
Zbot / Zeus infection per CBL / No symptoms on PC


This topic is locked
11 replies to this topic

#1 Steve Rausch (Members, 8 posts)

Posted 28 January 2015 - 08:33 PM

Hi,

We're a medium-sized company with about 100 PCs behind a Sonicwall firewall. We were blacklisted earlier today by the CBL and told that: "This IP address is infected with, or is NATting for a machine infected with the ZeuS trojan, also known as "Zbot" and "WSNPoem"." The domain "sync.mathtag.com" was specifically mentioned in the notice. We looked at our internal DNS server logs for requests for this URL, and lo and behold, my computer was one of the ones looking for this address. I've downloaded and run a whole mess of removal tools, most of which were listed in the CBL notice. My machine still seems to be asking for DNS resolution on this URL. I am seeing no symptoms; everything seems to be running fine.

 

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by SteveR (administrator) on STEVER-8L on 28-01-2015 17:24:06
Running from C:\Users\stever\Desktop
Loaded Profiles: SteveR (Available profiles: user & SteveR)
Platform: Windows 8.1 Pro with Media Center (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Bitdefender) C:\Program Files\Bitdefender\Endpoint\EndpointIntegration.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Bitdefender) C:\Program Files\Bitdefender\Endpoint\endpointservice.exe
(Bitdefender) C:\Program Files\Common Files\Bitdefender\Endpoint Agent\epag.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkClient.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Bitdefender) C:\Program Files\Bitdefender\Endpoint\updateservice.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\VESMgr.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Qualcomm Atheros) C:\Program Files (x86)\Bluetooth Suite\BtTray.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
(Bitdefender) C:\Program Files\Bitdefender\Endpoint\console.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Update\VAIOUpdt.exe
(Intel Corporation) C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Update\VUAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCSystemTray.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCService.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCAgent.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE
(Microsoft Corporation) C:\Windows\System32\mstsc.exe
(Famatech Corp.) C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe
(Microsoft Corporation) C:\Windows\System32\mstsc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1214608 2012-09-28] (Realtek Semiconductor)
HKLM\...\Run: [BtTray] => C:\Program Files (x86)\Bluetooth Suite\BtTray.exe [766080 2012-11-05] (Qualcomm Atheros)
HKLM\...\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [127616 2012-11-05] (Qualcomm Atheros Commnucations)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2013-04-30] (LogMeIn, Inc.)
HKLM\...\Run: [Windows Mobile Device Center] => C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2930488 2012-10-23] (Synaptics Incorporated)
HKLM-x32\...\Run: [ISBMgr.exe] => C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe [68776 2012-08-18] (Sony Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BDRegion] => c:\Program Files (x86)\Cyberlink\Shared files\brs.exe [180752 2012-10-23] (cyberlink)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.exe <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\webex\atcliun.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\webex\atcliun.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\webex\atcliun.exe <====== ATTENTION
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-420477555-274140124-2451894829-2302\...\Run: [GoToMeeting] => C:\Users\stever\AppData\Local\Citrix\GoToMeeting\1767\g2mstart.exe [40304 2014-09-30] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-21-420477555-274140124-2451894829-2302\...\Run: [GoogleChromeAutoLaunch_1D527EB14E3E2C5515499BC909300047] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [843592 2015-01-24] (Google Inc.)
HKU\S-1-5-21-420477555-274140124-2451894829-2302\...\Run: [WinHotKey] => C:\Program Files (x86)\WinHotKey\WinHotKey.exe
Startup: C:\Users\stever\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\stever\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trillian.lnk
ShortcutTarget: Trillian.lnk -> C:\Program Files (x86)\Trillian\trillian.exe (Cerulean Studios)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-420477555-274140124-2451894829-2302\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/privatepage/2#Welcome
HKU\S-1-5-21-420477555-274140124-2451894829-2302\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sony13.msn.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll (Adblock Plus)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll (Adblock Plus)
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=1100
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.248 192.168.1.247
 
FireFox:
========
FF ProfilePath: C:\Users\stever\AppData\Roaming\Mozilla\Firefox\Profiles\pmbypuph.default
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_296.dll ()
FF Plugin: @java.com/DTPlugin,version=10.9.2 -> C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.60.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.60.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-420477555-274140124-2451894829-2302: @citrixonline.com/appdetectorplugin -> C:\Users\stever\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Users\stever\AppData\Roaming\mozilla\plugins\npatgpc.dll (Cisco WebEx LLC)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/ig
CHR StartupUrls: Default -> "hxxp://www.netvibes.com/privatepage/2#Welcome"
CHR Profile: C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-02]
CHR Extension: (Google Drive) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-02]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-02]
CHR Extension: (YouTube) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-02]
CHR Extension: (Adblock Plus) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-08-26]
CHR Extension: (Google Search) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-02]
CHR Extension: (Cisco WebEx Extension) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2014-11-03]
CHR Extension: (Google Wallet) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-26]
CHR Extension: (Gmail) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-02]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [231040 2012-11-05] (Qualcomm Atheros Commnucations)
S2 CLKMSVC10_9EC60124; c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [243728 2012-09-28] (CyberLink)
R2 EndpointIntegration; C:\Program Files\Bitdefender\Endpoint\EndpointIntegration.exe [197136 2014-05-12] (Bitdefender)
R2 EndpointService; C:\Program Files\Bitdefender\Endpoint\EndpointService.exe [197136 2015-01-20] (Bitdefender)
R2 epag; C:\Program Files\Common Files\Bitdefender\Endpoint Agent\epag.exe [2228736 2015-01-20] (Bitdefender)
S2 ESRV_SVC; C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe [377768 2013-11-19] (Intel Corporation)
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.1\App Certification Kit\fussvc.exe [142336 2013-08-22] (Microsoft Corporation) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-09-29] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-09-29] (Intel Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [377704 2015-01-23] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226152 2015-01-23] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2013-04-30] (LogMeIn, Inc.)
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [62379184 2014-07-10] (Microsoft Corporation)
S3 NetworkSupport; C:\Program Files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkSupport.exe [625240 2013-09-28] (Sony Corporation)
R2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1900728 2013-06-05] (Microsoft Corporation)
S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [442536 2014-07-10] (Microsoft Corporation)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [119808 2013-08-22] (Microsoft Corporation) [File not signed]
R2 UpdateService; C:\Program Files\Bitdefender\Endpoint\UpdateService.exe [197136 2014-11-10] (Bitdefender)
R3 USER_ESRV_SVC; C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe [377768 2013-11-19] (Intel Corporation)
S3 VCFw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [964608 2012-09-28] (Sony Corporation) [File not signed]
S3 VsEtwService120; C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [87728 2013-10-04] (Microsoft Corporation)
R3 VUAgent; C:\Program Files\Sony\VAIO Update\VUAgent.exe [1642544 2014-02-27] (Sony Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [323584 2012-11-05] (Atheros) [File not signed]
S2 NPEService; "\\ex01\users\zVirusMgmt-IT\npe.exe" /service [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1306464 2015-01-20] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [677104 2015-01-20] (BitDefender)
S0 BDElam; C:\Windows\System32\drivers\bdelam.sys [23568 2013-09-08] (Bitdefender)
R1 Bdfndisf; C:\Program Files\Bitdefender\Endpoint\bdfndisf6.sys [98768 2013-11-19] (BitDefender LLC)
R1 Bdfwfpf; C:\Program Files\Bitdefender\Endpoint\bdfwfpf.sys [107080 2012-10-29] (BitDefender LLC)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [76952 2012-11-05] (Qualcomm Atheros)
S3 BTATH_VDP; C:\Windows\system32\drivers\btath_vdp.sys [427416 2012-11-05] (Qualcomm Atheros)
S3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [155912 2015-01-20] (BitDefender LLC)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-04-30] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S4 RsFx0153; C:\Windows\System32\DRIVERS\RsFx0153.sys [322736 2014-07-10] (Microsoft Corporation)
R3 SensorsSimulatorDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-05-30] (Microsoft Corporation)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [44344 2012-10-23] (Synaptics Incorporated)
R3 SOWS; C:\Windows\System32\drivers\sows.sys [24280 2012-06-10] (Sony Corporation)
R2 trufos; C:\Windows\System32\DRIVERS\trufos.sys [419616 2014-07-30] (BitDefender S.R.L.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-28 16:56 - 2015-01-28 16:56 - 00001373 _____ () C:\Users\stever\Desktop\checkup.txt
2015-01-28 16:45 - 2015-01-28 16:45 - 00040005 _____ () C:\Users\stever\Desktop\Addition.txt
2015-01-28 16:44 - 2015-01-28 17:24 - 00032319 _____ () C:\Users\stever\Desktop\FRST.txt
2015-01-28 16:43 - 2015-01-28 17:24 - 00000000 ____D () C:\FRST
2015-01-28 16:32 - 2015-01-28 16:28 - 02130432 _____ (Farbar) C:\Users\stever\Desktop\FRST64.exe
2015-01-28 16:32 - 2015-01-28 16:27 - 00448512 _____ (OldTimer Tools) C:\Users\stever\Desktop\TFC.exe
2015-01-28 16:32 - 2015-01-28 16:17 - 02194432 _____ () C:\Users\stever\Desktop\adwcleaner_4.109.exe
2015-01-28 15:52 - 2015-01-28 15:52 - 03640880 _____ () C:\Users\stever\Desktop\avg_remover_zbot.exe
2015-01-28 14:47 - 2015-01-28 11:19 - 00122976 _____ (Kaspersky Lab ZAO) C:\Users\stever\Desktop\zbotkiller.exe
2015-01-28 13:21 - 2015-01-28 13:21 - 12613116 _____ () C:\Users\stever\Downloads\sw_tz-215__eng_5.8.1.15 (1).sig
2015-01-09 10:14 - 2015-01-09 10:21 - 00000000 ____D () C:\Users\stever\AppData\Roaming\ShoreWare Client
2015-01-09 10:14 - 2015-01-09 10:14 - 00002266 _____ () C:\Users\Public\Desktop\ShoreTel Communicator.lnk
2015-01-09 10:14 - 2015-01-09 10:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShoreTel
2015-01-09 10:14 - 2015-01-09 10:14 - 00000000 ____D () C:\Program Files (x86)\Shoreline Communications
2015-01-09 10:12 - 2015-01-09 10:12 - 00000000 ____D () C:\Users\stever\AppData\Roaming\{13525330-B260-416A-AF51-72191E6D0F4B}
2015-01-09 10:11 - 2015-01-09 10:11 - 77494336 _____ (ShoreTel, Inc.) C:\Users\stever\Downloads\setup.exe
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-28 17:01 - 2014-08-28 14:12 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-28 17:00 - 2013-08-22 07:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-01-28 16:49 - 2013-07-02 07:56 - 00000926 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-28 16:44 - 2013-06-21 14:46 - 00003594 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-420477555-274140124-2451894829-2302
2015-01-28 16:43 - 2013-12-19 15:03 - 01491067 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-28 16:42 - 2014-07-24 08:20 - 00000000 ____D () C:\AdwCleaner
2015-01-28 16:40 - 2013-07-02 07:56 - 00000922 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-28 16:39 - 2014-01-28 08:42 - 00001020 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2015-01-28 16:39 - 2014-01-28 08:42 - 00001004 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-01-28 16:38 - 2014-07-24 13:22 - 00050390 _____ () C:\WINDOWS\PFRO.log
2015-01-28 16:38 - 2013-08-22 06:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-28 16:38 - 2013-06-21 14:36 - 00000136 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2015-01-28 16:37 - 2013-08-22 05:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI
2015-01-28 16:36 - 2014-03-25 09:23 - 00000588 _____ () C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-420477555-274140124-2451894829-2302.job
2015-01-28 15:33 - 2014-07-01 14:28 - 129880312 _____ (Microsoft Corporation) C:\Users\stever\Desktop\msert.exe
2015-01-28 15:24 - 2013-12-19 15:26 - 00000000 ____D () C:\Users\stever\AppData\Local\Deployment
2015-01-28 14:04 - 2013-11-13 23:36 - 00977292 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-28 14:03 - 2013-10-24 15:36 - 00000000 ____D () C:\Update
2015-01-28 13:58 - 2013-12-19 15:18 - 00004608 __RSH () C:\ProgramData\ntuser.pol
2015-01-28 13:58 - 2013-12-19 15:18 - 00004608 __RSH () C:\ProgramData\ntuser.pol
2015-01-28 13:54 - 2013-12-30 11:55 - 00000576 _____ () C:\Users\stever\AppData\Roaming\com.iliumsoft.ewallet.plist
2015-01-28 13:53 - 2013-07-01 11:37 - 00000000 ____D () C:\Users\stever\Desktop\TEMP
2015-01-28 12:39 - 2013-10-03 07:24 - 00013364 _____ () C:\Users\stever\advanced_ip_scanner_MAC.bin
2015-01-28 12:39 - 2013-10-03 07:24 - 00013364 _____ () C:\Users\stever\advanced_ip_scanner_MAC.bin
2015-01-28 11:27 - 2012-12-04 16:59 - 00000000 ____D () C:\Photos for Display
2015-01-28 11:19 - 2014-07-24 13:42 - 00009046 _____ () C:\WINDOWS\setupact.log
2015-01-28 07:55 - 2013-07-02 13:18 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-01-28 07:55 - 2013-07-02 13:18 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-01-28 02:29 - 2012-07-25 23:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-01-27 09:18 - 2013-06-21 14:40 - 00000000 ____D () C:\Users\stever\AppData\Local\Packages
2015-01-26 16:50 - 2013-07-02 07:57 - 00002203 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-25 18:15 - 2014-03-25 09:23 - 00003592 _____ () C:\WINDOWS\System32\Tasks\G2MUpdateTask-S-1-5-21-420477555-274140124-2451894829-2302
2015-01-24 12:01 - 2014-08-28 14:12 - 00003718 _____ () C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-01-23 21:24 - 2013-07-02 13:18 - 00000000 ____D () C:\Program Files (x86)\LogMeIn
2015-01-23 21:23 - 2013-07-02 13:18 - 00107392 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIRfsClientNP.dll
2015-01-23 21:23 - 2013-07-02 13:18 - 00092520 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIinit.dll
2015-01-23 21:23 - 2013-07-02 13:18 - 00035688 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIport.dll
2015-01-22 17:18 - 2013-07-01 09:06 - 00000000 ____D () C:\copyarea
2015-01-21 06:25 - 2013-08-22 07:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-01-20 03:48 - 2014-11-10 06:53 - 00262544 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avchv.sys
2015-01-20 03:48 - 2014-07-24 13:25 - 00155912 _____ (BitDefender LLC) C:\WINDOWS\system32\Drivers\gzflt.sys
2015-01-20 03:48 - 2013-12-02 11:58 - 00677104 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avckf.sys
2015-01-20 03:48 - 2013-12-02 11:56 - 01306464 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avc3.sys
2015-01-14 23:30 - 2012-12-19 18:25 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-01-05 13:24 - 2013-07-09 07:31 - 00000000 ____D () C:\Users\stever\AppData\Local\CrashDumps
 
==================== Files in the root of some directories =======
 
2013-12-30 11:55 - 2015-01-28 13:54 - 0000576 _____ () C:\Users\stever\AppData\Roaming\com.iliumsoft.ewallet.plist
2014-07-11 09:19 - 2014-07-11 09:19 - 0000036 _____ () C:\Users\stever\AppData\Local\housecall.guid.cache
2014-07-23 12:07 - 2014-07-23 12:07 - 0063684 _____ () C:\ProgramData\1406139920.bdinstall.bin
2014-07-24 13:21 - 2014-07-24 13:21 - 0034785 _____ () C:\ProgramData\1406236703.bdinstall.bin
2014-07-25 07:46 - 2014-07-25 07:46 - 0279962 _____ () C:\ProgramData\1406237093.bdinstall.bin
2014-07-24 15:42 - 2014-07-24 15:42 - 0051976 _____ () C:\ProgramData\1406245320.bdinstall.bin
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
#2 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:01:19 AM

Posted 30 January 2015 - 12:06 AM

Hi Steve Rausch,

Welcome to BleepingComputer. My name is dbrisendine and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:
  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at BleepingComputer are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date.
  • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


    - Save ALL Tools to your Desktop-

    All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

    Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
    Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
    Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
    Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
    NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Let's get started....


The FRST.txt file seems incomplete. Can you attach both the FRST.txt and Addition.txt in a reply here? Thanks.

Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.


#3 Steve Rausch

Steve Rausch
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:19 AM

Posted 30 January 2015 - 04:40 PM

Thanks for the help! 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by SteveR (administrator) on STEVER-8L on 30-01-2015 13:42:20
Running from C:\Users\stever\Desktop
Loaded Profiles: user & SteveR (Available profiles: user & SteveR)
Platform: Windows 8.1 Pro with Media Center (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Bitdefender) C:\Program Files\Bitdefender\Endpoint\EndpointIntegration.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Bitdefender) C:\Program Files\Bitdefender\Endpoint\endpointservice.exe
(Bitdefender) C:\Program Files\Common Files\Bitdefender\Endpoint Agent\epag.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Bitdefender) C:\Program Files\Bitdefender\Endpoint\updateservice.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\VESMgr.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Update\VUAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCService.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCAgent.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\VESMgrSub.exe
(Bitdefender) C:\Program Files\Bitdefender\Endpoint\console.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkClient.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Qualcomm Atheros) C:\Program Files (x86)\Bluetooth Suite\BtTray.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
() C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Sony Corporation) C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(Cerulean Studios) C:\Program Files (x86)\Trillian\trillian.exe
(cyberlink) C:\Program Files (x86)\CyberLink\Shared files\brs.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Update\VAIOUpdt.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCSystemTray.exe
(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe
() C:\Program Files (x86)\Dude\dude.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\OUTLOOK.EXE
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\mstsc.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\mstsc.exe
(Infor) C:\Users\stever\AppData\Local\Apps\2.0\XN057YHM.Y6E\HMZH230H.TX8\sl8...ient_002c66e0bc74a4c9_0008.0003_d50feb7ddd032e42\WinStudio.exe
(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCAdmin.exe
(iolo technologies, LLC) C:\Program Files\Sony\VAIO Care\Iolo\ioloTools.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(Ilium Software, Inc.) C:\Program Files (x86)\Ilium Software\eWallet\eWallet.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\EXCEL.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\copyarea\spider.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1214608 2012-09-28] (Realtek Semiconductor)
HKLM\...\Run: [BtTray] => C:\Program Files (x86)\Bluetooth Suite\BtTray.exe [766080 2012-11-05] (Qualcomm Atheros)
HKLM\...\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [127616 2012-11-05] (Qualcomm Atheros Commnucations)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2013-04-30] (LogMeIn, Inc.)
HKLM\...\Run: [Windows Mobile Device Center] => C:\Windows\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2930488 2012-10-23] (Synaptics Incorporated)
HKLM-x32\...\Run: [ISBMgr.exe] => C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe [68776 2012-08-18] (Sony Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BDRegion] => c:\Program Files (x86)\Cyberlink\Shared files\brs.exe [180752 2012-10-23] (cyberlink)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.exe <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.divx.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin\*\*\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\webex\atcliun.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\webex\atcliun.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\webex\atcliun.exe <====== ATTENTION
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoWelcomeScreen] 1
HKU\S-1-5-21-1125280459-1369406679-368704386-1001\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [516608 2013-08-22] (Microsoft Corporation)
HKU\S-1-5-21-420477555-274140124-2451894829-2302\...\Run: [GoogleChromeAutoLaunch_1D527EB14E3E2C5515499BC909300047] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [843592 2015-01-24] (Google Inc.)
HKU\S-1-5-21-420477555-274140124-2451894829-2302\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7404312 2015-01-20] (Piriform Ltd)
Startup: C:\Users\stever\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\stever\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trillian.lnk
ShortcutTarget: Trillian.lnk -> C:\Program Files (x86)\Trillian\trillian.exe (Cerulean Studios)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-1125280459-1369406679-368704386-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://sony13.msn.com
HKU\S-1-5-21-1125280459-1369406679-368704386-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sony13.msn.com
HKU\S-1-5-21-420477555-274140124-2451894829-2302\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netvibes.com/privatepage/2#Welcome
HKU\S-1-5-21-420477555-274140124-2451894829-2302\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sony13.msn.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll (Qualcomm Atheros Commnucations)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com//activex/ractrl.cab?lmi=1100
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Hosts: 127.0.0.1 mathtag.com
Tcpip\Parameters: [DhcpNameServer] 192.168.1.248 192.168.1.247
 
FireFox:
========
FF ProfilePath: C:\Users\stever\AppData\Roaming\Mozilla\Firefox\Profiles\pmbypuph.default
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_16_0_0_296.dll ()
FF Plugin: @java.com/DTPlugin,version=10.9.2 -> C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.60.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.60.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-420477555-274140124-2451894829-2302: @citrixonline.com/appdetectorplugin -> C:\Users\stever\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Users\stever\AppData\Roaming\mozilla\plugins\npatgpc.dll (Cisco WebEx LLC)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/ig
CHR StartupUrls: Default -> "hxxp://www.netvibes.com/privatepage/2#Welcome"
CHR Profile: C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-02]
CHR Extension: (Google Drive) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-02]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-02]
CHR Extension: (YouTube) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-02]
CHR Extension: (Adblock Plus) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-08-26]
CHR Extension: (Google Search) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-02]
CHR Extension: (Cisco WebEx Extension) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2014-11-03]
CHR Extension: (Google Wallet) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-26]
CHR Extension: (Gmail) - C:\Users\stever\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-02]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [231040 2012-11-05] (Qualcomm Atheros Commnucations)
S2 CLKMSVC10_9EC60124; c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [243728 2012-09-28] (CyberLink)
R2 EndpointIntegration; C:\Program Files\Bitdefender\Endpoint\EndpointIntegration.exe [197136 2014-05-12] (Bitdefender)
R2 EndpointService; C:\Program Files\Bitdefender\Endpoint\EndpointService.exe [197136 2015-01-20] (Bitdefender)
R2 epag; C:\Program Files\Common Files\Bitdefender\Endpoint Agent\epag.exe [2228736 2015-01-20] (Bitdefender)
S2 ESRV_SVC; C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe [377768 2013-11-19] (Intel Corporation)
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.1\App Certification Kit\fussvc.exe [142336 2013-08-22] (Microsoft Corporation) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-09-29] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-09-29] (Intel Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [377704 2015-01-23] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226152 2015-01-23] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2013-04-30] (LogMeIn, Inc.)
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [62379184 2014-07-10] (Microsoft Corporation)
S3 NetworkSupport; C:\Program Files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkSupport.exe [625240 2013-09-28] (Sony Corporation)
R2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1900728 2013-06-05] (Microsoft Corporation)
S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [442536 2014-07-10] (Microsoft Corporation)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [119808 2013-08-22] (Microsoft Corporation) [File not signed]
R2 UpdateService; C:\Program Files\Bitdefender\Endpoint\UpdateService.exe [197136 2014-11-10] (Bitdefender)
R3 USER_ESRV_SVC; C:\Program Files\Sony\VAIO Care\ESRV\esrv_svc.exe [377768 2013-11-19] (Intel Corporation)
S3 VCFw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [964608 2012-09-28] (Sony Corporation) [File not signed]
S3 VsEtwService120; C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [87728 2013-10-04] (Microsoft Corporation)
R3 VUAgent; C:\Program Files\Sony\VAIO Update\VUAgent.exe [1642544 2014-02-27] (Sony Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [323584 2012-11-05] (Atheros) [File not signed]
S2 NPEService; "\\ex01\users\zVirusMgmt-IT\npe.exe" /service [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1306464 2015-01-20] (BitDefender)
R3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [677104 2015-01-20] (BitDefender)
S0 BDElam; C:\Windows\System32\drivers\bdelam.sys [23568 2013-09-08] (Bitdefender)
R1 Bdfndisf; C:\Program Files\Bitdefender\Endpoint\bdfndisf6.sys [98768 2013-11-19] (BitDefender LLC)
R1 Bdfwfpf; C:\Program Files\Bitdefender\Endpoint\bdfwfpf.sys [107080 2012-10-29] (BitDefender LLC)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [76952 2012-11-05] (Qualcomm Atheros)
S3 BTATH_VDP; C:\Windows\system32\drivers\btath_vdp.sys [427416 2012-11-05] (Qualcomm Atheros)
S3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
R0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [155912 2015-01-20] (BitDefender LLC)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-04-30] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S4 RsFx0153; C:\Windows\System32\DRIVERS\RsFx0153.sys [322736 2014-07-10] (Microsoft Corporation)
R3 SensorsSimulatorDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [227840 2014-05-30] (Microsoft Corporation)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [44344 2012-10-23] (Synaptics Incorporated)
R3 SOWS; C:\Windows\System32\drivers\sows.sys [24280 2012-06-10] (Sony Corporation)
R1 tmcomm; C:\Windows\system32\DRIVERS\tmcomm.sys [285208 2015-01-29] (Trend Micro Inc.)
R2 trufos; C:\Windows\System32\DRIVERS\trufos.sys [419616 2014-07-30] (BitDefender S.R.L.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
U3 ufdoypob; \??\C:\Users\stever\AppData\Local\Temp\ufdoypob.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-29 17:02 - 2015-01-29 17:02 - 01530182 _____ () C:\Users\stever\Downloads\sonicwall-TZ_215-5_9_0_6-3o.exp
2015-01-29 13:42 - 2015-01-29 13:42 - 05325208 _____ (Piriform Ltd) C:\Users\stever\Downloads\ccsetup502.exe
2015-01-29 13:42 - 2015-01-29 13:42 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-01-29 12:50 - 2015-01-29 12:50 - 00000938 _____ () C:\Users\stever\Downloads\tweaking.com_windows_repair_aio.zip
2015-01-29 12:38 - 2015-01-29 12:38 - 00338880 _____ () C:\STEVER-8L_2015.01.29-1231.04_733BE60C-0027-0005-00F3-00A563FB056E_24640.zip
2015-01-29 12:38 - 2015-01-29 12:38 - 00000334 _____ () C:\Users\stever\Downloads\Result.txt
2015-01-29 12:31 - 2015-01-29 12:38 - 00000000 ____D () C:\Users\stever\Downloads\TrendMicro AntiThreat Toolkit
2015-01-29 12:31 - 2015-01-29 12:31 - 00285208 _____ (Trend Micro Inc.) C:\WINDOWS\system32\Drivers\tmcomm.sys
2015-01-29 12:30 - 2015-01-29 12:30 - 25972952 _____ (Trend Micro Inc.) C:\Users\stever\Downloads\THREAT_CLEAN_64.exe
2015-01-29 12:23 - 2015-01-29 12:23 - 00525830 _____ () C:\Users\stever\Downloads\GMER scan.log
2015-01-29 11:56 - 2015-01-29 11:56 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\stever\Desktop\TDSSKiller.exe
2015-01-29 11:56 - 2015-01-29 11:56 - 04176437 _____ () C:\Users\stever\Downloads\tdsskiller.zip
2015-01-29 11:56 - 2015-01-29 11:56 - 00000000 ____D () C:\Users\stever\Downloads\tdsskiller
2015-01-29 11:27 - 2015-01-29 11:27 - 00380416 _____ () C:\Users\stever\Downloads\trqx5nmj.exe
2015-01-29 10:45 - 2015-01-29 10:45 - 00000000 ____D () C:\Program Files (x86)\ESET
2015-01-29 10:44 - 2015-01-29 10:44 - 02347384 _____ (ESET) C:\Users\stever\Desktop\esetsmartinstaller_enu.exe
2015-01-29 10:27 - 2015-01-29 10:27 - 00000000 ____D () C:\Program Files\HitmanPro
2015-01-29 10:25 - 2015-01-29 10:25 - 11225840 _____ (SurfRight B.V.) C:\Users\stever\Downloads\HitmanPro_x64.exe
2015-01-29 10:22 - 2015-01-29 10:22 - 00283932 _____ () C:\Users\stever\Downloads\ESETPoweliksCleaner.exe_20150129.102237.6896.log
2015-01-29 10:22 - 2015-01-29 10:22 - 00190152 _____ (ESET) C:\Users\stever\Downloads\ESETPoweliksCleaner.exe
2015-01-29 09:48 - 2015-01-29 09:48 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2015-01-29 09:48 - 2015-01-29 09:48 - 00000000 ____D () C:\ProgramData\Kaspersky Lab
2015-01-29 09:45 - 2015-01-29 09:47 - 171232920 _____ () C:\Users\stever\Downloads\setup_11.0.3.8.x01_2015_01_29_19_38.exe
2015-01-29 09:42 - 2015-01-29 09:42 - 00881520 _____ (NoVirusThanks Company Srl ) C:\Users\stever\Downloads\zbot_remover_setup.exe
2015-01-29 09:42 - 2015-01-29 09:42 - 00881520 _____ (NoVirusThanks Company Srl ) C:\Users\stever\Desktop\zbot_remover_setup.exe
2015-01-28 16:56 - 2015-01-28 16:56 - 00001373 _____ () C:\Users\stever\Desktop\checkup.txt
2015-01-28 16:45 - 2015-01-28 17:24 - 00038640 _____ () C:\Users\stever\Desktop\Addition.txt
2015-01-28 16:44 - 2015-01-30 13:42 - 00033839 _____ () C:\Users\stever\Desktop\FRST.txt
2015-01-28 16:43 - 2015-01-30 13:42 - 00000000 ____D () C:\FRST
2015-01-28 16:32 - 2015-01-30 13:02 - 02194432 _____ () C:\Users\stever\Desktop\adwcleaner_4.109.exe
2015-01-28 16:32 - 2015-01-28 16:28 - 02130432 _____ (Farbar) C:\Users\stever\Desktop\FRST64.exe
2015-01-28 16:32 - 2015-01-28 16:27 - 00448512 _____ (OldTimer Tools) C:\Users\stever\Desktop\TFC.exe
2015-01-28 15:52 - 2015-01-28 15:52 - 03640880 _____ () C:\Users\stever\Desktop\avg_remover_zbot.exe
2015-01-28 14:47 - 2015-01-28 11:19 - 00122976 _____ (Kaspersky Lab ZAO) C:\Users\stever\Desktop\zbotkiller.exe
2015-01-28 13:21 - 2015-01-28 13:21 - 12613116 _____ () C:\Users\stever\Downloads\sw_tz-215__eng_5.8.1.15 (1).sig
2015-01-09 10:14 - 2015-01-09 10:21 - 00000000 ____D () C:\Users\stever\AppData\Roaming\ShoreWare Client
2015-01-09 10:14 - 2015-01-09 10:14 - 00002266 _____ () C:\Users\Public\Desktop\ShoreTel Communicator.lnk
2015-01-09 10:14 - 2015-01-09 10:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ShoreTel
2015-01-09 10:14 - 2015-01-09 10:14 - 00000000 ____D () C:\Program Files (x86)\Shoreline Communications
2015-01-09 10:12 - 2015-01-09 10:12 - 00000000 ____D () C:\Users\stever\AppData\Roaming\{13525330-B260-416A-AF51-72191E6D0F4B}
2015-01-09 10:11 - 2015-01-09 10:11 - 77494336 _____ (ShoreTel, Inc.) C:\Users\stever\Downloads\setup.exe
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-30 13:37 - 2013-06-21 14:36 - 00000136 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2015-01-30 13:02 - 2013-08-22 07:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-01-30 13:02 - 2013-07-01 11:37 - 00000000 ____D () C:\Users\stever\Desktop\TEMP
2015-01-30 13:01 - 2014-08-28 14:12 - 00000830 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-01-30 12:49 - 2013-07-02 07:56 - 00000926 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-30 10:14 - 2014-01-06 13:51 - 00000000 ____D () C:\ProgramData\WebEx
2015-01-30 10:14 - 2014-01-06 13:51 - 00000000 ____D () C:\ProgramData\WebEx
2015-01-30 10:08 - 2014-01-20 12:03 - 00229672 _____ (Cisco WebEx LLC) C:\WINDOWS\SysWOW64\atsckernel.exe
2015-01-30 10:08 - 2014-01-20 12:03 - 00118568 _____ (Cisco WebEx LLC) C:\WINDOWS\SysWOW64\atashost.exe
2015-01-30 09:19 - 2013-12-19 15:26 - 00000000 ____D () C:\Users\stever\AppData\Local\Deployment
2015-01-29 20:13 - 2013-12-19 15:03 - 01714276 _____ () C:\WINDOWS\WindowsUpdate.log
2015-01-29 18:49 - 2013-07-02 07:56 - 00000922 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-29 16:17 - 2013-07-02 13:18 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-01-29 16:17 - 2013-07-02 13:18 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-01-29 13:45 - 2013-07-09 07:31 - 00000000 ____D () C:\Users\stever\AppData\Local\CrashDumps
2015-01-29 13:42 - 2014-07-22 17:12 - 00000000 ____D () C:\Program Files\CCleaner
2015-01-29 13:14 - 2013-06-21 14:46 - 00003596 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-420477555-274140124-2451894829-2302
2015-01-29 12:41 - 2013-06-21 14:40 - 00000000 ____D () C:\Users\stever\AppData\Local\VirtualStore
2015-01-29 12:39 - 2014-01-30 12:17 - 00000000 ____D () C:\ProgramData\Package Cache
2015-01-29 12:39 - 2014-01-30 12:17 - 00000000 ____D () C:\ProgramData\Package Cache
2015-01-29 09:18 - 2013-07-16 07:30 - 00000000 ____D () C:\Users\stever\AppData\Local\Citrix
2015-01-29 09:06 - 2013-06-21 14:40 - 00000000 ____D () C:\Users\stever\AppData\Local\Packages
2015-01-28 16:42 - 2014-07-24 08:20 - 00000000 ____D () C:\AdwCleaner
2015-01-28 16:39 - 2014-01-28 08:42 - 00001020 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2015-01-28 16:39 - 2014-01-28 08:42 - 00001004 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-01-28 16:38 - 2013-08-22 06:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-01-28 16:37 - 2013-08-22 05:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI
2015-01-28 15:33 - 2014-07-01 14:28 - 129880312 _____ (Microsoft Corporation) C:\Users\stever\Desktop\msert.exe
2015-01-28 14:04 - 2013-11-13 23:36 - 00977292 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-01-28 14:03 - 2013-10-24 15:36 - 00000000 ____D () C:\Update
2015-01-28 13:58 - 2013-12-19 15:18 - 00004608 __RSH () C:\ProgramData\ntuser.pol
2015-01-28 13:58 - 2013-12-19 15:18 - 00004608 __RSH () C:\ProgramData\ntuser.pol
2015-01-28 13:54 - 2013-12-30 11:55 - 00000576 _____ () C:\Users\stever\AppData\Roaming\com.iliumsoft.ewallet.plist
2015-01-28 12:39 - 2013-10-03 07:24 - 00013364 _____ () C:\Users\stever\advanced_ip_scanner_MAC.bin
2015-01-28 12:39 - 2013-10-03 07:24 - 00013364 _____ () C:\Users\stever\advanced_ip_scanner_MAC.bin
2015-01-28 11:27 - 2012-12-04 16:59 - 00000000 ____D () C:\Photos for Display
2015-01-28 02:29 - 2012-07-25 23:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-01-26 16:50 - 2013-07-02 07:57 - 00002203 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-24 12:01 - 2014-08-28 14:12 - 00003718 _____ () C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2015-01-23 21:24 - 2013-07-02 13:18 - 00000000 ____D () C:\Program Files (x86)\LogMeIn
2015-01-23 21:23 - 2013-07-02 13:18 - 00107392 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIRfsClientNP.dll
2015-01-23 21:23 - 2013-07-02 13:18 - 00092520 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIinit.dll
2015-01-23 21:23 - 2013-07-02 13:18 - 00035688 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIport.dll
2015-01-22 17:18 - 2013-07-01 09:06 - 00000000 ____D () C:\copyarea
2015-01-21 06:25 - 2013-08-22 07:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-01-20 03:48 - 2014-11-10 06:53 - 00262544 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avchv.sys
2015-01-20 03:48 - 2014-07-24 13:25 - 00155912 _____ (BitDefender LLC) C:\WINDOWS\system32\Drivers\gzflt.sys
2015-01-20 03:48 - 2013-12-02 11:58 - 00677104 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avckf.sys
2015-01-20 03:48 - 2013-12-02 11:56 - 01306464 _____ (BitDefender) C:\WINDOWS\system32\Drivers\avc3.sys
2015-01-14 23:30 - 2012-12-19 18:25 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
 
==================== Files in the root of some directories =======
 
2013-12-30 11:55 - 2015-01-28 13:54 - 0000576 _____ () C:\Users\stever\AppData\Roaming\com.iliumsoft.ewallet.plist
2014-07-11 09:19 - 2014-07-11 09:19 - 0000036 _____ () C:\Users\stever\AppData\Local\housecall.guid.cache
2014-07-23 12:07 - 2014-07-23 12:07 - 0063684 _____ () C:\ProgramData\1406139920.bdinstall.bin
2014-07-24 13:21 - 2014-07-24 13:21 - 0034785 _____ () C:\ProgramData\1406236703.bdinstall.bin
2014-07-25 07:46 - 2014-07-25 07:46 - 0279962 _____ () C:\ProgramData\1406237093.bdinstall.bin
2014-07-24 15:42 - 2014-07-24 15:42 - 0051976 _____ () C:\ProgramData\1406245320.bdinstall.bin
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-29 03:49
 
==================== End Of Log ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-01-2015
Ran by SteveR at 2015-01-30 13:43:05
Running from C:\Users\stever\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Endpoint Security by Bitdefender Antimalware (Enabled - Up to date) {9A0813D8-CED6-F86B-072E-28D2AF25A83D}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Endpoint Security by Bitdefender Antimalware (Enabled - Up to date) {2169F23C-E8EC-F7E5-3D9E-13A0D4A2E280}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Endpoint Security by Bitdefender Firewall (Enabled) {A23392FD-84B9-F933-2C71-81E751F6EF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version:  - )
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.296 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.05)  MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.05 - Adobe Systems Incorporated)
Advanced IP Scanner 2.3 (HKLM-x32\...\{A02F51A7-1982-4B69-8BD3-7D2B86179752}) (Version: 2.3.2161 - Famatech)
Amazon Kindle (HKU\S-1-5-21-420477555-274140124-2451894829-2302\...\Amazon Kindle) (Version:  - Amazon)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Behaviors SDK (XAML) for Visual Studio (x32 Version: 12.0.41002.1 - Microsoft Corporation) Hidden
Blend for Visual Studio 2013 (x32 Version: 12.0.41002.1 - Microsoft Corporation) Hidden
Blend for Visual Studio 2013 ENU resources (x32 Version: 12.0.41002.1 - Microsoft Corporation) Hidden
Bonjour (HKLM\...\{B91110FB-33B4-468B-90C2-4D5E8AE3FAE1}) (Version: 2.0.2.0 - Apple Inc.)
Bonjour Print Services (HKLM\...\{0DA20600-6130-443B-9D4B-F30520315FA6}) (Version: 2.0.2.0 - Apple Inc.)
Build Tools - amd64 (Version: 12.0.21005 - Microsoft Corporation) Hidden
Build Tools - x86 (x32 Version: 12.0.21005 - Microsoft Corporation) Hidden
Build Tools Language Resources - amd64 (Version: 12.0.21005 - Microsoft Corporation) Hidden
Build Tools Language Resources - x86 (x32 Version: 12.0.21005 - Microsoft Corporation) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.02 - Piriform)
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM-x32\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version:  3.0 - CutePDF.com)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.0.2126 - CyberLink Corp.)
CyberLink PowerDVD (HKLM-x32\...\InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}) (Version: 9.0.5728.52 - CyberLink Corp.)
DVD Architect Studio 5.0 (HKLM-x32\...\{42C509F1-C451-11E1-AEC9-F04DA23A5C58}) (Version: 5.0.161 - Sony)
Endpoint (Version: 5.3.12 - Bitdefender) Hidden
Endpoint Security by Bitdefender (HKLM\...\Endpoint Security) (Version: 5.3.12.470 - Bitdefender)
eWallet 8.0.1 for Windows PCs (HKLM-x32\...\Ilium Software eWallet_is1) (Version: 8.0.1 - Ilium Software)
FDUx86 (x32 Version: 1.0.0 - Sony Corporation) Hidden
GDR 4033 for SQL Server 2008 R2 (KB2977320) (64-bit) (HKLM\...\KB2977320) (Version: 10.52.4033.0 - Microsoft Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 40.0.2214.93 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3316 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.5.3.1004 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
Java 7 Update 60 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217060FF}) (Version: 7.0.600 - Oracle)
JavaScript Tooling (Version: 12.0.21005 - Microsoft Corporation) Hidden
KUx86 (x32 Version: 1.0.0 - Sony Corporation) Hidden
LogMeIn (HKLM-x32\...\{CB7AF84A-1B7F-4C6B-8A58-EB7CDE48C23A}) (Version: 4.1.3268 - LogMeIn, Inc.)
Microsoft .NET Framework 4.5 SDK (HKLM-x32\...\{4AE57014-05C4-4864-A13D-86517A7E1BA4}) (Version: 4.5.50710 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 SDK (HKLM-x32\...\{19A5926D-66E1-46FC-854D-163AA10A52D3}) (Version: 4.5.51641 - Microsoft Corporation)
Microsoft Help Viewer 2.1 (HKLM-x32\...\Microsoft Help Viewer 2.1) (Version: 2.1.21005 - Microsoft Corporation)
Microsoft Office Home and Business 2013 - en-us (HKLM\...\HomeBusinessRetail - en-us) (Version: 15.0.4505.1510 - Microsoft Corporation)
Microsoft SkyDrive (HKU\S-1-5-21-420477555-274140124-2451894829-2302\...\SkyDriveSetup.exe) (Version: 16.4.6012.0828 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 (64-bit) (HKLM\...\Microsoft SQL Server 2008 R2) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Native Client (HKLM\...\{E8F7904A-4780-4F3F-B153-21BE32857120}) (Version: 10.52.4033.0 - Microsoft Corporation)
Microsoft SQL Server 2008 R2 Setup (English) (HKLM\...\{1D4A3734-9328-440F-960C-42B4CE481EB4}) (Version: 10.52.4033.0 - Microsoft Corporation)
Microsoft SQL Server 2008 Setup Support Files  (HKLM\...\{B40EE88B-400A-4266-A17B-E3DE64E94431}) (Version: 10.1.2731.0 - Microsoft Corporation)
Microsoft SQL Server Browser (HKLM-x32\...\{BF9BF038-FE03-429D-9B26-2FA0FD756052}) (Version: 10.52.4000.0 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 SP1 x64 ENU (HKLM\...\{78909610-D229-459C-A936-25D92283D3FD}) (Version: 4.0.8876.1 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{288D79EE-A2D1-42AF-9597-B0ADCC23A8ED}) (Version: 10.52.4000.0 - Microsoft Corporation)
Microsoft Visio Premium 2010 (HKLM\...\Office14.VISIOR) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.31119 - Microsoft Corporation)
Microsoft Visual Studio Express 2013 for Windows - ENU (HKLM-x32\...\{78095723-ced1-49b3-b0ac-8598452ef0ec}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Windows Software Development Kit (6000.0.0) (HKLM\...\SDKSetup_6.0.6000.0) (Version: 6.0.6000.0 - Microsoft Corporation)
Mozilla Firefox 31.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 30.0 - Mozilla)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4505.1510 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4505.1510 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4505.1510 - Microsoft Corporation) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.214 - Qualcomm Atheros Communications)
QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6695 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.8400.28121 - Realtek Semiconductor Corp.)
Restore (x32 Version: 1.0.0 - Sony Corporation) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (HKLM\...\{91140000-0057-0000-1000-0000000FF1CE}_Office14.VISIOR_{3C578F10-F74F-4655-B2A6-9F88A6C415E8}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 64-Bit Edition (Version:  - Microsoft) Hidden
Service Pack 2 for SQL Server 2008 R2 (KB2630458) (64-bit) (HKLM\...\KB2630458) (Version: 10.52.4000.0 - Microsoft Corporation)
ShoreTel Communicator (HKLM-x32\...\{E6AA544E-51A1-4B89-9F54-E6321DC66AFB}) (Version: 19.43.4002.0 - ShoreTel, Inc.)
SL 8.03.11 Client (HKU\S-1-5-21-420477555-274140124-2451894829-2302\...\c9271269192c7bfa) (Version: 8.3.0.4 - Infor)
SQL Server 2008 R2 SP2 Common Files (Version: 10.52.4000.0 - Microsoft Corporation) Hidden
SQL Server 2008 R2 SP2 Database Engine Services (Version: 10.52.4000.0 - Microsoft Corporation) Hidden
SQL Server 2008 R2 SP2 Database Engine Shared (Version: 10.52.4000.0 - Microsoft Corporation) Hidden
Sql Server Customer Experience Improvement Program (Version: 10.50.1600.1 - Microsoft Corporation) Hidden
SSLx64 (Version: 1.0.0 - Sony Corporation ) Hidden
SSLx86 (x32 Version: 1.0.0 - Sony Corporation ) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.16.2 - Synaptics Incorporated)
Team Explorer for Microsoft Visual Studio 2013 (x32 Version: 12.0.21005 - Microsoft Corporation) Hidden
The Dude (HKLM-x32\...\Dude) (Version:  - )
Trillian (HKLM-x32\...\Trillian) (Version:  - Cerulean Studios, LLC)
VAIO Care (HKLM\...\{EF649526-0134-46A8-8DF3-D7F9309E48DB}) (Version: 8.4.2.12046 - Sony Corporation)
VAIO Control Center (HKLM-x32\...\{8E797841-A110-41FD-B17A-3ABC0641187A}) (Version: 6.1.0.10300 - Sony Corporation)
VAIO CPU Fan Diagnostic (HKLM-x32\...\{BCE6E3D7-B565-4E1B-AC77-F780666A35FB}) (Version: 1.1.0.09200 - Sony Corporation)
VAIO Data Restore Tool (HKLM-x32\...\{57B955CE-B5D3-495D-AF1B-FAEE0540BFEF}) (Version: 1.10.0.07270 - Sony Corporation)
VAIO Easy Connect (x32 Version: 8.2.0.14170 - Sony Corporation) Hidden
VAIO Gate (HKLM-x32\...\{14AC95A2-7675-4988-A5BD-3F5B943AED08}) (Version: 3.0.1.02270 - Sony Corporation)
VAIO Gate Default (HKLM-x32\...\{B7546697-2A80-4256-A24B-1C33163F535B}) (Version: 3.1.0.10240 - Sony Corporation)
VAIO Gesture Control (HKLM-x32\...\{692955F2-DE9F-4078-8FAA-858D6F3A1776}) (Version: 2.1.0.10220 - Sony Corporation)
VAIO Gesture Control (x32 Version: 2.1.0.10220 - Sony Corporation) Hidden
VAIO Hardware Diagnostics Plugin for VAIO Care (HKLM-x32\...\{EC153498-00E1-4C9C-89BE-81527C6750BE}) (Version: 4.7.0.11070 - Sony Corporation)
VAIO Health Report (HKLM-x32\...\VAIO Health Report1.0) (Version: 1.0 - Sony Electronics)
VAIO Image Optimizer (HKLM-x32\...\InstallShield_{5597C927-029A-46A7-A0C0-8DABD9891A50}) (Version: 3.0.00.08170 - Sony Corporation)
VAIO Image Optimizer (x32 Version: 3.0.00.08170 - Sony Corporation) Hidden
VAIO Improvement (HKLM-x32\...\{3A26D9BD-0F73-432D-B522-2BA18138F7EF}) (Version: 2.1.0.10220 - Sony Corporation)
VAIO Manual (HKLM-x32\...\{C6E893E7-E5EA-4CD5-917C-5443E753FCBD}) (Version: 3.0.0.08100 - Sony Corporation)
VAIO Media Server Settings (HKLM\...\{62A172B2-550E-499D-9A82-5190D18390AA}) (Version: 1.0.1.10170 - Sony Corporation)
VAIO Transfer Support (HKLM-x32\...\{5DDAFB4B-C52E-468A-9E23-3B0CEEB671BF}) (Version: 1.9.0.11060 - Sony Corporation)
VAIO Update (HKLM-x32\...\{9FF95DA2-7DA1-4228-93B7-DED7EC02B6B2}) (Version: 7.0.0.14270 - Sony Corporation)
VCCMMx64 (Version: 1.0.0 - Sony Corporation) Hidden
VCCMMx86 (x32 Version: 1.0.0 - Sony Corporation) Hidden
VCCx64 (Version: 1.0.0 - Sony Corporation) Hidden
VCCx86 (x32 Version: 1.0.0 - Sony Corporation) Hidden
VGClientX64 (Version: 1.0.0 - Sony Corporation) Hidden
VHD (x32 Version: 1.0.0 - Sony Corporation) Hidden
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VIx64 (Version: 1.0.0 - Sony Corporation) Hidden
VIx86 (x32 Version: 1.0.0 - Sony Corporation) Hidden
VMLx86 (x32 Version: 1.0.0 - Sony Corporation) Hidden
VPMx64 (Version: 1.0.0 - Sony Corporation ) Hidden
VSSTx64 (Version: 1.0.0 - Sony Corporation ) Hidden
VSSTx86 (x32 Version: 1.0.0 - Sony Corporation) Hidden
VU5x64 (Version: 1.0.0 - Sony Corporation ) Hidden
VU5x64 (Version: 1.1.0 - Sony Corporation ) Hidden
VU5x86 (x32 Version: 1.0.0 - Sony Corporation ) Hidden
VU5x86 (x32 Version: 1.1.0 - Sony Corporation ) Hidden
VUx64 (Version: 1.0.0 - Sony Corporation ) Hidden
VUx86 (x32 Version: 1.0.0 - Sony Corporation ) Hidden
VWSTx86 (x32 Version: 1.0.0 - Sony Corporation) Hidden
Windows Mobile Device Center (HKLM\...\{626672CD-BFCF-49A9-AEFE-AB0FED3BFC5B}) (Version: 6.1.6965.0 - Microsoft Corporation)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-420477555-274140124-2451894829-2302_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\stever\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-420477555-274140124-2451894829-2302_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\stever\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-420477555-274140124-2451894829-2302_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\stever\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-420477555-274140124-2451894829-2302_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\stever\AppData\Local\Microsoft\SkyDrive\16.4.6012.0828\amd64\FileSyncApi64.dll (Microsoft Corporation)
 
==================== Restore Points  =========================
 
14-01-2015 23:30:12 Installed VAIO Control Center
22-01-2015 04:09:36 Scheduled Checkpoint
29-01-2015 09:18:46 Removed Adblock Plus for IE (32-bit and 64-bit)
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 05:25 - 2015-01-30 13:12 - 00000893 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 mathtag.com
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {00FA1264-1497-402F-BDF8-2FF98355780D} - System32\Tasks\USER_ESRV_SVC => Wscript.exe //B //NoLogo "C:\Program Files\Sony\VAIO Care\ESRV\task.vbs"
Task: {02CDCBDC-DA60-44EE-B841-D323FFBDA017} - System32\Tasks\Sony Corporation\VAIO Control Center\NetworkSetting\NetworkSetting Logon Start => C:\Program Files (x86)\Sony\VAIO Control Center\NetworkSetting\NetworkClient
Task: {0744101F-9F74-4724-8353-FFBD21C1BECB} - System32\Tasks\Sony Corporation\VAIO Care\CheckSystemInfo => C:\Program Files\Sony\VAIO Care\VCSystemTray.exe [2014-12-03] (Sony Corporation)
Task: {127E05A3-C301-40E8-845D-A4111CAE34D1} - System32\Tasks\Sony Corporation\VAIO Care\ActiveStatusCollect => C:\Program Files\Sony\VAIO Care\VCSystemTray.exe [2014-12-03] (Sony Corporation)
Task: {14C6F768-B925-4BB8-9E4E-25806CF3FAA5} - System32\Tasks\Sony Corporation\VAIO Care\VCOneClick => C:\Program Files\Sony\VAIO Care\VCSystemTray.exe [2014-12-03] (Sony Corporation)
Task: {2E01FDAC-033D-4620-B998-CC686A86F240} - System32\Tasks\Sony Corporation\VAIO Care\VCRLog => C:\Program Files\Sony\VAIO Care\VCSystemTray.exe [2014-12-03] (Sony Corporation)
Task: {3AA5DAB6-25CD-46D8-80AC-FC9EAE5E38C1} - System32\Tasks\Sony Corporation\VAIO Control Center\VAIOControlCenterSystem => C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe [2014-11-17] (Sony Corporation)
Task: {3AC52F84-41CD-41F1-A2FE-1D7C1BF76088} - System32\Tasks\CLVDLauncher => C:\Program Files (x86)\CyberLink\Power2Go8\CLVDLauncher.exe [2012-07-23] (CyberLink Corp.)
Task: {3B03EE33-AE34-4ED2-9E9B-F74FB1BF0B1E} - System32\Tasks\Sony Corporation\VAIO Control Center\VAIOControlCenterUser => C:\Program Files (x86)\Sony\VAIO Control Center\vim.exe [2014-11-17] (Sony Corporation)
Task: {3B614DDB-5AA4-4A31-B96B-2F1AAE800DED} - System32\Tasks\Sony Corporation\VAIO Improvement\VAIOImprovementUploader => C:\Program Files\Sony\VAIO Improvement\viuploader.exe [2012-10-22] (Sony Corporation)
Task: {43C8A654-3283-48E3-9FA2-4E5AEF3FE9ED} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {4515DEDE-EE2E-4A8E-A65E-31BF9A022B3C} - System32\Tasks\Sony Corporation\VAIO Update\VAIO Update Self Repair => C:\Program Files\Sony\VAIO Update\VUSR.exe [2014-02-28] (Sony Corporation)
Task: {49B07657-9796-451B-8323-2C4CE8F97D90} - System32\Tasks\Sony Corporation\VAIO Care\VCSelfHeal => C:\Program Files\Sony\VAIO Care\VCSystemTray.exe [2014-12-03] (Sony Corporation)
Task: {52771274-D965-491E-AAB5-B9573E895E80} - System32\Tasks\Sony Corporation\VAIO Care\VAIO Care => C:\Program Files\Sony\VAIO Care\VCSystemTray.exe [2014-12-03] (Sony Corporation)
Task: {53294F1E-E41F-42B4-B9A5-14875459CC29} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-01-24] (Adobe Systems Incorporated)
Task: {550886E0-1D67-45E5-96BE-6A2FFD752506} - System32\Tasks\Sony Corporation\VAIO Gesture Control\VCGULogonTask => C:\Program Files (x86)\Sony\VAIO Camera Gesture Utility\VCGU.exe [2012-10-23] (Sony Corporation)
Task: {603E7E8A-F829-4719-81B2-3B5F571E6E88} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {6A1B603D-76F9-4E8A-8373-FBE885080757} - System32\Tasks\Sony Corporation\VAIO Gate\VAIO Gate => C:\Program Files\Sony\VAIO Gate\VAIO Gate.exe [2013-02-21] (Sony Corporation)
Task: {7A354B07-3073-46D3-B233-537A1D3EB4B5} - System32\Tasks\VAIO Health Report => C:\Program Files (x86)\Sony\VAIO Health Report\VAIOHealthReport.exe [2013-06-20] (Sony Electronics)
Task: {8613D6A4-C57C-48B3-821C-6D0CD985FEA4} - System32\Tasks\Microsoft Office 15 Sync Maintenance for {94ebc65f-976e-4d57-bce8-439788a8ccf3} STEVER-8L.AppServer.local => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2013-06-27] (Microsoft Corporation)
Task: {9BD0FA22-D86B-4A05-8E1F-34AF840BB47A} - System32\Tasks\Microsoft\Windows\SyncCenter\S-1-5-21-420477555-274140124-2451894829-2302\{750FDF10-2A26-11D1-A3EA-080036587F03}\Offline Files Sync Schedule 1 => C:\Windows\system32\mobsync.exe [2013-08-22] (Microsoft Corporation)
Task: {9C2A31BC-6108-4137-870F-4027CD143A9F} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-01-20] (Piriform Ltd)
Task: {BAC56820-D2E5-42D7-8E07-E088E6AC9EC4} - System32\Tasks\Sony Corporation\VAIO Care\VCMetrics => C:\Program Files\Sony\VAIO Care\VCSystemTray.exe [2014-12-03] (Sony Corporation)
Task: {BADD9513-EC04-407E-8493-44D3306FECBC} - System32\Tasks\Sony Corporation\VAIO Control Center\Level4Month => C:\Program Files (x86)\Sony\VAIO Control Center\WBCBatteryCare.exe [2012-09-06] (Sony Corporation)
Task: {C3D06491-C3B3-4711-9939-5F8BCFC932D6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-02] (Google Inc.)
Task: {C5483E96-89CA-496B-B716-C580AC982367} - System32\Tasks\Sony Corporation\VHDInformationCheck => C:\Program Files (x86)\Sony\VAIO Recovery\plugins\InformationCheck.exe [2012-11-07] (Sony Corporation)
Task: {C5CC3F24-DABA-4CFF-B1A8-4D472981C647} - System32\Tasks\Sony Corporation\VAIO Update\VAIO Update => C:\Program Files\Sony\VAIO Update\VAIOUpdt.exe [2014-02-27] (Sony Corporation)
Task: {C7EC7DBA-9FD2-4235-920B-CB8C1CC1FF32} - System32\Tasks\Sony Corporation\VAIO Care\GetPOTInfo => C:\Program Files\Sony\VAIO Care\VCSystemTray.exe [2014-12-03] (Sony Corporation)
Task: {D062BDCD-4C40-44BD-A153-EC996944FE08} - System32\Tasks\Synaptics TouchPad Enhancements => \Program Files\Synaptics\SynTP\SynTPEnh.exe [2012-10-23] (Synaptics Incorporated)
Task: {D4DF4BF6-C573-4102-B997-7258FC2667B0} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}
Task: {D637472F-2C0F-4463-ADBD-9A7E2156FBC2} - System32\Tasks\Sony Corporation\VAIO Care\UploadPOT => C:\Program Files\Sony\VAIO Care\VCSystemTray.exe [2014-12-03] (Sony Corporation)
Task: {D9826120-0E8D-414E-902E-2FD03AB2ED7A} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {E00C73C4-5B40-4969-99C7-D8E724AF6336} - System32\Tasks\Sony Corporation\VAIO Care\DeployCRMflag => C:\Program Files\Sony\VAIO Care\DeployCRMflag.exe [2014-01-16] (Sony Corporation)
Task: {E23533DF-2793-455D-91C4-FC6292FB0FD7} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-02] (Google Inc.)
Task: {EE000B9F-EAAF-4EF6-8341-754EBD8A5C90} - System32\Tasks\Sony Corporation\VAIO Care\VCCheckIolo => C:\Program Files\Sony\VAIO Care\VCSystemTray.exe [2014-12-03] (Sony Corporation)
Task: {F275383C-3F04-46B0-86E8-7BD191A32740} - System32\Tasks\Sony Corporation\VAIO Care\UpdateSolution => C:\Program Files\Sony\VAIO Care\Solution.Updater.exe [2014-12-03] (Sony Corporation)
Task: {F2AAA18A-D7FB-42C1-9C4A-0E33929DAC01} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-06-05] (Microsoft Corporation)
Task: {F9DCACE1-A1BD-4308-9944-EA2BD4C8E00C} - System32\Tasks\Sony Corporation\VAIO Control Center\Level4Daily => C:\Program Files (x86)\Sony\VAIO Control Center\WBCBatteryCare.exe [2012-09-06] (Sony Corporation)
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Synaptics TouchPad Enhancements.job => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
 
==================== Loaded Modules (whitelisted) =============
 
2013-07-02 12:58 - 2012-10-04 18:49 - 00087152 _____ () C:\WINDOWS\System32\cpwmon64.dll
2014-07-24 13:41 - 2014-07-24 13:18 - 00265080 _____ () C:\Program Files\Bitdefender\Endpoint\txmlutil.dll
2011-11-14 19:17 - 2011-11-14 19:17 - 00153680 _____ () C:\Program Files\Bitdefender\Endpoint\bdfwcore.dll
2014-07-24 14:49 - 2014-07-24 14:49 - 00780592 _____ () C:\Program Files\Bitdefender\Endpoint\Signatures\OTEngines\otengines_00037_001\ashttpbr.mdl
2014-07-24 14:49 - 2014-07-24 14:49 - 00568400 _____ () C:\Program Files\Bitdefender\Endpoint\Signatures\OTEngines\otengines_00037_001\ashttpdsp.mdl
2014-07-24 14:49 - 2014-07-24 14:49 - 02599584 _____ () C:\Program Files\Bitdefender\Endpoint\Signatures\OTEngines\otengines_00037_001\ashttpph.mdl
2014-07-24 14:49 - 2014-07-24 14:49 - 01322896 _____ () C:\Program Files\Bitdefender\Endpoint\Signatures\OTEngines\otengines_00037_001\ashttprbl.mdl
2014-07-24 13:42 - 2014-05-08 16:03 - 00266592 _____ () C:\Program Files\Common Files\Bitdefender\Endpoint Agent\zlib.dll
2013-06-21 14:44 - 2013-06-05 23:53 - 00377000 _____ () C:\Program Files\Microsoft Office 15\ClientX64\c2rui.dll
2013-06-21 14:44 - 2013-06-05 23:54 - 00518824 _____ () C:\Program Files\Microsoft Office 15\ClientX64\c2r64.dll
2013-06-21 14:44 - 2013-06-05 23:53 - 00612008 _____ () C:\Program Files\Microsoft Office 15\ClientX64\StreamServer.dll
2013-06-26 10:41 - 2013-06-27 08:21 - 08864936 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2013-10-03 23:42 - 2013-10-03 23:42 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-11-05 19:28 - 2012-11-05 19:28 - 00384128 _____ () C:\Program Files (x86)\Bluetooth Suite\ContactsApi.dll
2012-11-05 19:26 - 2012-11-05 19:26 - 00011264 _____ () C:\Program Files (x86)\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2012-11-05 19:28 - 2012-11-05 19:28 - 00012928 _____ () C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
2010-04-06 05:35 - 2010-04-06 05:35 - 04142080 _____ () C:\Program Files (x86)\Dude\dude.exe
2014-10-16 07:17 - 2014-10-16 07:17 - 00030720 _____ () C:\Users\stever\AppData\Local\Apps\2.0\XN057YHM.Y6E\HMZH230H.TX8\sl8...ient_002c66e0bc74a4c9_0008.0003_d50feb7ddd032e42\WinStudioRuntime.XmlSerializers.dll
2014-10-16 07:17 - 2014-10-16 07:17 - 00015872 _____ () C:\Users\stever\AppData\Local\Apps\2.0\XN057YHM.Y6E\HMZH230H.TX8\sl8...ient_002c66e0bc74a4c9_0008.0003_d50feb7ddd032e42\MGScriptMgr.XmlSerializers.dll
2014-10-16 07:17 - 2014-10-16 07:17 - 00430080 _____ () C:\Users\stever\AppData\Local\Apps\2.0\XN057YHM.Y6E\HMZH230H.TX8\sl8...ient_002c66e0bc74a4c9_0008.0003_d50feb7ddd032e42\IDOProtocol.XmlSerializers.dll
2012-12-19 18:35 - 2012-09-29 08:21 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2013-06-26 10:28 - 2013-06-27 08:10 - 00313000 _____ () C:\Program Files\Microsoft Office 15\root\office15\AppVIsvStream32.dll
2013-06-26 10:28 - 2013-06-27 08:10 - 00358056 _____ () C:\Program Files\Microsoft Office 15\root\office15\c2r32.dll
2013-06-12 23:00 - 2013-06-12 23:00 - 00059904 _____ () C:\Program Files (x86)\Trillian\zlib1.dll
2013-06-12 23:00 - 2013-06-12 23:00 - 00187392 _____ () C:\Program Files (x86)\Trillian\libpng15.dll
2013-06-12 23:00 - 2013-06-12 23:00 - 00065536 _____ () C:\Program Files (x86)\Trillian\libungif.dll
2013-06-12 23:00 - 2013-06-12 23:00 - 00006656 _____ () c:\program files (x86)\trillian\languages\en\trillian.dll
2013-06-12 23:00 - 2013-06-12 23:00 - 00003584 _____ () c:\program files (x86)\trillian\languages\en\toolkit.dll
2013-06-12 23:00 - 2013-06-12 23:00 - 00006656 _____ () c:\program files (x86)\trillian\languages\en\events.dll
2013-06-12 23:00 - 2013-06-12 23:00 - 00010752 _____ () c:\program files (x86)\trillian\languages\en\buddy.dll
2013-06-12 23:00 - 2013-06-12 23:00 - 00007168 _____ () c:\program files (x86)\trillian\languages\en\talk.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00335360 _____ () C:\Program Files (x86)\Dude\libcairo-2.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00108544 _____ () C:\Program Files (x86)\Dude\libexpat-1.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00140288 _____ () C:\Program Files (x86)\Dude\libfontconfig-1.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00233984 _____ () C:\Program Files (x86)\Dude\libnetsnmp-15.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00178176 _____ () C:\Program Files (x86)\Dude\librsvg-2-2.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00372224 _____ () C:\Program Files (x86)\Dude\libfreetype-6.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00163840 _____ () C:\Program Files (x86)\Dude\libpixman-1-0.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00153600 _____ () C:\Program Files (x86)\Dude\libpng12-0.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00236032 _____ () C:\Program Files (x86)\Dude\libgio-2.0-0.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00119808 _____ () C:\Program Files (x86)\Dude\libjpeg-62.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00165376 _____ () C:\Program Files (x86)\Dude\libcroco-0.6-3.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00039936 _____ () C:\Program Files (x86)\Dude\libpangocairo-1.0-0.dll
2010-04-06 05:34 - 2010-04-06 05:34 - 00281088 _____ () C:\Program Files (x86)\Dude\libxml2-2.dll
2013-06-26 10:31 - 2013-06-27 08:18 - 01014440 _____ () C:\Program Files\Microsoft Office 15\Root\Office15\ADDINS\UmOutlookAddin.dll
2013-06-26 10:43 - 2013-06-27 08:25 - 00321088 _____ () C:\Program Files\Microsoft Office 15\root\office15\msfad.dll
2015-01-26 16:50 - 2015-01-24 22:08 - 09170760 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.93\pdf.dll
2015-01-26 16:50 - 2015-01-24 22:08 - 01117512 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.93\libglesv2.dll
2015-01-26 16:50 - 2015-01-24 22:08 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.93\libegl.dll
2013-11-19 10:21 - 2013-11-19 10:21 - 00347136 _____ () C:\Program Files\Sony\VAIO Care\Iolo\vosges.dll
2014-11-24 13:05 - 2014-11-24 13:05 - 00880640 _____ () C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\Updater\43fd3dec94bf2a788b29b42744c4696f\Updater.ni.dll
2014-11-24 13:05 - 2014-11-24 13:05 - 00640000 _____ () C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\RestSharp\e0ecb0f5c11ce662c5ae86c3c8713b5c\RestSharp.ni.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\Users\stever\Desktop\adwcleaner_4.109.exe:BDU
AlternateDataStreams: C:\Users\stever\Desktop\avg_remover_zbot.exe:BDU
AlternateDataStreams: C:\Users\stever\Desktop\esetsmartinstaller_enu.exe:BDU
AlternateDataStreams: C:\Users\stever\Desktop\msert.exe:BDU
AlternateDataStreams: C:\Users\stever\Desktop\zbot_remover_setup.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\ccsetup502.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\Cisco_WebEx_Add-On.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\ESETPoweliksCleaner.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\eWallet-Win-Install.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\HitmanPro_x64.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\mbam-setup-2.0.3.1025.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\setup_11.0.3.8.x01_2015_01_29_19_38.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\THREAT_CLEAN_64.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\trqx5nmj.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\zbot_remover_setup.exe:BDU
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\atashost => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRkrn => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRSVC => ""="Service"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-1125280459-1369406679-368704386-500 - Administrator - Disabled)
Guest (S-1-5-21-1125280459-1369406679-368704386-501 - Limited - Disabled)
user (S-1-5-21-1125280459-1369406679-368704386-1001 - Administrator - Enabled) => C:\Users\user
 
==================== Faulty Device Manager Devices =============
 
Name: Microsoft Visual Studio Location Simulator Sensor
Description: Microsoft Visual Studio Location Simulator Sensor
Class Guid: {5175d334-c371-4806-b3ba-71fd53c9258d}
Manufacturer: Microsoft Corporation
Service: SensorsSimulatorDriver
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation. 
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/30/2015 01:43:09 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:42:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:42:29 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:42:00 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:28:09 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:17:19 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:16:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:02:38 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 00:55:35 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 00:42:00 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
 
System errors:
=============
Error: (01/30/2015 05:42:27 AM) (Source: DCOM) (EventID: 10010) (User: APPSERVER)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}
 
Error: (01/30/2015 05:41:57 AM) (Source: DCOM) (EventID: 10010) (User: APPSERVER)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}
 
Error: (01/29/2015 00:16:01 PM) (Source: DCOM) (EventID: 10010) (User: APPSERVER)
Description: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
 
Error: (01/29/2015 10:48:19 AM) (Source: DCOM) (EventID: 10006) (User: APPSERVER)
Description: 2147944122HP_PD1_D8{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (01/29/2015 09:27:47 AM) (Source: DCOM) (EventID: 10006) (User: APPSERVER)
Description: 2147944122dellopt380-7d{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (01/29/2015 09:27:47 AM) (Source: DCOM) (EventID: 10006) (User: APPSERVER)
Description: 2147944122JUSTINS-7D{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (01/29/2015 09:23:32 AM) (Source: DCOM) (EventID: 10006) (User: APPSERVER)
Description: 2147944122Geek1{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (01/29/2015 09:23:32 AM) (Source: DCOM) (EventID: 10006) (User: APPSERVER)
Description: 2147944122DT-0131-W8{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (01/29/2015 09:23:32 AM) (Source: DCOM) (EventID: 10006) (User: APPSERVER)
Description: 2147944122ADMINHP-7M{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
Error: (01/29/2015 09:23:32 AM) (Source: DCOM) (EventID: 10006) (User: APPSERVER)
Description: 2147944122WAREHOUSEPC{8BC3F05E-D86B-11D0-A075-00C04FB68820}
 
 
Microsoft Office Sessions:
=========================
Error: (01/30/2015 01:43:09 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:42:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:42:29 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:42:00 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:28:09 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:17:19 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:16:15 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 01:02:38 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 00:55:35 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
Error: (01/30/2015 00:42:00 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: GetLargeResourceRecord: opt 65002 optlen 8 wrong
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-07-15 15:45:10.303
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-15 14:04:20.893
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-15 13:51:16.553
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-15 13:33:01.989
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-15 13:15:55.446
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-15 13:05:41.476
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-15 12:26:08.465
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-15 11:30:31.342
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-15 10:05:24.560
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-07-15 09:52:00.599
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3230M CPU @ 2.60GHz
Percentage of memory in use: 57%
Total physical RAM: 8071.27 MB
Available physical RAM: 3437.34 MB
Total Pagefile: 9351.27 MB
Available Pagefile: 5350.49 MB
Total Virtual: 131072 MB
Available Virtual: 131071.83 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:899.23 GB) (Free:845.68 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 85D3B683)
 
Partition: GPT Partition Type.
 
==================== End Of Log ============================


#4 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:01:19 AM

Posted 31 January 2015 - 12:55 AM

Actually, your logs look very clean.  One question: did TDSSKiller find anything, or have you not run it yet?  (Don't do so now; just answer the question for the time being.)
 
 


Download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.

 
Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks -----> (donate button)


#5 Steve Rausch

Steve Rausch
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:19 AM

Posted 02 February 2015 - 12:56 PM

Hi,

 

System rebooted after FRST fix ran, and the reboot had trouble.  Win8 indicated it was having trouble (something about drivers), gathered data, then successfully rebooted.

 

FRST fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by SteveR at 2015-02-02 09:41:50 Run:2
Running from C:\Users\stever\Desktop
Loaded Profiles: user & SteveR (Available profiles: user & SteveR)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
(Infor) C:\Users\stever\AppData\Local\Apps\2.0\XN057YHM.Y6E\HMZH230H.TX8\sl8...ient_002c66e0bc74a4c9_0008.0003_d50feb7ddd032e42\WinStudio.exe
(Microsoft Corporation) C:\copyarea\spider.exe
HKU\S-1-5-21-420477555-274140124-2451894829-2302\...\Run: [GoogleChromeAutoLaunch_1D527EB14E3E2C5515499BC909300047] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [843592 2015-01-24] (Google Inc.)
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S2 NPEService; "\\ex01\users\zVirusMgmt-IT\npe.exe" /service [X]
S4 LMIRfsClientNP; No ImagePath
U3 ufdoypob; \??\C:\Users\stever\AppData\Local\Temp\ufdoypob.sys [X]
Task: {00FA1264-1497-402F-BDF8-2FF98355780D} - System32\Tasks\USER_ESRV_SVC => Wscript.exe //B //NoLogo "C:\Program Files\Sony\VAIO Care\ESRV\task.vbs"
AlternateDataStreams: C:\Users\stever\Desktop\adwcleaner_4.109.exe:BDU
AlternateDataStreams: C:\Users\stever\Desktop\avg_remover_zbot.exe:BDU
AlternateDataStreams: C:\Users\stever\Desktop\esetsmartinstaller_enu.exe:BDU
AlternateDataStreams: C:\Users\stever\Desktop\msert.exe:BDU
AlternateDataStreams: C:\Users\stever\Desktop\zbot_remover_setup.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\ccsetup502.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\Cisco_WebEx_Add-On.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\ESETPoweliksCleaner.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\eWallet-Win-Install.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\HitmanPro_x64.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\mbam-setup-2.0.3.1025.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\setup_11.0.3.8.x01_2015_01_29_19_38.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\THREAT_CLEAN_64.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\trqx5nmj.exe:BDU
AlternateDataStreams: C:\Users\stever\Downloads\zbot_remover_setup.exe:BDU
C:\Users\stever\AppData\Local\Apps\2.0\XN057YHM.Y6E\HMZH230H.TX8\sl8...ient_002c66e0bc74a4c9_0008.0003_d50feb7ddd032e42\WinStudio.exe
C:\copyarea\spider.exe
EmptyTemp:
Reboot:
end

*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
C:\Users\stever\AppData\Local\Apps\2.0\XN057YHM.Y6E\HMZH230H.TX8\sl8...ient_002c66e0bc74a4c9_0008.0003_d50feb7ddd032e42\WinStudio.exe => No running process found
C:\copyarea\spider.exe => No running process found
HKU\S-1-5-21-420477555-274140124-2451894829-2302\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_1D527EB14E3E2C5515499BC909300047 => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
NPEService => Service deleted successfully.
LMIRfsClientNP => Service deleted successfully.
ufdoypob => Service deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{00FA1264-1497-402F-BDF8-2FF98355780D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00FA1264-1497-402F-BDF8-2FF98355780D}" => Key deleted successfully.
C:\Windows\System32\Tasks\USER_ESRV_SVC => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\USER_ESRV_SVC" => Key deleted successfully.
C:\Users\stever\Desktop\adwcleaner_4.109.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Desktop\avg_remover_zbot.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Desktop\esetsmartinstaller_enu.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Desktop\msert.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Desktop\zbot_remover_setup.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Downloads\ccsetup502.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Downloads\Cisco_WebEx_Add-On.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Downloads\ESETPoweliksCleaner.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Downloads\eWallet-Win-Install.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Downloads\HitmanPro_x64.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Downloads\mbam-setup-2.0.3.1025.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Downloads\setup_11.0.3.8.x01_2015_01_29_19_38.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Downloads\THREAT_CLEAN_64.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Downloads\trqx5nmj.exe => ":BDU" ADS removed successfully.
C:\Users\stever\Downloads\zbot_remover_setup.exe => ":BDU" ADS removed successfully.
C:\Users\stever\AppData\Local\Apps\2.0\XN057YHM.Y6E\HMZH230H.TX8\sl8...ient_002c66e0bc74a4c9_0008.0003_d50feb7ddd032e42\WinStudio.exe => Moved successfully.
C:\copyarea\spider.exe => Moved successfully.
EmptyTemp: => Removed 459.5 MB temporary data.

The system needed a reboot.

==== End of Fixlog 09:46:05 ====



#6 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:01:19 AM

Posted 03 February 2015 - 02:00 AM

Are you still getting the reports of the system "Zbot / Zeus" now?

 

 

 

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the AdwCleaner console.
  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found; above it, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.
  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.




#7 Steve Rausch

Steve Rausch
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:19 AM

Posted 04 February 2015 - 12:11 AM

Hi,

 

I am still seeing my machine making DNS requests for sites associated with the Zeus infection per the CBL; pixel.mathtag.com as an example.  I have no idea where this traffic is coming from.

 

 

ADWCleaner log looks empty;

 

# AdwCleaner v4.109 - Report created 03/02/2015 at 13:05:17
# Updated 24/01/2015 by Xplode
# Database : 2015-02-03.1 [Live]
# Operating System : Windows 8.1 Pro with Media Center  (64 bits)
# Username : SteveR - STEVER-8L
# Running from : C:\Users\stever\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Mozilla Firefox v31.0 (x86 en-US)
 
 
-\\ Google Chrome v40.0.2214.94
 
 
*************************
 
AdwCleaner[R0].txt - [2870 octets] - [24/07/2014 08:21:28]
AdwCleaner[R1].txt - [2598 octets] - [28/01/2015 16:32:39]
AdwCleaner[R2].txt - [973 octets] - [28/01/2015 16:41:29]
AdwCleaner[R3].txt - [1026 octets] - [03/02/2015 13:01:43]
AdwCleaner[R4].txt - [888 octets] - [03/02/2015 13:05:17]
AdwCleaner[S0].txt - [2634 octets] - [28/01/2015 16:36:51]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R4].txt - [1007 octets] ##########
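The step the original poster describes, checking the internal DNS server's logs to see which client asked for the indicator names, is worth having as a repeatable script rather than a one-off grep. The block below is an added example for this thread; it is not code from BleepingComputer, from FRST, or from the CBL. It assumes the Windows DNS Server debug-log "PACKET" line layout (date, time, thread id, PACKET, packet id, protocol, Snd/Rcv, remote IP, xid, an R on responses, opcode, bracketed flags, question type, and the question name in "(len)label" wire notation). SAMPLE_LOG is constructed: the client addresses, the forwarder address 10.0.0.53, the timestamps and the ids are invented; only the two domain names come from the thread.

```python
"""Which internal host looked up the indicator domains?

Added example, not code from the thread or its tools. Parses Windows DNS
Server debug-log PACKET lines (assumed layout, see lead-in) and attributes
inbound questions for watchlisted names to the client that sent them.
"""
import re
from collections import defaultdict

# Domains named in the CBL notice and in the thread.
WATCHLIST = {"sync.mathtag.com", "pixel.mathtag.com"}

# Constructed sample: a recursive server serving three internal clients and
# forwarding one query to an upstream resolver (10.0.0.53, invented).
SAMPLE_LOG = """\
1/28/2015 4:12:33 PM 0B1C PACKET  000000C4A8D5A2E0 UDP Rcv 192.168.1.57    a2f1   Q [0001   D   NOERROR] A      (4)sync(7)mathtag(3)com(0)
1/28/2015 4:12:33 PM 0B1C PACKET  000000C4A8D5A2E0 UDP Snd 192.168.1.57    a2f1 R Q [8081   DR  NOERROR] A      (4)sync(7)mathtag(3)com(0)
1/28/2015 4:12:40 PM 0B1C PACKET  000000C4A8D61F30 UDP Rcv 192.168.1.23    17c0   Q [0001   D   NOERROR] A      (3)www(9)microsoft(3)com(0)
1/28/2015 4:13:02 PM 0B1C PACKET  000000C4A8D5A2E0 UDP Rcv 192.168.1.57    b3a9   Q [0001   D   NOERROR] A      (5)pixel(7)mathtag(3)com(0)
1/28/2015 4:13:02 PM 0B1C PACKET  000000C4A8D5A2E0 UDP Snd 10.0.0.53       b3a9   Q [0001   D   NOERROR] A      (5)pixel(7)mathtag(3)com(0)
1/28/2015 4:13:15 PM 0B1C PACKET  000000C4A8D70A10 UDP Rcv 192.168.1.88    5e01   Q [0001   D   NOERROR] AAAA   (5)pixel(7)mathtag(3)com(0)
"""

# One PACKET line. 'resp' is "R" on responses and empty on questions.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<pkt>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<resp>R?)\s+(?P<opcode>\S)\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# "(4)sync(7)mathtag(3)com(0)" -> pairs of (declared length, label)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_qname(wire_name: str) -> str:
    """Turn '(4)sync(7)mathtag(3)com(0)' into 'sync.mathtag.com'."""
    labels = []
    for length, label in LABEL_RE.findall(wire_name):
        if len(label) != int(length):
            raise ValueError(f"label length mismatch in {wire_name!r}")
        if label:  # the trailing (0) is the root label
            labels.append(label)
    return ".".join(labels).lower()


def parse_line(line: str):
    """Return a record for a PACKET line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": f"{m['date']} {m['time']}",
        "remote": m["remote"],
        "direction": m["dir"],
        "is_response": m["resp"] == "R",
        "qtype": m["qtype"],
        "qname": decode_qname(m["qname"]),
    }


def find_clients_querying(log_text: str, watchlist):
    """Map each watchlisted domain to {client_ip: [timestamps]}.

    Only questions received from clients count (Rcv, no R flag). Snd lines
    without R are the server's own recursion to an upstream forwarder, so
    their remote address is the forwarder, not the host under suspicion.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["direction"] != "Rcv" or rec["is_response"]:
            continue
        for domain in watchlist:
            if rec["qname"] == domain or rec["qname"].endswith("." + domain):
                hits[domain][rec["remote"]].append(rec["timestamp"])
    return {domain: dict(clients) for domain, clients in hits.items()}


if __name__ == "__main__":
    for domain, clients in sorted(find_clients_querying(SAMPLE_LOG, WATCHLIST).items()):
        for client, times in sorted(clients.items()):
            print(f"{domain:20s} {client:15s} {len(times)} query(s), first at {times[0]}")
```

On the constructed sample this attributes sync.mathtag.com to 192.168.1.57 and pixel.mathtag.com to both 192.168.1.57 and 192.168.1.88, while ignoring the answer sent back to the client and the copy of the question forwarded upstream. A hit is a lead, not a verdict: it says which host asked and when, so the next step is to tie those timestamps to a process on that host and to the proxy or firewall log entry for the connection that followed; the name alone does not say which program issued the lookup.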
 


#8 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:01:19 AM

Posted 05 February 2015 - 02:37 AM

Are you using a custom Hosts file on this system / network? If not, please run the following Fixlist and report back the results.

 

Download the attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.



#9 Steve Rausch

Steve Rausch
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:19 AM

Posted 11 February 2015 - 12:26 PM

Sorry I've been absent.  I'm not seeing any more DNS requests to the suspect URLs.  Really appreciate the help.

 

Question - is the flushdns via FRST the same thing I would do via the command line?  That seems to have done the trick.  Do we have any idea what could have caused these symptoms?

 

Steve

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-02-2015 01
Ran by SteveR at 2015-02-05 09:06:27 Run:3
Running from C:\Users\stever\Desktop
Loaded Profiles: SteveR (Available profiles: user & SteveR)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
cmd: ipconfig /flushdns
Hosts:
Reboot:
end

*****************

Restore point was successfully created.
Processes closed successfully.

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.

The system needed a reboot.

==== End of Fixlog 09:06:53 ====



#10 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:01:19 AM

Posted 13 February 2015 - 12:30 AM

The ipconfig /flushdns in the Fixlist is the same as the one you can run manually from a CMD window.
 
If you are satisfied with the system, then let's clean the tools off the system.


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that, should you ever need to have malware removed again (we hope not), fresh, updated copies will be downloaded.
  • Download Delfix from here to your desktop and double click it to start the program
  • Ensure Remove disinfection tools is ticked
    Also tick:
  • Activate UAC
  • Create registry backup
  • Purge system restore
  • Reset system settings
  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.
You can delete any log files left on your desktop as these are no longer needed.
_____________________________________________________________________

Please come back and paste the DelFix.txt log when you can. After that, if you have no more questions, you are good to go. Surf safe, my friend!!



#11 Steve Rausch

Steve Rausch
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:01:19 AM

Posted 13 February 2015 - 02:27 PM

Thanks for your help!

 

Delfix log:

# DelFix v10.8 - Logfile created 13/02/2015 at 11:29:58
# Updated 29/07/2014 by Xplode
# Username : SteveR - STEVER-8L
# Operating System : Windows 8.1 Pro with Media Center  (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\stever\Desktop\FRST-OlderVersion
Deleted : C:\TDSSKiller.3.0.0.40_22.07.2014_17.48.11_log.txt
Deleted : C:\TDSSKiller.3.0.0.40_22.07.2014_18.56.52_log.txt
Deleted : C:\TDSSKiller.3.0.0.44_29.01.2015_11.56.48_log.txt
Deleted : C:\Users\stever\Desktop\Addition.txt
Deleted : C:\Users\stever\Desktop\AdwCleaner.exe
Deleted : C:\Users\stever\Desktop\esetsmartinstaller_enu.exe
Deleted : C:\Users\stever\Desktop\Fixlog.txt
Deleted : C:\Users\stever\Desktop\FRST.txt
Deleted : C:\Users\stever\Desktop\FRST64.exe
Deleted : C:\Users\stever\Desktop\TDSSKiller.exe
Deleted : C:\Users\stever\Desktop\TFC.exe
Deleted : C:\Users\stever\Downloads\Result.txt
Deleted : C:\Users\stever\Downloads\tdsskiller.zip
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #62 [Removed Adblock Plus for IE (32-bit and 64-bit) | 01/29/2015 17:18:46]
Deleted : RP #65 [Removed VAIO Care. | 02/02/2015 18:36:26]
Deleted : RP #66 [Restore Point Created by FRST | 02/05/2015 17:06:28]
Deleted : RP #67 [Installed VAIO Control Center | 02/11/2015 22:12:33]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########



#12 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:BC, Canada
  • Local time:01:19 AM

Posted 14 February 2015 - 01:21 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





