.com/AmazonMP3DownloaderPlugin -> C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101721.dll (Amazon.com, Inc.)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\McSiteAdvisor.xml
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor [2012-03-22]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012-11-22]
FF HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
FF Extension: McAfee Security Scan Plus - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014-04-04]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-01-13]
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx [2015-01-13]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 ADExchange; C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe [43072 2012-03-19] (ArcSoft, Inc.)
R2 CEEBC40A-FDED-4C59-B354-939132350B01; C:\Program Files (x86)\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [96752 2010-08-30] ()
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2012-01-26] (Macrovision Europe Ltd.) [File not signed]
R2 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [438616 2014-07-23] (Garmin Ltd or its subsidiaries)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [249344 2009-09-20] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-09-20] (Hewlett-Packard Co.) [File not signed]
R2 HPSLPSVC; C:\Users\Denise\AppData\Local\Temp\7zS00F7\hpslpsvc64.dll [1039360 2011-11-14] (Hewlett-Packard Co.) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89864 2014-12-11] (Hewlett-Packard Company)
R2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-03-15] () [File not signed]
R2 LenovoCOMSvc; C:\Program Files\Lenovo\Power Dial\LenovoCOMSvc.exe [49152 2009-09-30] (Lenovo) [File not signed]
R3 LitModeCtrl; C:\Program Files\Lenovo\Power Dial\LitModeCtrl.exe [81920 2010-09-09] (Lenovo) [File not signed]
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [154320 2014-12-03] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe [289256 2014-04-09] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [603424 2014-09-04] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-08-20] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
R2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [214896 2011-12-06] ()
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 0292181421536686mcinstcleanup; C:\windows\TEMP\029218~1.EXE -cleanup -nolog [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
S3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-01-20] (Malwarebytes Corporation)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [445512 2014-08-20] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [96592 2014-08-20] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R0 WinI2C-DDC; C:\Windows\System32\drivers\DDCDrv.sys [20832 2008-04-08] (Nicomsoft Ltd.)
R0 WinI2C-DDC; C:\Windows\SysWOW64\drivers\DDCDrv.sys [15712 2010-03-22] (Nicomsoft Ltd.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 18:21 - 2015-01-20 18:21 - 00000000 ____D () C:\FRST
2015-01-20 18:17 - 2015-01-20 18:21 - 00000000 ____D () C:\Users\Denise\Desktop\Farbar
2015-01-20 15:12 - 2015-01-20 15:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2015-01-19 21:46 - 2015-01-19 21:46 - 04187592 _____ (Kaspersky Lab ZAO) C:\Users\Denise\Desktop\tdsskiller.exe
2015-01-19 19:36 - 2015-01-19 19:36 - 00034784 _____ () C:\Users\Denise\Desktop\dds.txt
2015-01-19 19:36 - 2015-01-19 19:36 - 00012360 _____ () C:\Users\Denise\Desktop\attach.txt
2015-01-19 19:25 - 2015-01-19 19:25 - 00688992 ____R (Swearware) C:\Users\Denise\Desktop\dds.com
2015-01-19 15:15 - 2015-01-19 15:16 - 00000000 ___DC () C:\Users\Denise\AppData\Local\MigWiz
2015-01-16 21:06 - 2015-01-16 21:55 - 00021647 _____ () C:\Users\Denise\Desktop\hijackthis.log
2015-01-16 21:06 - 2015-01-16 21:06 - 00003132 _____ () C:\windows\System32\Tasks\{87293F24-3CDD-4107-A1BE-46B624C49CE2}
2015-01-16 20:58 - 2015-01-16 20:58 - 00388608 _____ (Trend Micro Inc.) C:\Users\Denise\Desktop\HijackThis.exe
2015-01-13 14:49 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\profsvc.dll
2015-01-13 14:49 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2015-01-13 14:49 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2015-01-13 14:49 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2015-01-13 14:49 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2015-01-13 14:49 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2015-01-13 14:49 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2015-01-13 14:49 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2015-01-13 14:49 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2015-01-13 14:49 - 2014-12-11 12:47 - 00052736 _____ (Microsoft Corporation) C:\windows\system32\TSWbPrxy.exe
2015-01-13 14:49 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\windows\system32\nlasvc.dll
2015-01-13 14:49 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncsi.dll
2015-01-13 14:49 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\windows\SysWOW64\nlaapi.dll
2015-01-11 21:02 - 2015-01-11 21:02 - 00000000 ____D () C:\Users\Public\Documents\Presley
2015-01-11 15:29 - 2015-01-11 15:29 - 00007628 _____ () C:\Users\Denise\AppData\Local\Resmon.ResmonCfg
2015-01-10 23:46 - 2015-01-10 23:46 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-10 01:26 - 2015-01-18 20:26 - 00001309 _____ () C:\Users\Denise\Desktop\Viewbug - Shortcut.lnk
2015-01-10 01:06 - 2015-01-10 01:07 - 00000000 ____D () C:\Users\Public\Documents\Sale items
2015-01-09 23:08 - 2015-01-09 23:08 - 00003340 _____ () C:\Users\Denise\Desktop\Scanners - Shortcut.lnk
2015-01-09 22:34 - 2015-01-09 23:39 - 00000000 ____D () C:\Users\Public\Documents\Car Insurance
2015-01-09 22:08 - 2015-01-09 22:08 - 00000000 ____D () C:\Users\Public\Documents\Taxes
2015-01-09 21:55 - 2015-01-11 21:19 - 00000000 ____D () C:\Users\Public\Documents\Recipes
2015-01-09 21:53 - 2015-01-09 23:08 - 00000000 ____D () C:\Users\Public\Documents\Computer
2014-12-21 18:20 - 2014-12-21 18:20 - 00001760 _____ () C:\Users\Denise\Desktop\My Scans - Shortcut.lnk
2014-12-21 18:07 - 2014-12-21 18:07 - 00000000 ____D () C:\Users\Denise\AppData\Local\Hewlett-Packard
2014-12-21 18:05 - 2014-12-21 18:05 - 00000000 ____D () C:\Program Files (x86)\Hewlett-Packard
2014-12-21 17:24 - 2014-12-21 17:24 - 00000000 ____D () C:\Users\Denise\AppData\Local\{5EE7B061-B72A-4C00-B4D5-92CE8AEDC742}

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 18:04 - 2011-09-03 12:44 - 01310987 _____ () C:\windows\WindowsUpdate.log
2015-01-20 17:40 - 2014-05-23 23:37 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job
2015-01-20 01:40 - 2013-05-26 23:01 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
2015-01-20 01:40 - 2012-11-29 18:26 - 00000000 ____D () C:\Temp
2015-01-20 01:40 - 2011-09-03 13:04 - 00818601 _____ () C:\windows\system32\fastboot.set
2015-01-20 01:29 - 2009-07-13 23:45 - 00020688 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-20 01:29 - 2009-07-13 23:45 - 00020688 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-20 01:22 - 2014-02-19 23:36 - 00000439 _____ () C:\windows\system32\Drivers\etc\hosts.ics
2015-01-20 01:21 - 2014-12-13 23:10 - 00002574 _____ () C:\windows\setupact.log
2015-01-20 01:21 - 2010-11-20 22:47 - 00327772 _____ () C:\windows\PFRO.log
2015-01-20 01:21 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-01-20 01:04 - 2014-07-01 00:34 - 00129752 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-20 00:37 - 2009-07-14 00:13 - 00783464 _____ () C:\windows\system32\PerfStringBackup.INI
2015-01-19 17:48 - 2012-05-08 20:23 - 08982016 ___SH () C:\Users\Denise\Desktop\Thumbs.db
2015-01-14 03:03 - 2013-08-15 02:02 - 00000000 ____D () C:\windows\system32\MRT
2015-01-14 03:00 - 2012-12-23 17:47 - 113365784 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2015-01-14 02:40 - 2014-05-23 23:37 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater
2015-01-14 02:40 - 2012-06-04 22:47 - 00701616 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-01-14 02:40 - 2012-06-04 22:47 - 00071344 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-12 00:46 - 2014-12-12 18:28 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-01-12 00:35 - 2014-07-01 00:33 - 00096472 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2015-01-11 23:12 - 2012-07-04 16:45 - 00464896 ___SH () C:\Users\Denise\Downloads\Thumbs.db
2015-01-11 21:18 - 2012-09-14 22:12 - 00000000 ____D () C:\Users\Denise\Documents\Dee
2015-01-11 21:18 - 2012-09-14 22:12 - 00000000 ____D () C:\Users\Denise\Documents\Brooke
2015-01-11 21:15 - 2012-09-29 20:59 - 00000000 ____D () C:\Users\Denise\Documents\Divorce
2015-01-11 21:12 - 2012-09-14 23:16 - 00000000 ____D () C:\Users\Denise\Documents\NIEHS
2015-01-11 21:10 - 2010-05-02 14:28 - 00120320 ___SH () C:\Users\Denise\Documents\Thumbs.db
2015-01-10 20:51 - 2012-09-14 22:12 - 00000000 ____D () C:\Users\Denise\Documents\Family
2015-01-10 20:02 - 2012-09-14 22:12 - 00000000 ____D () C:\Users\Denise\Documents\My Scans
2015-01-10 01:12 - 2013-02-11 20:12 - 00005855 _____ () C:\Users\Denise\Desktop\My funeral CD - Shortcut.lnk
2015-01-09 23:45 - 2014-03-02 17:57 - 00000000 ____D () C:\Users\Denise\AppData\Roaming\ArcSoft
2015-01-09 23:45 - 2014-03-02 17:56 - 00000000 ____D () C:\ProgramData\ArcSoft
2015-01-09 22:23 - 2012-01-26 09:17 - 00000000 ____D () C:\Users\Denise\Documents\HRBlock
2015-01-09 21:54 - 2012-09-14 22:12 - 00000000 ____D () C:\Users\Denise\Documents\Beau
2015-01-08 09:55 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2015-01-06 19:55 - 2011-09-03 13:04 - 00000000 ____D () C:\Program Files (x86)\Google
2015-01-06 19:54 - 2012-01-23 10:56 - 00000000 ____D () C:\Users\Denise\AppData\Local\Google
2015-01-06 19:50 - 2012-07-04 12:32 - 00000000 ____D () C:\Users\Denise\AppData\Local\{2A857AA5-C6A3-4649-83C7-EF98F8854BA9}
2014-12-28 15:48 - 2009-07-13 22:20 - 00000000 ____D () C:\windows\system32\NDF
2014-12-24 23:49 - 2014-09-01 21:08 - 00000000 ____D () C:\Users\Denise\AppData\Local\Adobe
2014-12-24 02:27 - 2009-07-13 23:45 - 00350680 _____ () C:\windows\system32\FNTCACHE.DAT
2014-12-21 18:07 - 2012-01-23 10:39 - 00093816 _____ () C:\Users\Denise\AppData\Local\GDIPFONTCACHEV1.DAT

==================== Files in the root of some directories =======
2013-05-18 15:20 - 2013-05-18 15:28 - 0000023 _____ () C:\Users\Denise\AppData\Roaming\mbam.context.scan
2012-09-19 18:09 - 2014-05-03 11:41 - 0008704 _____ () C:\Users\Denise\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-11 15:29 - 2015-01-11 15:29 - 0007628 _____ () C:\Users\Denise\AppData\Local\Resmon.ResmonCfg
2011-09-03 13:04 - 2011-09-03 13:04 - 1914000 _____ (Adobe Systems Incorporated) C:\ProgramData\flashax10.exe
2012-11-22 22:05 - 2012-11-22 22:17 - 0001268 _____ () C:\ProgramData\hpzinstall.log

Files to move or delete:
====================
C:\ProgramData\flashax10.exe
C:\Users\Denise\AIO_CDA_Net_Full_Win_WW_130_140.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 01:14

==================== End Of Log ============================

#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:58 PM

Posted 21 January 2015 - 08:18 AM


Did you install this boot Optimizer?

If you know what it is and are sure that it's safe, remove it from the fixlist.txt file before saving it.

HKLM\...\Run: [Lenovo EE Boot Optimizer] => D.EXE


Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM\...\Run: [Lenovo EE Boot Optimizer] => D.EXE
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
Toolbar: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> No Name - {4F524A2D-5637-006A-76A7-7A786E7484D7} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
S2 0292181421536686mcinstcleanup; C:\windows\TEMP\029218~1.EXE -cleanup -nolog [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Reset the browsers that have been compromised.

Reset Chrome...
Click on "Customize and control Google Chrome".
Click "Settings" then "Show advanced settings" at the bottom of the screen.
Click "Reset browser settings" button.
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

How is the computer running now?

#5 dlasko

Posted 21 January 2015 - 11:02 PM

My computer was new when I bought it and the Lenovo EE boot optimizer was one of the programs. I will keep it for now and remove it from the fixlist.txt list before running Fix.

Why would HKey_current_user\software\long string of letters and numbers found under Registry Editor not be listed in the fixlist? When I click on it, it has several files, with one being O’ld with Data Houdsodu!Rdbtshux. Is it safe to delete the main entry under software in Registry Editor that has the long string of letters and numbers?

I do not have the Chrome browser. I am not sure why a file for it shows in the fixlist.

setbj in startup programs (disabled a year ago due to other event); I don’t know what it is. Is it safe to delete?

I ran FRST and clicked Fix only once. Computer rebooted perfectly and quickly. I reset browser IE but did not check the box for delete personal settings. I reset FF, which I don’t use. No paging refresh on IE now. Awesome!!! Please let me know what to do with Houdsodu!Rdbtshux and setbj.

Content of fixlist:
*****************
start

CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
Toolbar: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKU\S-1-5-21-3867049485-1100815424-4231782069-1001 -> No Name - {4F524A2D-5637-006A-76A7-7A786E7484D7} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
S2 0292181421536686mcinstcleanup; C:\windows\TEMP\029218~1.EXE -cleanup -nolog [X]

End
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\Microsoft\Internet Explorer\URLSearchHooks\\{D8278076-BC68-4484-9233-6E7F1628B56C} => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
"HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => Key not found.
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
HKU\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4F524A2D-5637-006A-76A7-7A786E7484D7} => value deleted successfully.
HKCR\CLSID\{4F524A2D-5637-006A-76A7-7A786E7484D7} => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh" => Key deleted successfully.
0292181421536686mcinstcleanup => Service deleted successfully.

The system needed a reboot.

==== End of Fixlog 19:59:16 ====

#6 nasdaq

Posted 22 January 2015 - 09:25 AM

Why would HKey_current_user\software\long string of letters and numbers found under Registry Editor not be listed in the fixlist?

Because I do not see it on your FRST log.

It could be just a remnant entry that was left over after an infection.

Let's look also in the Registry.

Please run the Farbar Recovery Scan Tool. Enter Houdsodu!Rdbtshux in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

===

I do not have the Chrome browser. I am not sure why a file for it shows in the fixlist.

These were added by McAfee. They will be needed if and whenever you install Chrome.
===

setbj in startup programs (disabled a year ago due to other event); I don’t know what it is. Is it safe to delete?


This is possibly reported in the Addition.txt that was created when you ran the Farbar tool.
See my instructions.
Post the file and I will take it from there.

===

#7 dlasko

Posted 22 January 2015 - 07:46 PM

I ran the Farbar Recovery Scan Tool. I entered Houdsodu!Rdbtshux in the Search Box.

Farbar Recovery Scan Tool (x64) Version: 19-01-2015
Ran by Denise at 2015-01-22 19:16:56
Running from C:\Users\Denise\Desktop\Farbar
Boot Mode: Normal

================== Search Registry: "Houdsodu!Rdbtshux" ===========

[HKEY_USERS\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\A096476921640305F9984F760DF86F71]
"O`ld"="Houdsodu!Rdbtshux"

====== End Of Search ======

setbj was in the Addition.txt file and I attached the file. I wasn't sure if you wanted me to post directly or attach, so I attached per original instruction.

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: setbj => "C:\Windows\System32\rundll32.exe" "C:\Users\Denise\AppData\Roaming\setbj.dll",List_SetItem

#8 nasdaq

Posted 23 January 2015 - 10:24 AM

Play it safe. Run this .reg file to remove the remnant item from the registry.


Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\A096476921640305F9984F760DF86F71]


Restart the computer when completed.

You can delete the fixme.reg file when done.


===

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: setbj => "C:\Windows\System32\rundll32.exe" "C:\Users\Denise\AppData\Roaming\setbj.dll",List_SetItem


This startup item is disabled in MSCONFIG. To remove it completely you must enable it.

How to here:
http://netsquirrel.com/msconfig/msconfig_win7.html

Then open My Computer and navigate to the Windows\System32\Tasks folder and delete the task associated with it.

Restart the computer normally.

How is the computer now?

#9 dlasko

Posted 23 January 2015 - 03:19 PM

To make sure I have it correct: 

Should I copy the HKey_users... line AND the text Windows Registry Editor Version 5.00 into notepad?

setbj
I enabled setbj in startup programs. I then navigated to the Windows\System32\Tasks folder, but the file/task for setbj was not in there. I checked all folders within. The only odd file, NOT found in a folder but one of the main entries, was {87293F24-3CDD-4107-A1BE-46B624C49CE2}. I then rebooted, thinking that once I did, the setbj task file would appear in the Windows\System32\Tasks folder. After reboot a dialogue box showed up on the desktop:

RunDLL

There was a problem starting c:\users\Denise\AppData\roaming\setbj.dll. The specified module could not be found.

I then navigated to the Windows\System32\Tasks folder and setbj was still not in it.


Edited by dlasko, 23 January 2015 - 06:34 PM.


#10 nasdaq

Posted 24 January 2015 - 08:42 AM

To make sure I have it correct:
Should I copy HKey_users... line AND the text Windows Registry Editor Version 5.00 into notepad?


Yes! And leave a blank line after it.
Copy everything as is.
===

Let's look for setbj and 87293F24-3CDD-4107-A1BE-46B624C49CE2 in the registry.

Please run the Farbar Recovery Scan Tool. Enter setbj;87293F24-3CDD-4107-A1BE-46B624C49CE2 in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

#11 dlasko

Posted 24 January 2015 - 01:18 PM

I copied the text as instructed to notepad. I saved it as fixme.reg to the desktop. I merged the file. I restarted the computer. I deleted the fixme.reg file.

I am happy to report that HKey_current_user\software\long string of letters and numbers found under Registry Editor is no longer there and neither is Houdsodu!Rdbtshux. Awesome!

setbj:
I ran the Farbar Recovery Scan Tool. I entered setbj;87293F24-3CDD-4107-A1BE-46B624C49CE2 in the Search Box.

Farbar Recovery Scan Tool (x64) Version: 24-01-2015 01
Ran by Denise at 2015-01-24 12:27:40
Running from C:\Users\Denise\Desktop\Farbar
Boot Mode: Normal

================== Search Registry: "setbj;87293F24-3CDD-4107-A1BE-46B624C49CE2" ===========


===================== Search result for "setbj" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\setbj]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\setbj]
"command"=""C:\Windows\System32\rundll32.exe" "C:\Users\Denise\AppData\Roaming\setbj.dll",List_SetItem"

[HKEY_USERS\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\Microsoft\Windows\CurrentVersion]
"setbj"="ODUuMTcuMTMyLjU0OwAA"


===================== Search result for "87293F24-3CDD-4107-A1BE-46B624C49CE2" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{33D08E0C-03D1-468E-A866-342204536C81}]
"Path"="\{87293F24-3CDD-4107-A1BE-46B624C49CE2}"

====== End Of Search ======

#12 nasdaq

Posted 24 January 2015 - 02:02 PM

Now create a new fixme.reg file with this data.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\setbj]
[HKEY_USERS\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\Microsoft\Windows\CurrentVersion]
"setbj"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{33D08E0C-03D1-468E-A866-342204536C81}]


Run the .reg file and when done delete it.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

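An added example (not from the thread, not nasdaq's fix, and not FRST's own code) that turns the FRST "Search Registry" output posted above into a correctly formed removal .reg file: `[-key]` drops a whole key, `"name"=-` drops a single value, and a value line with data left after the `=-` is not valid .reg syntax. It also decodes the base64-looking `setbj` value (it decodes to the ASCII text `85.17.132.54;` plus two null bytes, worth noting before the value is deleted) and lists what a .reg file cannot remove: the DLL the rundll32 command points at, the task XML under System32\Tasks that the poster later found still present, and the mirrored TaskCache\Tree key. The sample input is constructed from the posted log; the function names, the base64 heuristic and the assumed default System32\Tasks / TaskCache\Tree layout are this example's own assumptions.

```python
"""Turn an FRST "Search Registry" result into a removal .reg file.

Added example, not part of the original thread and not FRST's own code. The
sample input is constructed from the search result posted in the thread; the
function names and the TaskCache/Tasks layout are this example's assumptions.
"""
import base64
import re

# Constructed sample input, copied from the FRST search result in the thread.
FRST_SEARCH_OUTPUT = r'''
===================== Search result for "setbj" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\setbj]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\setbj]
"command"=""C:\Windows\System32\rundll32.exe" "C:\Users\Denise\AppData\Roaming\setbj.dll",List_SetItem"

[HKEY_USERS\S-1-5-21-3867049485-1100815424-4231782069-1001\Software\Microsoft\Windows\CurrentVersion]
"setbj"="ODUuMTcuMTMyLjU0OwAA"

===================== Search result for "87293F24-3CDD-4107-A1BE-46B624C49CE2" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{33D08E0C-03D1-468E-A866-342204536C81}]
"Path"="\{87293F24-3CDD-4107-A1BE-46B624C49CE2}"

====== End Of Search ======
'''

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
TASKCACHE_RE = re.compile(r"\\Schedule\\TaskCache\\Tasks\\\{[0-9A-Fa-f-]+\}$")
FILE_RE = re.compile(r"[A-Za-z]:\\[^\"]+?\.(?:dll|exe)", re.IGNORECASE)
# Assumed default layout: task XML lives under %SystemRoot%\System32\Tasks and
# each TaskCache\Tasks\{Id} entry is mirrored by a TaskCache\Tree\<Path> key.
TASKS_DIR = r"C:\Windows\System32\Tasks"
TREE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"


def parse_frst_search(text):
    """{key_path: {value_name: raw_data}} in the order FRST printed the hits.
    FRST repeats a key line before printing its values; both are merged."""
    hits, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = hits.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return hits


def decode_if_base64(raw):
    """Decoded bytes if the quoted data looks like base64 (alphabet only, length
    a multiple of 4), else None. A heuristic: short plain words can false-positive."""
    s = raw.strip('"')
    if not s or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:
        return None


def key_is_owned_by(key, artifact):
    """True when the key exists only for the artifact (named after it, or a
    per-task TaskCache\\Tasks\\{Id} entry), so the whole key can go. Shared keys
    such as ...\\Windows\\CurrentVersion must keep their other values."""
    return key.rsplit("\\", 1)[-1].lower() == artifact.lower() or bool(TASKCACHE_RE.search(key))


def build_removal_reg(hits, artifact):
    """Emit .reg text: '[-key]' deletes a key, '"name"=-' deletes one value.
    Data left after the '-' (as in "name"=-ODUu...) is not valid .reg syntax."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in hits.items():
        if key_is_owned_by(key, artifact):
            lines.append(f"[-{key}]")
        else:
            lines.append(f"[{key}]")
            lines.extend(f'"{name}"=-' for name in values)  # FRST listed only the hits
        lines.append("")
    return "\r\n".join(lines)


def leftover_artifacts(hits):
    """What a .reg file cannot remove: payload files the values point at (the host
    binary under \\Windows\\ is skipped), the task XML named by a TaskCache 'Path'
    value, and the mirrored TaskCache\\Tree key. Returns (files, keys)."""
    files, keys = [], []
    for key, values in hits.items():
        for name, raw in values.items():
            files += [p for p in FILE_RE.findall(raw) if "\\windows\\" not in p.lower()]
            if name.lower() == "path" and TASKCACHE_RE.search(key):
                rel = raw.strip('"').lstrip("\\")
                files.append(TASKS_DIR + "\\" + rel)
                keys.append(TREE_KEY + "\\" + rel)
    return files, keys


if __name__ == "__main__":
    hits = parse_frst_search(FRST_SEARCH_OUTPUT)
    print(build_removal_reg(hits, "setbj"))
    for key, values in hits.items():
        for name, raw in values.items():
            data = decode_if_base64(raw)
            if data is not None:
                print(f"; {name} under {key} decodes to {data!r}")
    files, keys = leftover_artifacts(hits)
    print("; remove by hand:", *files, *keys, sep="\n;   ")
```

Run it and paste the printed .reg text into a file to merge; the lines after the `;` comments are the file and task-cache leftovers to clear separately, since merging a .reg file never touches files on disk.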
#13 dlasko

dlasko
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Durham, NC
  • Local time:11:58 AM

Posted 24 January 2015 - 02:17 PM

I disabled the setbj process in startup programs yesterday after the RUNdll error. Should I enable it first before running the new fixme.reg file?
Should I download the Security Check now before running new fixme.reg file and then run Security Check after reboot?

I decided to download Security Check first but did not complete it because a McAfee dialogue box popped up reporting "Potentially Dangerous Download Detected!" I have the option to download anyway or block the download.

Edited by dlasko, 24 January 2015 - 02:59 PM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:58 PM

Posted 24 January 2015 - 03:55 PM

I disabled the setbj process in startup programs yesterday after the RUNdll error. Should I enable it first before running the new fixme.reg file?

No, I do not think so. It's being called from the Registry at startup.

Make sure you restart the computer when done.

===

Accept the Security Check tool; it's safe.

#15 dlasko

dlasko
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Durham, NC
  • Local time:11:58 AM

Posted 24 January 2015 - 05:07 PM

I copied the text as instructed to notepad. I saved it as fixme.reg to the desktop. I merged the file. I restarted the computer. I deleted the fixme.reg file.

Msconfig:
I am happy to report that setbj is NOT in my list of startup programs now. Awesome!

I navigated to Windows\System32\Tasks folder and the 87293F24-3CDD-4107-A1BE-46B624C49CE2 was still in there. "Path"="\{87293F24-3CDD-4107-A1BE-46B624C49CE2}" was not included in the fixme.reg file and probably should not be. Perhaps the file is not a problem?

My IE home page did get reset to about:blank in the new fixme.reg process, but no problem connecting to the internet.

I tried to download the Security Check program with the link provided in the instruction "Download Security Check by screen317 from here". I chose "download anyway" after the warning from McAfee. McAfee would not let me download. I then tried to download the app from www.bleepingcomputer.com/download/securitycheck and McAfee came back with "a Trojan has been found and has been quarantined". McAfee will not let me download the program. The only way I will be able to download Security Check will be if I disable McAfee. McAfee couldn't block the Trojan attack that led me to seek help, but they block programs that are safe?

Edited by dlasko, 25 January 2015 - 02:19 AM.