ZeroAccess Rootkit / Sirefef - Removed, need help fixing aftermath


This topic is locked
25 replies to this topic

#1 aprill85

Posted 30 March 2015 - 01:13 PM

Hi there!

 

I have inherited a work PC that has been through a few hands. When I received it, I was unable to do Windows 7 updates nor was I able to download ANYTHING from the internet (there was NO antivirus on the PC).

 

I ran Combofix in safe mode and it found something called ZeroAccess Rootkit and said it removed it. I could then download from the internet, but there are several things that are still giving me problems, like getting certain Windows updates to download and install, and also getting some programs' services to start.

 

I would really love to see if there is anything that y'all can do to help me get my PC back to a decent working condition. Thanks ahead for your time!!

 

Aprill


Edited by aprill85, 30 March 2015 - 01:14 PM.



#2 deeprybka (Malware Response Team)

Posted 30 March 2015 - 03:07 PM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
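As an added example for the diagnosis step above (this is not code from the thread, from Farbar's FRST, or from the Malware Response Team), the following Python script scans FRST.txt-style lines for the entries a reviewer usually checks first: lines FRST itself marks with "<======= ATTENTION", services tagged [File not signed], registry entries whose file is missing on disk ([X]), additions to the LSA Authentication Packages list beyond msv1_0, additions to BootExecute beyond the stock "autocheck autochk *", and Run entries that launch from user-writable locations such as AppData or Temp. The category names, the heuristics and the sample excerpt (constructed in FRST's layout, modeled on entries from the log posted in this thread) are my own assumptions; the script has no knowledge of which entries belong to legitimately installed software.

```python
import re

# Constructed excerpt in FRST.txt layout (not the full log from this thread);
# the entries are modeled on lines that appear in the posted log.
SAMPLE_FRST = r"""
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe [2691072 2009-08-26] (Realtek Semiconductor Corp.)
HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\...\Run: [appnhost] => C:\Users\signage\AppData\Local\Mixesoft\AppNHost\appnhost.exe [453176 2014-08-08] (Mixesoft Project)
Lsa: [Authentication Packages] msv1_0 wvauth
BootExecute: autocheck autochk * sdnclean.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
R2 LabelServices; C:\Program Files\Common Files\EuroPlus Shared\LblServices.exe [1590440 2009-12-18] (Euro Plus d.o.o.) [File not signed]
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 catchme; \??\C:\Users\signage\AppData\Local\Temp\catchme.sys [X]
U3 mbr; \??\C:\ComboFix\mbr.sys [X]
"""

ATTENTION = "<======= ATTENTION"                   # FRST's own marker for items it flags
STOCK_BOOTEXECUTE = ["autocheck", "autochk", "*"]  # default Windows 7 BootExecute value
# Launch paths a reviewer checks first: locations any user process can write to.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\", re.IGNORECASE)


def triage_frst(text):
    """Return (category, detail) tuples for FRST lines worth a second look.

    These are review heuristics, not verdicts: vendor LSA packages, a
    cleaner's BootExecute hook and stale driver entries left by removal
    tools all trip them, so every hit has to be matched against what the
    log shows installed before anything goes into a fixlist.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ATTENTION in line:
            findings.append(("frst-flagged", line))
        if line.endswith("[File not signed]"):
            findings.append(("unsigned-service", line))
        if line.endswith("[X]"):
            # FRST marks the entry's file as missing on disk
            findings.append(("missing-file", line))
        if line.startswith("Lsa: [Authentication Packages]"):
            packages = line.split("]", 1)[1].split()
            extra = [p for p in packages if p.lower() != "msv1_0"]
            if extra:
                findings.append(("extra-lsa-package", " ".join(extra)))
        if line.startswith("BootExecute:"):
            tokens = line.split(":", 1)[1].split()
            if tokens[:3] != STOCK_BOOTEXECUTE or len(tokens) > 3:
                findings.append(("bootexecute-addition", " ".join(tokens[3:]) or line))
        if "\\Run: [" in line and USER_WRITABLE.search(line):
            findings.append(("run-from-user-writable", line))
    return findings


if __name__ == "__main__":
    for category, detail in triage_frst(SAMPLE_FRST):
        print(f"{category:24} {detail}")
```

A hit is a prompt to look, not a verdict. On the sample above the BootExecute addition (sdnclean.exe) and the unsigned LabelServices entry correspond to software the posted log shows installed (sdnclean.exe appears under Windows\system32 with Safer Networking's file version information, and the Euro Plus label service is listed under Services), and an extra LSA package is resolved the same way, by matching it to an installed vendor product before anything is removed. The [X] driver entries are leftovers that point at files no longer on disk, which is why FRST lists them for cleanup rather than as active code.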

#3 aprill85 (Topic Starter)

Posted 30 March 2015 - 04:13 PM

Hello Jürgen,

 

Thanks for the quick response!

 

Here are the logs from my scan:

 

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Signage (administrator) on RECEPTIONIST on 30-03-2015 16:08:33
Running from C:\Users\signage\Desktop
Loaded Profiles: Signage (Available profiles: Administrator & Comtech & Signage)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Wave Systems Corp.) C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe
(UPEK Inc.) C:\Program Files\Common Files\SPBA\upeksvr.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.26.9\GoogleCrashHandler.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(Euro Plus d.o.o.) C:\Program Files\Common Files\EuroPlus Shared\LblServices.exe
() C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
() C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\Users\signage\AppData\Roaming\Dashlane\DashlanePlugin.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
() C:\Users\signage\AppData\Roaming\Dashlane\Dashlane.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtDCpl.exe [2691072 2009-08-26] (Realtek Semiconductor Corp.)
HKLM\...\Run: [PDVDDXSrv] => C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2009-06-24] (CyberLink Corp.)
HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
Winlogon\Notify\GoToAssist Express Customer: C:\Program Files\Citrix\GoToAssist Remote Support Customer\758\g2ax_winlogon.dll [X]
Winlogon\Notify\spba: C:\Program Files\Common Files\SPBA\homefus2.dll (UPEK Inc.)
HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5529880 2015-03-13] (Piriform Ltd)
HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\...\Run: [appnhost] => C:\Users\signage\AppData\Local\Mixesoft\AppNHost\appnhost.exe [453176 2014-08-08] (Mixesoft Project)
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
ShellIconOverlayIdentifiers: [EnabledUnlockedFDEIconOverlay] -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
ShellIconOverlayIdentifiers: [UninitializedFdeIconOverlay] -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll (Wave Systems Corp.)
BootExecute: autocheck autochk * sdnclean.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.yahoo.com?fr=fp-comodo
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {7F32C84A-EE5C-45D7-911A-34B39F902A6B} URL = http://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189 -> DefaultScope {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = http://us.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
SearchScopes: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189 -> {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = http://us.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
BHO: Dashlane BHO -> {42D79B50-CC4A-4A8E-860F-BE674AF053A2} -> C:\Users\signage\AppData\Roaming\Dashlane\ie\Dashlanei.dll [2015-03-04] (Dashlane)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-27] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files\Windows Live\Companion\companioncore.dll [2010-11-10] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-27] (Oracle Corporation)
Toolbar: HKLM - Dashlane Toolbar - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Users\signage\AppData\Roaming\Dashlane\ie\KWIEBar.dll [2015-03-04] (Dashlane)
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc1.cab
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} -  No File []
Tcpip\Parameters: [DhcpNameServer] 192.168.1.100
 
FireFox:
========
FF Plugin: @java.com/DTPlugin,version=11.40.2 -> C:\Windows\system32\npdeployJava1.dll [2015-03-27] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-27] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-27] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - c:\Program Files\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension
 
Chrome: 
=======
CHR DefaultSearchKeyword: Default -> 97464CC15929B775C7CFB92DDAD797163E129878BB16340B6511EB95B34BAC37
CHR DefaultSearchURL: Default -> D12C182C9BD1772F2B1D79DFB062806FA75DA29F24AC01DBD0BD3F6AE47EB7FB
CHR Profile: C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-04]
CHR Extension: (Google Docs) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-04]
CHR Extension: (Google Drive) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-04]
CHR Extension: (Gliffy Diagrams) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmicilclplefnflapjmnngmkkkkpfad [2015-02-04]
CHR Extension: (YouTube) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-04]
CHR Extension: (Google Search) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-04]
CHR Extension: (Rescroller) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\ddehdnnhjimbggeeenghijehnpakijod [2015-02-04]
CHR Extension: (Dashlane) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdjamakpfbbddfjaooikfcpapjohcfmg [2015-03-30]
CHR Extension: (Google Sheets) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-04]
CHR Extension: (Click&Clean) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghgabhipcejejjmhhchfonmamedcbeod [2015-03-10]
CHR Extension: (Google Keep - notes and lists) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmjkmjkepdijhoojdojkdfohbdgmmhki [2015-02-04]
CHR Extension: (WorkFlowy) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\koegeopamaoljbmhnfjbclbocehhgmkm [2015-02-04]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-12]
CHR Extension: (Until AM for Chrome) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjafmkicbmhcbapadecadciafbkecofl [2015-02-04]
CHR Extension: (Google Wallet) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-04]
CHR Extension: (Currently) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojhmphdkpgbibohbnpbfiefkgieacjmh [2015-02-04]
CHR Extension: (Gmail) - C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-04]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 atnthost; C:\ProgramData\WebEx\MyWebEx\319\atnthost.exe [16776 2011-07-11] (WebEx Communications, Inc.)
S4 CouponPrinterService; C:\Program Files\Coupons\CouponPrinterService.exe [154096 2014-12-03] (Coupons.com Inc.)
S4 GoToAssist Remote Support Customer; C:\Program Files\Citrix\GoToAssist Remote Support Customer\758\g2ax_service.exe [610888 2015-02-03] (Citrix Online, LLC)
R2 hasplms; C:\Windows\system32\hasplms.exe [4180576 2010-09-27] (SafeNet Inc.)
R2 LabelServices; C:\Program Files\Common Files\EuroPlus Shared\LblServices.exe [1590440 2009-12-18] (Euro Plus d.o.o.) [File not signed]
R2 MotoHelper; C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe [223088 2011-04-26] ()
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-01-18] (Hewlett-Packard) [File not signed]
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-01-18] (Hewlett-Packard) [File not signed]
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 SecureStorageService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Secure Storage Manager\SecureStorageService.exe [1477632 2010-11-03] (Wave Systems Corp.) [File not signed]
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1629696 2010-07-13] () [File not signed]
R2 TdmService; C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmService.exe [2336104 2010-10-16] (Wave Systems Corp.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 aksfridge; C:\Windows\System32\DRIVERS\aksfridge.sys [356864 2010-09-27] (SafeNet Inc.)
S3 akshasp; C:\Windows\System32\DRIVERS\akshasp.sys [238208 2010-09-27] (Aladdin Knowledge Systems Ltd.)
S3 akshhl; C:\Windows\System32\DRIVERS\akshhl.sys [46336 2010-09-27] (Aladdin Knowledge Systems Ltd.)
S3 aksusb; C:\Windows\System32\DRIVERS\aksusb.sys [16384 2010-09-27] (Aladdin Knowledge Systems Ltd.)
S3 Blfp; C:\Windows\System32\DRIVERS\basp.sys [84992 2009-05-11] (Broadcom Corporation)
R2 Hardlock; C:\Windows\system32\drivers\hardlock.sys [588800 2010-09-27] (SafeNet Inc.)
S3 HPFXBULKLEDM; C:\Windows\System32\drivers\hppcbulkio.sys [20504 2010-10-03] (Hewlett Packard)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [2748064 2009-11-16] (Realtek Semiconductor Corp.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
R1 MpKslbbcfa47d; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E95AF80A-EF92-48CF-BFE8-7D84370F284F}\MpKslbbcfa47d.sys [39464 2015-03-30] (Microsoft Corporation)
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
R3 catchme; \??\C:\Users\signage\AppData\Local\Temp\catchme.sys [X]
S3 cpuz134; \??\C:\Users\signage\AppData\Local\Temp\cpuz134\cpuz134_x32.sys [X]
S3 MFE_RR; \??\C:\Users\signage\AppData\Local\Temp\mfe_rr.sys [X]
U3 mbr; \??\C:\ComboFix\mbr.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-30 16:08 - 2015-03-30 16:08 - 00016927 _____ () C:\Users\signage\Desktop\FRST.txt
2015-03-30 15:15 - 2015-03-30 16:08 - 00000000 ____D () C:\FRST
2015-03-30 15:14 - 2015-03-30 15:14 - 01135104 _____ (Farbar) C:\Users\signage\Desktop\FRST.exe
2015-03-30 15:06 - 2015-03-30 15:06 - 00018083 _____ () C:\ComboFix.txt
2015-03-30 14:53 - 2015-03-30 14:53 - 00000546 _____ () C:\Windows\PFRO.log
2015-03-30 14:38 - 2015-03-30 14:38 - 00001112 _____ () C:\Users\signage\Desktop\ComboFix - Shortcut.lnk
2015-03-30 14:32 - 2015-03-30 14:53 - 00000224 _____ () C:\Windows\setupact.log
2015-03-30 14:32 - 2015-03-30 14:32 - 00000000 _____ () C:\Windows\setuperr.log
2015-03-30 14:29 - 2015-03-30 14:30 - 05617067 ____R (Swearware) C:\Users\signage\Downloads\ComboFix.exe
2015-03-30 12:00 - 2015-03-30 12:00 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\signage\Downloads\tdsskiller.exe
2015-03-30 11:49 - 2015-03-04 15:18 - 37745864 _____ (Garmin Ltd or its subsidiaries) C:\Users\signage\Desktop\GarminExpress.exe
2015-03-30 11:02 - 2015-03-30 11:03 - 00000000 ____D () C:\Users\signage\AppData\Local\TopoGrafix
2015-03-27 14:48 - 2015-03-27 14:48 - 00000000 ____D () C:\Users\signage\AppData\Roaming\Windows Live Writer
2015-03-27 14:48 - 2015-03-27 14:48 - 00000000 ____D () C:\Users\signage\AppData\Local\Windows Live Writer
2015-03-27 14:48 - 2015-03-27 14:48 - 00000000 ____D () C:\Users\signage\AppData\Local\{B9A77C9E-427A-4351-8E75-05568C9BFD84}
2015-03-27 14:47 - 2015-03-27 14:47 - 00002085 _____ () C:\Users\signage\Downloads\Question about 'unapplied payments'.eml
2015-03-27 12:28 - 2015-03-27 12:29 - 05344528 _____ (Piriform Ltd) C:\Users\signage\Downloads\ccsetup504.exe
2015-03-27 11:08 - 2015-03-27 11:04 - 00898472 _____ (Oracle Corporation) C:\Windows\system32\npdeployJava1.dll
2015-03-27 11:08 - 2015-03-27 11:04 - 00818088 _____ (Oracle Corporation) C:\Windows\system32\deployJava1.dll
2015-03-27 11:06 - 2015-03-27 11:06 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-03-27 11:05 - 2015-03-27 11:05 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-03-27 11:05 - 2015-03-27 11:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-03-27 11:04 - 2015-03-27 11:04 - 00000000 ____D () C:\ProgramData\Oracle
2015-03-27 10:33 - 2015-03-27 10:33 - 00561064 _____ (Oracle Corporation) C:\Users\signage\Downloads\chromeinstall-8u40.exe
2015-03-23 13:36 - 2015-03-23 13:36 - 00347816 _____ (Microsoft Corporation) C:\Users\signage\Downloads\MicrosoftFixit.wu.LB.1350566474219442.2.1.Run.exe
2015-03-23 13:16 - 2015-03-30 16:00 - 01853311 _____ () C:\Windows\WindowsUpdate.log
2015-03-23 12:43 - 2015-03-25 16:42 - 00000000 ____D () C:\Users\signage\Downloads\Microsoft Backgrounds
2015-03-23 12:40 - 2015-03-23 12:43 - 00000000 ____D () C:\Users\signage\Documents\'Fixes'
2015-03-23 12:30 - 2015-01-30 07:27 - 03342552 _____ (Terra Informatica Software, Inc.) C:\cmdhtml.dll
2015-03-23 12:28 - 2015-03-23 12:28 - 00000720 _____ () C:\Windows\system32\{7995330B-E01F-4645-B702-53481E7CB778}.cmdfile
2015-03-18 10:13 - 2015-03-18 10:13 - 00000000 ____D () C:\Users\signage\AppData\Local\Comodo
2015-03-18 10:11 - 2015-03-23 13:15 - 00000000 ____D () C:\ProgramData\Comodo
2015-03-16 15:09 - 2015-03-16 15:20 - 00014222 _____ () C:\Users\signage\Documents\Pay Period Breakdown.xlsx
2015-03-13 17:06 - 2015-03-13 17:06 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-03-13 17:06 - 2015-03-13 17:06 - 00000000 ____D () C:\Windows\system32\appraiser
2015-03-13 17:00 - 2014-10-17 20:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2015-03-13 17:00 - 2014-07-06 20:40 - 00103424 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2015-03-13 17:00 - 2014-07-06 20:39 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2015-03-13 17:00 - 2014-07-06 20:39 - 00023040 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2015-03-13 17:00 - 2014-07-06 20:37 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2015-03-13 16:52 - 2012-07-25 22:21 - 00196608 _____ (Microsoft Corporation) C:\Windows\system32\WUDFHost.exe
2015-03-13 16:52 - 2012-07-25 22:20 - 00613888 _____ (Microsoft Corporation) C:\Windows\system32\WUDFx.dll
2015-03-13 16:52 - 2012-07-25 22:20 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\WUDFPlatform.dll
2015-03-13 16:52 - 2012-07-25 22:20 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\WUDFSvc.dll
2015-03-13 16:52 - 2012-07-25 22:20 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\WUDFCoinstaller.dll
2015-03-13 16:52 - 2012-07-25 21:33 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WUDFPf.sys
2015-03-13 16:52 - 2012-07-25 21:32 - 00155136 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WUDFRd.sys
2015-03-13 16:52 - 2012-06-02 09:57 - 00000003 _____ () C:\Windows\system32\Drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
2015-03-13 16:51 - 2015-03-13 16:52 - 00000000 ____D () C:\Windows\TempF8A9BAE6-6687-FCA2-77AF-C56A91A33F22-Signatures
2015-03-13 16:43 - 2013-05-09 23:56 - 12625408 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-03-13 16:43 - 2013-05-09 23:56 - 11410432 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-03-13 12:13 - 2015-03-13 12:13 - 00000000 ____D () C:\Users\signage\AppData\Local\{9B2ED4C6-AC85-4A29-A6ED-9393FD612C0E}
2015-03-13 12:13 - 2015-03-13 12:13 - 00000000 ____D () C:\Users\signage\AppData\Local\{830B6A9F-1346-49FB-918E-82C815C33048}
2015-03-13 11:30 - 2015-03-13 11:30 - 00000000 ____D () C:\Users\signage\AppData\Roaming\AVG
2015-03-12 11:22 - 2015-03-13 14:10 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2015-03-12 11:22 - 2015-03-13 08:29 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-03-12 11:22 - 2015-03-12 11:22 - 00002137 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-03-12 11:22 - 2015-03-12 11:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-03-12 11:22 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2015-03-11 10:11 - 2015-03-11 10:11 - 00000000 ____D () C:\Users\signage\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dashlane
2015-03-11 10:11 - 2015-03-11 10:11 - 00000000 ____D () C:\Program Files\Dashlane
2015-03-11 10:09 - 2015-03-11 10:11 - 00000000 ____D () C:\Users\signage\AppData\Roaming\Dashlane
2015-03-10 08:24 - 2015-03-10 08:24 - 00000000 ____D () C:\Users\signage\AppData\Local\Mixesoft
2015-03-09 16:30 - 2015-03-09 16:30 - 00000000 ____D () C:\Users\signage\Tracing
2015-03-09 16:30 - 2015-03-09 16:30 - 00000000 ____D () C:\Users\signage\AppData\Local\Skype
2015-03-09 16:29 - 2015-03-13 12:38 - 00000000 ____D () C:\ProgramData\Skype
2015-03-09 16:29 - 2015-03-13 11:47 - 00000000 ____D () C:\Users\signage\AppData\Roaming\Skype
2015-03-06 17:17 - 2015-03-06 17:17 - 00000000 ____D () C:\Users\signage\AppData\Roaming\OpenCandy
2015-03-06 15:25 - 2015-03-06 15:51 - 00000000 ____D () C:\Users\signage\AppData\Local\CDXZipStream
2015-03-04 16:12 - 2015-03-04 16:11 - 00021673 _____ () C:\Users\signage\Documents\First, Last, Email.xlsx
2015-03-04 11:19 - 2015-03-04 11:31 - 00000000 ____D () C:\7ffe0de8b4de1d7500ad723424e8df4a
2015-03-04 10:54 - 2015-03-04 11:04 - 00000000 ____D () C:\f5db250cbf795c115b5781b8fcb0
2015-03-04 09:59 - 2015-03-30 14:16 - 00000000 ____D () C:\ProgramData\Garmin
2015-03-04 09:54 - 2015-03-30 14:19 - 00000000 ____D () C:\ProgramData\Package Cache
2015-03-03 18:03 - 2015-03-06 16:26 - 00043605 _____ () C:\Users\signage\Documents\First, Last, Add, Phone, Email.xlsx
2015-03-03 12:12 - 2015-03-03 12:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2015-03-03 12:11 - 2015-03-03 12:12 - 00000000 ____D () C:\Program Files\QuickTime
2015-03-03 12:11 - 2015-03-03 12:11 - 00000000 ____D () C:\ProgramData\Apple Computer
2015-03-03 10:44 - 2015-03-03 10:48 - 00000000 ____D () C:\Test Shared File
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-30 15:46 - 2012-02-02 08:59 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-30 15:45 - 2012-07-30 15:28 - 00000910 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3770295148-3722998716-3168685681-1172UA.job
2015-03-30 15:40 - 2015-02-03 16:47 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1d03ffb336d4bb.job
2015-03-30 15:22 - 2012-04-13 11:14 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-30 15:20 - 2009-07-13 23:34 - 00025424 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-30 15:20 - 2009-07-13 23:34 - 00025424 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-30 15:06 - 2015-02-04 12:30 - 00000000 ____D () C:\Qoobox
2015-03-30 15:04 - 2009-07-13 21:04 - 00000215 _____ () C:\Windows\system.ini
2015-03-30 15:00 - 2011-03-04 01:25 - 00911204 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-30 14:53 - 2012-02-02 08:59 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-30 14:53 - 2011-04-19 14:22 - 00000152 _____ () C:\Windows\system32\config\netlogon.ftl
2015-03-30 14:53 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-30 10:00 - 2015-02-04 10:26 - 00000000 ____D () C:\Users\signage\Documents\Brochures
2015-03-30 08:54 - 2015-02-03 17:46 - 00000000 ____D () C:\Users\signage\AppData\Local\Microsoft Help
2015-03-29 21:47 - 2012-07-30 15:28 - 00000858 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3770295148-3722998716-3168685681-1172Core.job
2015-03-27 14:47 - 2015-02-06 13:58 - 00000000 ____D () C:\Users\signage\AppData\Local\Windows Live
2015-03-27 13:51 - 2015-02-10 14:51 - 00000000 ____D () C:\Users\signage\AppData\Local\CrashDumps
2015-03-27 13:49 - 2015-02-04 13:00 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-27 11:08 - 2011-03-04 01:29 - 00000000 ____D () C:\Program Files\Java
2015-03-24 17:00 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF
2015-03-23 12:21 - 2015-02-03 17:46 - 00000000 ____D () C:\Users\signage
2015-03-23 12:20 - 2015-02-03 17:12 - 00000000 ____D () C:\Users\Administrator
2015-03-23 12:20 - 2011-04-19 14:24 - 00000000 ____D () C:\Users\comtech
2015-03-23 12:20 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\wfp
2015-03-23 12:20 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\security
2015-03-23 12:19 - 2015-02-04 13:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-03-23 12:19 - 2015-02-04 10:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-03-23 12:19 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\registration
2015-03-23 11:56 - 2015-02-05 15:39 - 00000000 ____D () C:\Users\signage\AppData\Local\Adobe
2015-03-23 08:31 - 2015-02-04 10:27 - 00000000 ____D () C:\Users\signage\Documents\Rudy's Folders from Signage PC
2015-03-18 09:53 - 2015-02-11 10:30 - 00000000 ____D () C:\Program Files\AVG
2015-03-18 09:53 - 2015-02-06 16:02 - 00000000 ____D () C:\ProgramData\Avg
2015-03-18 09:53 - 2015-02-06 15:19 - 00000000 ____D () C:\Users\signage\AppData\Local\AvgSetupLog
2015-03-13 18:12 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\rescache
2015-03-13 17:26 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-03-13 17:10 - 2015-02-04 09:38 - 00121720 _____ () C:\Users\signage\AppData\Local\GDIPFONTCACHEV1.DAT
2015-03-13 17:09 - 2009-07-13 23:33 - 00453296 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-13 17:08 - 2011-03-04 01:24 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-03-13 17:06 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\AppCompat
2015-03-13 16:58 - 2011-07-08 10:30 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-13 16:58 - 2011-06-15 10:30 - 00002057 _____ () C:\Windows\epplauncher.mif
2015-03-13 16:52 - 2012-04-25 03:01 - 00002119 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2015-03-13 16:52 - 2011-06-15 10:28 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2015-03-13 16:45 - 2011-03-04 01:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-03-13 11:47 - 2011-06-07 14:23 - 00000000 ___HD () C:\ProgramData\{D7BDD92E-2857-43B3-95FD-9912B5C1BF88}
2015-03-13 11:31 - 2015-02-03 17:46 - 00000000 ____D () C:\Users\signage\AppData\Local\VirtualStore
2015-03-13 11:27 - 2015-02-06 15:19 - 00000000 ____D () C:\Users\signage\AppData\Local\Avg
2015-03-09 16:44 - 2012-04-13 11:14 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-03-09 16:44 - 2011-10-01 13:53 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-03-06 15:51 - 2011-06-15 09:51 - 00000000 ____D () C:\Windows\system32\appmgmt
 
==================== Files in the root of some directories =======
 
2012-04-14 13:10 - 2010-05-12 12:02 - 0024772 _____ () C:\ProgramData\HPSSDEF.CSS
2012-04-14 13:10 - 2013-05-30 13:42 - 0026415 _____ () C:\ProgramData\HPSSOSS.HTM
2012-04-14 13:10 - 2010-05-12 12:02 - 0002944 _____ () C:\ProgramData\HPSSSIG.GIF
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-25 00:43
 
==================== End Of Log ============================
 
 
 
Addition:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-03-2015
Ran by Signage at 2015-03-30 16:09:06
Running from C:\Users\signage\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
32 Bit HP CIO Components Installer (Version: 7.1.4 - Hewlett-Packard) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Photoshop 7.0 (HKLM\...\Adobe Photoshop 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Apple Application Support (HKLM\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AppNHost 1.0.5.1 (HKLM\...\{A8CB86C7-CD4C-4C4F-AF6A-33D1CAC63562}) (Version: 1.0.5.1 - Mixesoft Project)
Bing Rewards Client Installer (Version: 16.0.345.0 - Microsoft Corporation) Hidden
BioAPI Framework (Version: 1.0.2 - Dell Inc.) Hidden
Broadcom NetXtreme-I Netlink Driver and Management Installer (HKLM\...\{2E98C5B7-D64C-4D7E-BFC3-A7D078569F28}) (Version: 12.25.02 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 5.04 - Piriform)
Citrix Online Launcher (HKLM\...\{1EFF9E6C-76E1-43F9-81FB-BC8C037B0902}) (Version: 1.0.258 - Citrix)
Citrix Online Launcher (HKLM\...\{F17C3DC2-2ACA-4B0E-BDBF-ACE61B14E7CD}) (Version: 1.0.183 - Citrix)
Coupon Printer for Windows (HKLM\...\Coupon Printer for Windows5.0.1.4) (Version: 5.0.1.4 - Coupons.com Incorporated)
CT-S300 x32 v157 (HKLM\...\{D71D57E0-11FB-4D6F-9930-95214AF70DBB}) (Version: 2.00.0000 - Your Company Name)
Custom (Version: 12.34.56.789 - Wave Systems Corp.) Hidden
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Dashlane (HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\...\Dashlane) (Version: 3.2.5.80399 - Dashlane SAS)
Dell Backup and Recovery Manager (HKLM\...\{4688EB75-28E2-4731-9BCB-55E624F7CD45}) (Version: 1.3 - Dell Inc.)
Dell Data Protection | Access (HKLM\...\{A7D91856-258D-4C87-8041-B170851CE432}) (Version: 2.0.00000.154 - Dell Inc.)
Dell Data Protection | Access (Version: 01.00.00.154 - Wave Systems Corp) Hidden
Dell Data Protection | Access | Drivers (HKLM\...\{4E4E65EE-C456-45AC-B5AD-C62C3A325BD0}) (Version: 1.00.011 - Dell Inc.)
Dell Data Protection | Access | Middleware (HKLM\...\{841CBDD5-4BB5-403E-AEE3-2FADC3890BE8}) (Version: 1.00.005 - Dell Inc.)
Dell Edoc Viewer (HKLM\...\{3138EAD3-700B-4A10-B617-B3F8096EE30D}) (Version: 1.0.0 - Dell Inc)
DellAccess (Version: 01.00.00.078 - Wave Systems Corp.) Hidden
EMBASSY Security Center (Version: 04.02.00.072 - Wave Systems Corp.) Hidden
Gemalto (Version: 01.01.01.0000 - Wave Systems Corp) Hidden
Google Chrome (HKLM\...\Google Chrome) (Version: 41.0.2272.101 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
GoToAssist Customer 2.2.0.758 (HKLM\...\GoToAssist Express Customer) (Version: 2.2.0.758 - Citrix Online)
InsightPoint 3.2.5.2 (HKLM\...\{F8653484-2E43-4E7D-8013-B0B6CD1C853F}_is1) (Version: 3.2.5.2 - Icytec Group, LLC)
Intel® Graphics Media Accelerator Driver (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2182 - Intel Corporation)
Java 8 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Messenger Companion (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office 2010 (HKLM\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Standard 2007 (HKLM\...\STANDARDR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
MotoHelper 2.0.51 Driver 5.1.0 (HKLM\...\MotoHelper) (Version: 2.0.51 - Motorola)
MotoHelper MergeModules (Version: 1.2.0 - Motorola) Hidden
Motorola Mobile Drivers Installation 5.1.0 (Version: 5.1.0 - Motorola Inc.) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NTRU TCG Software Stack (Version: 2.1.34 - Security Innovation) Hidden
PC-CCID (Version: 2.0.0 - Gemalto) Hidden
PowerDVD DX (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 8.3.5424 - CyberLink Corp.)
Preboot Manager (Version: 03.02.00.066 - Wave Systems Corp.) Hidden
Private Information Manager (Version: 07.00.00.026 - Wave Systems Corp.) Hidden
QuickBooks Remote Access (HKLM\...\MyWebExPC) (Version:  - WebEx Communications, Inc)
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5876 - Realtek Semiconductor Corp.)
Roxio Creator DE 10.3 (HKLM\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.3 - Roxio)
Serif DrawPlus X5 (HKLM\...\{2C10B17E-2043-4E7F-9021-A5B65CC4D387}) (Version: 12.0.4.027 - Serif (Europe) Ltd)
Serif PanoramaPlus X4 (HKLM\...\{35EDE682-4AE5-47D6-B44F-103F859951DC}) (Version: 4.0.1.008 - Serif (Europe) Ltd)
SPBA 5.9 (Version: 5.9.4.6686 - UPEK Inc.) Hidden
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Trusted Drive Manager (Version: 4.0.0.512 - Wave Systems Corp.) Hidden
Update 4.0.3 for Microsoft .NET Framework 4 Client Profile (KB2600211) (HKLM\...\{3C3901C5-3455-3E0A-A214-0B093A5070A6}.KB2600211) (Version: 1 - Microsoft Corporation)
Update 4.0.3 for Microsoft .NET Framework 4 Extended (KB2600211) (HKLM\...\{0A0CADCF-78DA-33C4-A350-CD51849B9702}.KB2600211) (Version: 1 - Microsoft Corporation)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-0012-0000-0000-0000000FF1CE}_STANDARDR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Upek Touchchip Fingerprint Reader (Version: 1.2.004 - Dell Inc.) Hidden
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Wave Infrastructure Installer (Version: 07.02.40.0008 - Wave Systems Corp) Hidden
Wave Support Software Installer (Version: 05.12.00.012 - Wave Systems Corp) Hidden
Windows Driver Package - Dell Inc. PBADRV System  (09/11/2009 1.0.1.6) (HKLM\...\9512AA21B791B05A54E27065C45BBC417AB282DF) (Version: 09/11/2009 1.0.1.6 - Dell Inc.)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Small Business Server 2011 Standard ClientAgent (HKLM\...\{3032BC7D-E713-452D-AAF7-F5ED073226C8}) (Version: 6.1.7900.1 - Microsoft Corporation)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{586A6352-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{586A6353-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{586A6354-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{586A6355-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{586A6356-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{586A6357-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{586A6359-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}\InprocServer32 -> C:\Windows\system32\tabctl32.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\InprocServer32 -> C:\Windows\system32\tabctl32.ocx (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3770295148-3722998716-3168685681-1189_Classes\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\InprocServer32 -> C:\Windows\system32\mscomct2.ocx (Microsoft Corporation)
 
==================== Restore Points  =========================
 
18-03-2015 10:14:08 Installing COMODO Antivirus
18-03-2015 10:15:46 Device Driver Package Install: COMODO Network Service
23-03-2015 12:15:20 Restore Operation
23-03-2015 12:46:08 Installing COMODO Antivirus
23-03-2015 12:47:59 Device Driver Package Install: COMODO Network Service
23-03-2015 13:06:28 Removed GeekBuddy.
23-03-2015 13:10:43 Removed COMODO Antivirus
30-03-2015 11:06:44 Garmin Express
30-03-2015 11:49:44 Garmin Express
30-03-2015 14:15:29 Garmin Express
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:04 - 2015-03-30 14:50 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {13E90DBF-54E8-44C4-961D-0F790DC641FC} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-03-09] (Adobe Systems Incorporated)
Task: {3231A360-FB1A-4184-96D9-0354E9CBDF7F} - System32\Tasks\GoogleUpdateTaskMachineUA1d03ffb336d4bb => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-15] (Google Inc.)
Task: {5608C28B-0D7C-4200-9F25-552606170AD3} - System32\Tasks\GarminUpdaterTask => C:\Program Files\Garmin\Express Self Updater\ExpressSelfUpdater.exe
Task: {65C5B7AC-4E82-4379-A45F-E18B928747E4} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3770295148-3722998716-3168685681-1172Core => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-30] (Google Inc.)
Task: {84635954-D0B2-42EE-BC66-D533353E4EF1} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-15] (Google Inc.)
Task: {AAE7982B-D841-4639-B618-171BA8849AA7} - System32\Tasks\Adobe Reader and Acrobat Manager => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-03] (Adobe Systems Incorporated)
Task: {B197B597-AFF1-4F60-B4DE-32AF1114DDA3} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3770295148-3722998716-3168685681-1172UA => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-30] (Google Inc.)
Task: {B4FC8691-28CC-49D8-B76A-4B16959AA44E} - System32\Tasks\MotoHelper Update => C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-04-26] ()
Task: {C96F0BA0-0693-4B6B-8E5B-70F107E1DF28} - System32\Tasks\MotoHelper Routing => C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-04-26] ()
Task: {CF798012-32D9-48B7-8843-67CFEAA852D4} - System32\Tasks\MotoHelper MUM => C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-04-26] ()
Task: {DFFBC385-0456-414A-915E-14B57B09CD33} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-03-13] (Piriform Ltd)
Task: {E5EF8057-90BB-4340-8983-A60ADA4CB2CC} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {F5D0C534-AD54-49FB-846F-4A24DCAAC7CD} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {F892C6BB-AF0E-44B3-9D1B-66E914D9F6DF} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-15] (Google Inc.)
Task: {FA314E56-C11D-49E1-A80E-8147F406A2A8} - System32\Tasks\MotoHelper Initial Update => C:\Program Files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-04-26] ()
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1d03ffb336d4bb.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3770295148-3722998716-3168685681-1172Core.job => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3770295148-3722998716-3168685681-1172UA.job => C:\Users\User\AppData\Local\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2010-05-12 12:02 - 2010-05-12 12:02 - 00126264 _____ () C:\Windows\System32\HPCP1020LM.DLL
2011-04-26 15:23 - 2011-04-26 15:23 - 00223088 _____ () C:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
2015-03-12 11:22 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2015-03-12 11:22 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2015-03-12 11:22 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2015-03-12 11:22 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2015-03-12 11:22 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2011-04-26 15:22 - 2011-04-26 15:22 - 00681840 _____ () C:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
2015-03-23 17:42 - 2015-03-14 05:12 - 01174856 _____ () C:\Program Files\Google\Chrome\Application\41.0.2272.101\libglesv2.dll
2015-03-23 17:42 - 2015-03-14 05:12 - 00080200 _____ () C:\Program Files\Google\Chrome\Application\41.0.2272.101\libegl.dll
2015-03-23 17:42 - 2015-03-14 05:12 - 09278792 _____ () C:\Program Files\Google\Chrome\Application\41.0.2272.101\pdf.dll
2015-03-11 10:11 - 2015-03-04 11:01 - 00232632 _____ () C:\Users\signage\AppData\Roaming\Dashlane\DashlanePlugin.exe
2015-03-11 10:10 - 2015-03-04 10:57 - 05735608 _____ () C:\Users\signage\AppData\Roaming\Dashlane\3.2.5.80399\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}\components\KWData.3.2.5.80399.dll
2015-03-11 10:10 - 2015-03-04 10:57 - 00442552 _____ () C:\Users\signage\AppData\Roaming\Dashlane\3.2.5.80399\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}\components\KWUtils.3.2.5.80399.dll
2015-03-11 10:10 - 2015-03-04 10:57 - 00310456 _____ () C:\Users\signage\AppData\Roaming\Dashlane\3.2.5.80399\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}\components\KWDebugDll_win32.3.2.5.80399.dll
2015-03-11 10:10 - 2015-03-04 10:57 - 00419000 _____ () C:\Users\signage\AppData\Roaming\Dashlane\3.2.5.80399\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}\components\KWDebug.3.2.5.80399.dll
2015-03-11 10:10 - 2015-03-04 10:57 - 30919864 _____ () C:\Users\signage\AppData\Roaming\Dashlane\3.2.5.80399\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}\components\KWExternLib.3.2.5.80399.dll
2015-03-11 10:10 - 2015-03-04 10:57 - 12737720 _____ () C:\Users\signage\AppData\Roaming\Dashlane\3.2.5.80399\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}\components\KWMainLib.3.2.5.80399.dll
2015-03-11 10:10 - 2015-03-04 10:57 - 00266936 _____ () C:\Users\signage\AppData\Roaming\Dashlane\3.2.5.80399\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}\components\KWMainLib_win.3.2.5.80399.dll
2015-03-11 10:10 - 2015-03-04 10:57 - 02060984 _____ () C:\Users\signage\AppData\Roaming\Dashlane\3.2.5.80399\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}\components\KWMainLibData.3.2.5.80399.dll
2015-03-11 10:10 - 2015-03-04 10:57 - 00183992 _____ () C:\Users\signage\AppData\Roaming\Dashlane\3.2.5.80399\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}\components\Kwift_DP.3.2.5.80399.dll
2015-03-11 10:11 - 2015-03-04 11:01 - 00227512 _____ () C:\Users\signage\AppData\Roaming\Dashlane\Dashlane.exe
2015-03-11 10:10 - 2015-03-04 10:57 - 06746808 _____ () C:\Users\signage\AppData\Roaming\Dashlane\3.2.5.80399\bin\Firefox_Extension\{442718d9-475e-452a-b3e1-fb1ee16b8e9f}\components\KWApplication.3.2.5.80399.dll
2015-03-23 17:42 - 2015-03-14 05:12 - 14974280 _____ () C:\Program Files\Google\Chrome\Application\41.0.2272.101\PepperFlash\pepflashplayer.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\Users\signage\Downloads\Question about 'unapplied payments'.eml:OECustomProperty
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist Remote Support Customer => ""="Service"
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\Control Panel\Desktop\\Wallpaper -> C:\Users\signage\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.100
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: atnthost => 2
MSCONFIG\Services: CouponPrinterService => 2
MSCONFIG\Services: GoToAssist Remote Support Customer => 3
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: Dashlane => "C:\Users\signage\AppData\Roaming\Dashlane\Dashlane.exe" autoLaunchAtStartup
MSCONFIG\startupreg: GoogleChromeAutoLaunch_33B36909B9068A43430215E25798F174 => "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\QTTask.exe" -atboottime
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2419088479-3728914674-3847077574-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-2419088479-3728914674-3847077574-501 - Limited - Disabled)
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/30/2015 02:42:59 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\wbem\wmiprvse.exe; Description = ComboFix created restore point; Error = 0x8007043c).
 
Error: (03/30/2015 02:42:59 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x8007043c, This service cannot be started in Safe Mode
.
 
 
Operation:
   Instantiating VSS server
 
Error: (03/30/2015 02:42:59 PM) (Source: VSS) (EventID: 18) (User: )
Description: Volume Shadow Copy Service error: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name IVssCoordinatorEx2 cannot be started during Safe Mode.
The Volume Shadow Copy service cannot start while in safe mode. [0x8007043c, This service cannot be started in Safe Mode
]
 
 
Operation:
   Instantiating VSS server
 
Error: (03/30/2015 02:19:06 PM) (Source: MsiInstaller) (EventID: 11920) (User: BUYALLSEASONS)
Description: Product: Garmin Express -- Error 1920. Service 'Garmin Core Update Service' (Garmin Core Update Service) failed to start.  Verify that you have sufficient privileges to start system services.
 
Error: (03/30/2015 02:18:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Garmin.Cartography.MapUpdate.CoreService.exe, version: 2.9.6.108, time stamp: 0x54c8f14b
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x531599f6
Exception code: 0xe0434352
Fault offset: 0x0000812f
Faulting process id: 0x22f8
Faulting application start time: 0xGarmin.Cartography.MapUpdate.CoreService.exe0
Faulting application path: Garmin.Cartography.MapUpdate.CoreService.exe1
Faulting module path: Garmin.Cartography.MapUpdate.CoreService.exe2
Report Id: Garmin.Cartography.MapUpdate.CoreService.exe3
 
Error: (03/30/2015 02:18:24 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Garmin.Cartography.MapUpdate.CoreService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.UnauthorizedAccessException
Stack:
   at System.IO.__Error.WinIOError(Int32, System.String)
   at System.IO.Directory.InternalCreateDirectory(System.String, System.String, System.Object)
   at System.IO.Directory.CreateDirectory(System.String)
   at Garmin.Cartography.MapUpdate.GLib.IO.GDirectory.EnsureExists(Garmin.Cartography.MapUpdate.GLib.IO.PathType, System.String)
   at Garmin.Cartography.MapUpdate.CoreService.Program.Load()
   at Garmin.Cartography.MapUpdate.CoreService.Program.Run()
   at Garmin.Cartography.MapUpdate.CoreService.Program.Main()
 
Error: (03/30/2015 02:18:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Garmin.Cartography.MapUpdate.CoreService.exe, version: 2.9.6.108, time stamp: 0x54c8f14b
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x531599f6
Exception code: 0xe0434352
Fault offset: 0x0000812f
Faulting process id: 0x1e84
Faulting application start time: 0xGarmin.Cartography.MapUpdate.CoreService.exe0
Faulting application path: Garmin.Cartography.MapUpdate.CoreService.exe1
Faulting module path: Garmin.Cartography.MapUpdate.CoreService.exe2
Report Id: Garmin.Cartography.MapUpdate.CoreService.exe3
 
Error: (03/30/2015 02:18:00 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Garmin.Cartography.MapUpdate.CoreService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.UnauthorizedAccessException
Stack:
   at System.IO.__Error.WinIOError(Int32, System.String)
   at System.IO.Directory.InternalCreateDirectory(System.String, System.String, System.Object)
   at System.IO.Directory.CreateDirectory(System.String)
   at Garmin.Cartography.MapUpdate.GLib.IO.GDirectory.EnsureExists(Garmin.Cartography.MapUpdate.GLib.IO.PathType, System.String)
   at Garmin.Cartography.MapUpdate.CoreService.Program.Load()
   at Garmin.Cartography.MapUpdate.CoreService.Program.Run()
   at Garmin.Cartography.MapUpdate.CoreService.Program.Main()
 
Error: (03/30/2015 02:17:46 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Garmin.Cartography.MapUpdate.CoreService.exe, version: 2.9.6.108, time stamp: 0x54c8f14b
Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x531599f6
Exception code: 0xe0434352
Fault offset: 0x0000812f
Faulting process id: 0x2550
Faulting application start time: 0xGarmin.Cartography.MapUpdate.CoreService.exe0
Faulting application path: Garmin.Cartography.MapUpdate.CoreService.exe1
Faulting module path: Garmin.Cartography.MapUpdate.CoreService.exe2
Report Id: Garmin.Cartography.MapUpdate.CoreService.exe3
 
Error: (03/30/2015 02:17:46 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Garmin.Cartography.MapUpdate.CoreService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.UnauthorizedAccessException
Stack:
   at System.IO.__Error.WinIOError(Int32, System.String)
   at System.IO.Directory.InternalCreateDirectory(System.String, System.String, System.Object)
   at System.IO.Directory.CreateDirectory(System.String)
   at Garmin.Cartography.MapUpdate.GLib.IO.GDirectory.EnsureExists(Garmin.Cartography.MapUpdate.GLib.IO.PathType, System.String)
   at Garmin.Cartography.MapUpdate.CoreService.Program.Load()
   at Garmin.Cartography.MapUpdate.CoreService.Program.Run()
   at Garmin.Cartography.MapUpdate.CoreService.Program.Main()
 
 
System errors:
=============
Error: (03/30/2015 03:04:17 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (03/30/2015 03:04:09 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.195.795.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.6.0305.00
 
Source Path: 4.6.0305.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (03/30/2015 03:01:41 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (03/30/2015 02:55:52 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (03/30/2015 02:53:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services service which failed to start because of the following error: 
%%0
 
Error: (03/30/2015 02:52:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/30/2015 02:52:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/30/2015 02:52:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/30/2015 02:52:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (03/30/2015 02:52:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
 
Microsoft Office Sessions:
=========================
Error: (11/22/2011 05:36:54 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6612.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 7536 seconds with 5400 seconds of active time.  This session ended with a crash.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Duo CPU E7500 @ 2.93GHz
Percentage of memory in use: 49%
Total physical RAM: 3291.65 MB
Available physical RAM: 1661.68 MB
Total Pagefile: 6581.59 MB
Available Pagefile: 4916.08 MB
Total Virtual: 2047.88 MB
Available Virtual: 1896.56 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:221.64 GB) (Free:162.18 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 232.8 GB) (Disk ID: C648A420)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=11.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=221.6 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================


#4 deeprybka (Malware Response Team)

Posted 30 March 2015 - 04:18 PM

Hi Aprill,
please do the following:

Step 1

Download Malwarebytes Anti-Rootkit to your Desktop.
  • Double-click "mbar.exe" to start the tool.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"


I will post further instructions tomorrow. It's already late in Germany. :)
regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#5 aprill85 (Topic Starter)

Posted 31 March 2015 - 08:04 AM

Hi Jürgen,

I ran the scan and these are the results:

 

mbar-log-2015-03-30 (16-57-51):
Malwarebytes Anti-Rootkit BETA 1.09.1.1004
www.malwarebytes.org
 
Database version:
  main:    v2015.03.30.09
  rootkit: v2015.03.26.01
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Signage :: RECEPTIONIST [administrator]
 
3/30/2015 4:57:51 PM
mbar-log-2015-03-30 (16-57-51).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 467792
Time elapsed: 15 minute(s), 57 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
 
 
system-log:
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.1.1004
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.1.7601 Windows 7 Service Pack 1 x86
 
Account is Administrative
 
Internet Explorer version: 8.0.7601.17514
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.926000 GHz
Memory total: 3451543552, free: 1753464832
 
Downloaded database version: v2015.03.30.09
Downloaded database version: v2015.03.26.01
Downloaded database version: v2015.03.09.01
Initializing...
======================
------------ Kernel report ------------
     03/30/2015 16:57:36
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\vmbus.sys
\SystemRoot\system32\drivers\winhv.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\PxHelp20.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\vmstorfl.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\system32\DRIVERS\PBADRV.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\k57nd60x.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpbus.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTDVHDA.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\hidusb.sys
\SystemRoot\system32\drivers\HIDCLASS.SYS
\SystemRoot\system32\drivers\HIDPARSE.SYS
\SystemRoot\system32\drivers\USBD.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\drivers\USBSTOR.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\DRIVERS\aksfridge.sys
\SystemRoot\system32\drivers\hardlock.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\drivers\rdpdr.sys
\SystemRoot\system32\drivers\tdtcp.sys
\SystemRoot\System32\DRIVERS\tssecsrv.sys
\SystemRoot\System32\Drivers\RDPWD.SYS
\??\C:\Windows\system32\Drivers\PROCEXP113.SYS
\??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E95AF80A-EF92-48CF-BFE8-7D84370F284F}\MpKslbbcfa47d.sys
\??\C:\Users\signage\AppData\Local\Temp\catchme.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
Done!
 
Scan started
Database versions:
  main:    v2015.03.30.09
  rootkit: v2015.03.26.01
 
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff86b02030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff86b02d10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff86b02030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff86a2b030, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C648A420
 
Partition information:
 
    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 80262
 
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920  Numsec = 23384064
    Partition file system is NTFS
    Partition is bootable
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 23465984  Numsec = 464812032
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 250000000000 bytes
Sector size: 512 bytes
 
Done!
Scan finished
=======================================
 
 
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-81920-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 


#6 deeprybka (Malware Response Team)

Posted 31 March 2015 - 10:55 AM

:thumbup2:

Step 1

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#7 aprill85 (Topic Starter)

Posted 31 March 2015 - 11:12 AM

I am very glad you can understand all these logs! :)

 

FSS:

 

Farbar Service Scanner Version: 17-01-2015
Ran by Signage (administrator) on 31-03-2015 at 11:11:16
Running from "C:\Users\signage\Desktop\Bleeping Help"
Microsoft Windows 7 Professional  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
 
 
**** End of log ****


#8 deeprybka (Malware Response Team)

Posted 31 March 2015 - 11:18 AM

I am very glad you can understand all these logs! :)


Me too! :lol:
 

Step 1


Don't remove on your own anything that HitmanPro detects!
This scanner, while really good for checking, has been known to delete files instead of curing them, which in some cases may render the machine unbootable.
Any removals will be done manually after careful analysis of the scan results!


Please download HitmanPro 32-bit / HitmanPro 64-bit by SurfRight and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the HitmanPro icon and select Run as Administrator to start the tool.
  • If the program won't run, please run it while holding down the left CTRL key until it's loaded!
  • Click on the Next button (1). You must agree with the terms of the EULA (2 - if asked).
  • Check the box beside "No, I only want to perform a one-time scan to check this computer" and click on the Next button. (3)
  • The program will start to scan the computer. It should only take several minutes.
  • When the scan is done, click on Save Log (4) and close HitmanPro! (5)
  • Copy and paste the content of the log file in your next reply.


Step 2

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the real-time protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the settings shown in the screenshot.
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed, the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish.
  • A log file is created at the path shown in the screenshot.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!
regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#9 aprill85 (Topic Starter)

Posted 31 March 2015 - 03:19 PM

Here are my latest logs:

 

HitmanPro_20150331_1234:

HitmanPro 3.7.9.240
www.hitmanpro.com
 
   Computer name . . . . : RECEPTIONIST
   Windows . . . . . . . : 6.1.1.7601.X86/2
   User name . . . . . . : BUYALLSEASONS\Signage
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free
 
   Scan date . . . . . . : 2015-03-31 11:57:24
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 7m 35s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 41
 
   Objects scanned . . . : 1,164,874
   Files scanned . . . . : 40,774
   Remnants scanned  . . : 290,813 files / 833,287 keys
 
Suspicious files ____________________________________________________________
 
   C:\Users\signage\Desktop\Bleeping Help\FRST.exe
      Size . . . . . . . : 1,135,104 bytes
      Age  . . . . . . . : 0.9 days (2015-03-30 15:14:45)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 27600BC2D6D1CBBD1FA5BB7A9157ACCCF3A068A6800ED4B6DC50D24A747F6CAB
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -10.4s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000025
         -10.4s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000026
         -10.0s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000027
         -9.6s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000028
         -9.6s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000029
         -8.3s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00002a
         -8.3s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00002b
         -8.2s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00002c
         -3.4s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00002d
         -3.3s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00002e
          0.0s C:\Users\signage\Desktop\Bleeping Help\FRST.exe
          3.9s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{EEFF036A-A95D-4262-8A7E-9982FE9B3A61}
          7.1s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\
          7.1s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\
          7.1s C:\Users\signage\AppData\Local\temp\Low\
          7.1s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IKIM5D5Z\
          7.2s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MetaStore\2\14\92AB5EF1FAA8568A.dat
          7.2s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MetaStore\2\14\
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IKIM5D5Z\desktop.ini
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5MDN9M4W\
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5MDN9M4W\desktop.ini
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8MX2H1S8\
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8MX2H1S8\desktop.ini
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZYV8MFUI\
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZYV8MFUI\desktop.ini
          7.2s C:\Users\signage\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
          8.3s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{0810073A-82A3-4573-8AC8-9E1A45F480AD}
         26.5s C:\FRST\Logs\
         26.5s C:\FRST\
         26.5s C:\FRST\Hives\
         26.5s C:\FRST\Quarantine\
         27.8s C:\FRST\Hives\ERDNT.INF
         27.8s C:\FRST\Hives\ERDNT.CON
         27.8s C:\FRST\Hives\BCD
         27.9s C:\FRST\Hives\system
         28.4s C:\FRST\Hives\software
         28.8s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{A007822C-46D2-41CD-BA0D-A988E5BCBC98}
         29.3s C:\FRST\Hives\default
         29.4s C:\FRST\Hives\security
         29.5s C:\FRST\Hives\sam
         29.6s C:\FRST\Hives\Users\
         29.6s C:\FRST\Hives\Users\00000001\
         29.6s C:\FRST\Hives\Users\00000001\ntuser.dat
         29.7s C:\FRST\Hives\Users\00000002\
         29.7s C:\FRST\Hives\Users\00000002\UsrClass.dat
         30.1s C:\FRST\Hives\ERDNT.EXE
         30.1s C:\FRST\Hives\ERDNTWIN.LOC
         30.1s C:\FRST\Hives\ERDNTDOS.LOC
 
   C:\Users\signage\Desktop\Bleeping Help\FSS.exe
      Size . . . . . . . : 415,232 bytes
      Age  . . . . . . . : 0.0 days (2015-03-31 11:09:44)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : CF5F35213C6434469F1B4F614A2366A2A88F3CBC7C9965A458F64545A76C5AC1
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -3.6s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00041e
         -3.5s C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00041f
          0.0s C:\Users\signage\Desktop\Bleeping Help\FSS.exe
          3.0s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{9C7A60B5-0F02-407B-BAC2-67BD6C7DB19F}
          9.1s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{F5B4BBA1-E46C-400E-9AB0-746E270C0992}
 
 
Potential Unwanted Programs _________________________________________________
 
   C:\Users\signage\AppData\Roaming\OpenCandy\ (Conduit)
   C:\Users\signage\AppData\Roaming\OpenCandy\EE37CBD7EC424B488BAEB7A2C4EC70F6\ (Conduit)
   C:\Users\signage\AppData\Roaming\OpenCandy\EE37CBD7EC424B488BAEB7A2C4EC70F6\AVG Safeguard.exe (Conduit)
      Size . . . . . . . : 2,940,496 bytes
      Age  . . . . . . . : 24.8 days (2015-03-06 17:17:26)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 953FCD61D43FFF986BCC29A84DDAAE62FD95F51444089DA3DEDD58D31431FDE4
      Product  . . . . . : AVG Installer
      RSA Key Size . . . : 2048
      LanguageID . . . . : 9
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 7.0
      Forensic Cluster
         -11.1s C:\Users\signage\AppData\Roaming\OpenCandy\
         -11.1s C:\Users\signage\AppData\Roaming\OpenCandy\EE37CBD7EC424B488BAEB7A2C4EC70F6\
         -8.9s C:\Users\signage\AppData\Roaming\OpenCandy\EE37CBD7EC424B488BAEB7A2C4EC70F6\AVG_Toolbar_CB_ALL_p3v6.exe
          0.0s C:\Users\signage\AppData\Roaming\OpenCandy\EE37CBD7EC424B488BAEB7A2C4EC70F6\AVG Safeguard.exe
 
   C:\Users\signage\AppData\Roaming\OpenCandy\EE37CBD7EC424B488BAEB7A2C4EC70F6\AVG_Toolbar_CB_ALL_p3v6.exe (Conduit)
      Size . . . . . . . : 2,968,010 bytes
      Age  . . . . . . . : 24.8 days (2015-03-06 17:17:17)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 74980B81CB8487352C1B3D4DFB68A65918A56B3D52A4D785925F132132D9269D
      Fuzzy  . . . . . . : 14.0
      Forensic Cluster
         -2.2s C:\Users\signage\AppData\Roaming\OpenCandy\
         -2.2s C:\Users\signage\AppData\Roaming\OpenCandy\EE37CBD7EC424B488BAEB7A2C4EC70F6\
          0.0s C:\Users\signage\AppData\Roaming\OpenCandy\EE37CBD7EC424B488BAEB7A2C4EC70F6\AVG_Toolbar_CB_ALL_p3v6.exe
          8.9s C:\Users\signage\AppData\Roaming\OpenCandy\EE37CBD7EC424B488BAEB7A2C4EC70F6\AVG Safeguard.exe
 
   C:\Windows\Reimage.ini (ReimageRepair)
   HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL\ (ReimageRepair)
   HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}\ (ReimageRepair)
   HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ (ReimageRepair)
   HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine\ (ReimageRepair)
   HKLM\SOFTWARE\Conduit\ (Conduit)
   HKLM\SOFTWARE\Microsoft\Tracing\ProtectorUpdater_RASAPI32\ (ReimageRepair)
   HKLM\SOFTWARE\Microsoft\Tracing\ProtectorUpdater_RASMANCS\ (ReimageRepair)
   HKLM\SOFTWARE\Microsoft\Tracing\Reimage_RASAPI32\ (ReimageRepair)
   HKLM\SOFTWARE\Microsoft\Tracing\Reimage_RASMANCS\ (ReimageRepair)
   HKLM\SOFTWARE\Microsoft\Tracing\ReimagePackage_RASAPI32\ (ReimageRepair)
   HKLM\SOFTWARE\Microsoft\Tracing\ReimagePackage_RASMANCS\ (ReimageRepair)
   HKLM\SOFTWARE\Microsoft\Tracing\ReimageRepair_RASAPI32\ (ReimageRepair)
   HKLM\SOFTWARE\Microsoft\Tracing\ReimageRepair_RASMANCS\ (ReimageRepair)
   HKLM\SOFTWARE\Microsoft\Tracing\UniProtectorPackage_RASAPI32\ (ReimageRepair)
   HKLM\SOFTWARE\Microsoft\Tracing\UniProtectorPackage_RASMANCS\ (ReimageRepair)
   HKLM\SOFTWARE\Reimage\ (ReimageRepair)
   HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\Software\Local AppWizard-Generated Applications\Reimage - Windows Problem Relief.\ (ReimageRepair)
   HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}\ (ReimageRepair)
   HKU\S-1-5-21-3770295148-3722998716-3168685681-1189\Software\Reimage\ (ReimageRepair)
 
Cookies _____________________________________________________________________
 
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.pointroll.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:adtechus.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:at.atwola.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:bs.serving-sys.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:media6degrees.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:mediaplex.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:pointroll.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:ru4.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:serving-sys.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:smartadserver.com
   C:\Users\signage\AppData\Local\Google\Chrome\User Data\Default\Cookies:www6.smartadserver.com
 
ESET:
C:\Documents and Settings\signage\Downloads\ccsetup504.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\signage\Downloads\ccsetup504.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
 
Hope your day is going well in Germany!!!!


#10 deeprybka
  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 31 March 2015 - 03:41 PM

Hi,

please try to post the ESET Log as instructed. :)

regards,
deeprybka

Neminem laede, immo omnes, quantum potes, iuva. (Harm no one; rather, help everyone as much as you can.) Arthur Schopenhauer

#11 aprill85
  • Topic Starter
  • Members
  • 14 posts

Posted 31 March 2015 - 03:54 PM

I'm so sorry, I must have gone into the wrong folder.

 

ESET:

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=6e945dad279bc247b1d64dfe343f3655
# engine=23172
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-03-31 06:49:07
# local_time=2015-03-31 01:49:07 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Microsoft Security Essentials'
# compatibility_mode=5895 16777213 100 100 1457810 155207793 0 0
# scanned=191469
# found=2
# cleaned=0
# scan_time=4202
sh=95515E5CD54F8D3B375FAFB34E53C0C1D2E7C344 ft=1 fh=00a7bfbc17a0357b vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Documents and Settings\signage\Downloads\ccsetup504.exe"
sh=95515E5CD54F8D3B375FAFB34E53C0C1D2E7C344 ft=1 fh=00a7bfbc17a0357b vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\Users\signage\Downloads\ccsetup504.exe"
ESETSmartInstaller@High as downloader log:
all ok
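The ESET log above is a `# key=value` header followed by one `key=value` line per detection, and the same ccsetup504.exe is reported twice because on Windows 7 `C:\Documents and Settings` is a junction onto `C:\Users`, so a scanner that walks both sees one file through two paths. The parser below is an added example for this thread, not ESET's or the forum helpers' code: it reads that format, checks the header's `found=` count against the number of detection lines, and groups hits by the `sh` value so a single file counted through two paths is reported once. The sample log is constructed from the lines posted above; reading `sh` as a SHA-1 of the file and `fn` as its path is an assumption taken from the log's shape, not from ESET documentation.

```python
"""Parse an ESET Online Scanner log and de-duplicate its detections.

Added example for this thread (not ESET's own code). The format is read
off the posted log: a '# key=value' header, then one line per detection
made of space-separated key=value tokens, with vn (verdict) and fn (file
name) double-quoted. 'sh' is assumed to be a SHA-1 (40 hex characters).
"""
import re
from collections import defaultdict

# Constructed sample: header fields and the two detections from the log
# posted above, with unrelated header lines omitted.
SAMPLE_LOG = """\
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Microsoft Security Essentials'
# scanned=191469
# found=2
# cleaned=0
sh=95515E5CD54F8D3B375FAFB34E53C0C1D2E7C344 ft=1 fh=00a7bfbc17a0357b vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\\Documents and Settings\\signage\\Downloads\\ccsetup504.exe"
sh=95515E5CD54F8D3B375FAFB34E53C0C1D2E7C344 ft=1 fh=00a7bfbc17a0357b vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="C:\\Users\\signage\\Downloads\\ccsetup504.exe"
"""

# key=value tokens; the value is either a double-quoted string or a bare word.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# On Vista and later "C:\Documents and Settings" is a junction onto
# "C:\Users", so the same file shows up once under each prefix.
LEGACY_JUNCTIONS = {"c:\\documents and settings\\": "c:\\users\\"}


def parse_detection(line):
    """Turn one 'sh=... fn="..."' line into a dict of its fields."""
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}


def parse_log(text):
    """Return (header dict, list of detection dicts)."""
    header, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip().strip("\"'")
        elif line.startswith("sh="):
            detections.append(parse_detection(line))
    return header, detections


def canonical_path(path):
    """Lower-case the path (NTFS is case-insensitive) and resolve known junctions."""
    low = path.lower()
    for junction, target in LEGACY_JUNCTIONS.items():
        if low.startswith(junction):
            return target + low[len(junction):]
    return low


def summarize(text):
    """Group detections by hash so one file reached by two paths counts once."""
    header, detections = parse_log(text)
    by_hash = defaultdict(lambda: {"verdict": None, "paths": set()})
    for d in detections:
        entry = by_hash[d["sh"]]
        entry["verdict"] = d.get("vn")
        entry["paths"].add(canonical_path(d["fn"]))
    findings = [{"sha1": h, "verdict": e["verdict"], "paths": sorted(e["paths"])}
                for h, e in by_hash.items()]
    found = int(header.get("found", 0))
    return {
        "found": found,
        "cleaned": int(header.get("cleaned", 0)),
        "header_matches_lines": found == len(detections),
        "unique_hashes": len(findings),
        "unique_paths": sum(len(f["paths"]) for f in findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG)["findings"]:
        print(f["sha1"], f["verdict"])
        for p in f["paths"]:
            print("   ", p)
```

Run on the posted log this collapses `found=2` to one unique hash and one canonical path, which is the right reading of the result: a single bundled-installer download, not two infected files.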


#12 deeprybka
  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 01 April 2015 - 05:41 AM

Thank you!

Step 1

Windows Repair (All-in-One)

  • Please download and install Windows Repair.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following Link.
  • Right-click Windows Repair and select Run as administrator to run the tool.
  • Please follow the instructions in the pictures.
  • Note: Do NOT use your computer whilst the programme is running.
  • Upon completion, start your computer and re-enable your anti-virus program.
  • Using Windows Explorer, navigate to the following folder:
    • 64-bit Systems: C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
    • 32-bit Systems: C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs
  • Open the log. Copy the contents and paste in your next reply.

[Five screenshots of the Windows Repair steps, not reproduced here.]


regards,
deeprybka

#13 aprill85
  • Topic Starter
  • Members
  • 14 posts

Posted 02 April 2015 - 09:33 AM

Hey there! 

 

Sorry for my absence yesterday. I took off of work to celebrate my birthday. But I am back and ready.

 

I am not sure if this is the log you asked for, there are many files in the log folder:

_Windows_Repair_Log:

 
 
Tweaking.com - Windows Repair v3.0.0
--------------------------------------------------------------------------------
 
System Variables
--------------------------------------------------------------------------------
OS: Windows 7 Professional
OS Architecture: 32-bit
OS Version: 6.1.7601
OS Service Pack: Service Pack 1
Computer Name: RECEPTIONIST
Windows Drive: C:\
Windows Path: C:\Windows
Program Files: C:\Program Files
Current Profile: C:\Users\signage
Current Profile SID: S-1-5-21-3770295148-3722998716-3168685681-1189
Current Profile Classes: S-1-5-21-3770295148-3722998716-3168685681-1189_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\Windows\ServiceProfiles
Local Settings AppData: C:\Users\signage\AppData\Local
--------------------------------------------------------------------------------
 
System Information
--------------------------------------------------------------------------------
System Up Time: 01 Day 00:12:50
 
Process Count: 73
Commit Total: 2.45 GB
Commit Limit: 6.43 GB
Commit Peak: 3.39 GB
Handle Count: 24179
Kernel Total: 278.11 MB
Kernel Paged: 240.29 MB
Kernel Non Paged: 37.82 MB
System Cache: 1.28 GB
Thread Count: 823
--------------------------------------------------------------------------------
 
Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 3.21 GB
Memory Used: 1.92 GB(59.6292%)
Memory Avail.: 1.30 GB
--------------------------------------------------------------------------------
 
Cleaning Memory Before Starting Repairs...
 
Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 3.21 GB
Memory Used: 1.57 GB(48.8767%)
Memory Avail.: 1.64 GB
--------------------------------------------------------------------------------
 
Starting Repairs...
   Started at (4/2/2015 9:07:29 AM)
 
Setting Any Missing 'InstallDate' From Uninstall Sections Before Running Repair...
Total Missing 'InstallDate' Fixed: 73
 
01 - Reset Registry Permissions 01/03
   HKEY_CURRENT_USER & Sub Keys
   Start (4/2/2015 9:07:34 AM)
 
   Running Repair Under Current User Account
   Done (4/2/2015 9:07:44 AM)
 
01 - Reset Registry Permissions 02/03
   HKEY_LOCAL_MACHINE & Sub Keys
   Start (4/2/2015 9:07:44 AM)
 
 
Decompressing & Updating Windows Permission File services.txt
Done,  0.22 seconds.
 
   Running Repair Under System Account
   Done (4/2/2015 9:11:07 AM)
 
01 - Reset Registry Permissions 03/03
   HKEY_CLASSES_ROOT & Sub Keys
   Start (4/2/2015 9:11:07 AM)
 
   Running Repair Under System Account
   Done (4/2/2015 9:11:57 AM)
 
03 - Reset Service Permissions
   Start (4/2/2015 9:11:57 AM)
 
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:12:40 AM)
 
04 - Register System Files
   Start (4/2/2015 9:12:40 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:13:00 AM)
 
05 - Repair WMI
   Start (4/2/2015 9:13:00 AM)
 
   Starting Security Center So We Can Export The Security Info.
 
   Exporting Antivirus Info...
   Microsoft Security Essentials Exported.
 
   Exporting AntiSpyware Info...
   Microsoft Security Essentials Exported.
   Windows Defender Exported.
   Spybot - Search and Destroy Exported.
 
   Exporting 3rd Party Firewall Info...
   No Firewall Products Reported.
 
   Running Repair Under Current User Account
   Done (4/2/2015 9:16:33 AM)
 
06 - Repair Windows Firewall
   Start (4/2/2015 9:16:33 AM)
   Running Repair Under Current User Account
 
Decompressing & Updating Windows Permission File services.txt
Done,  0.15 seconds.
 
   Running Repair Under System Account
   Done (4/2/2015 9:17:13 AM)
 
07 - Repair Internet Explorer
   Start (4/2/2015 9:17:13 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:17:26 AM)
 
08 - Repair MDAC/MS Jet
   Start (4/2/2015 9:17:26 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:17:32 AM)
 
09 - Repair Hosts File
   Start (4/2/2015 9:17:32 AM)
   Running Repair Under System Account
   Done (4/2/2015 9:17:34 AM)
 
10 - Remove Policies Set By Infections
   Start (4/2/2015 9:17:34 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:17:38 AM)
 
12 - Repair Icons
   Start (4/2/2015 9:17:38 AM)
   Running Repair Under Current User Account
   Done (4/2/2015 9:17:41 AM)
 
13 - Repair Winsock & DNS Cache
   Start (4/2/2015 9:17:41 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:17:56 AM)
 
15 - Repair Proxy Settings
   Start (4/2/2015 9:17:56 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:17:59 AM)
 
17 - Repair Windows Updates
   Start (4/2/2015 9:17:59 AM)
   Running Repair Under Current User Account
 
Decompressing & Updating Windows Permission File services.txt
Done,  0.15 seconds.
 
   Running Repair Under System Account
   Setting Windows Updates Files That Are In Use To Be Removed At Next Boot.
   Done (4/2/2015 9:18:31 AM)
 
18 - Repair CD/DVD Missing/Not Working
   Start (4/2/2015 9:18:31 AM)
   iTunes not found, not applying UpperFilters iTunes Reg Key
   Done (4/2/2015 9:18:31 AM)
 
19 - Repair Volume Shadow Copy Service
   Start (4/2/2015 9:18:31 AM)
   Running Repair Under Current User Account
 
Decompressing & Updating Windows Permission File services.txt
Done,  0.14 seconds.
 
   Running Repair Under System Account
   Done (4/2/2015 9:18:52 AM)
 
21 - Repair MSI (Windows Installer)
   Start (4/2/2015 9:18:52 AM)
   Running Repair Under Current User Account
 
Decompressing & Updating Windows Permission File services.txt
Done,  0.14 seconds.
 
   Running Repair Under System Account
   Done (4/2/2015 9:19:03 AM)
 
23.01 - Repair bat Association
   Start (4/2/2015 9:19:03 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:06 AM)
 
23.02 - Repair cmd Association
   Start (4/2/2015 9:19:06 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:08 AM)
 
23.03 - Repair com Association
   Start (4/2/2015 9:19:08 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:11 AM)
 
23.04 - Repair Directory Association
   Start (4/2/2015 9:19:11 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:13 AM)
 
23.05 - Repair Drive Association
   Start (4/2/2015 9:19:13 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:15 AM)
 
23.06 - Repair exe Association
   Start (4/2/2015 9:19:15 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:17 AM)
 
23.07 - Repair Folder Association
   Start (4/2/2015 9:19:17 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:19 AM)
 
23.08 - Repair inf Association
   Start (4/2/2015 9:19:19 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:21 AM)
 
23.09 - Repair lnk (Shortcuts) Association
   Start (4/2/2015 9:19:21 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:23 AM)
 
23.10 - Repair msc Association
   Start (4/2/2015 9:19:24 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:26 AM)
 
23.11 - Repair reg Association
   Start (4/2/2015 9:19:26 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:28 AM)
 
23.12 - Repair scr Association
   Start (4/2/2015 9:19:28 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:30 AM)
 
24 - Repair Windows Safe Mode
   Start (4/2/2015 9:19:30 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:19:32 AM)
 
25 - Repair Print Spooler
   Start (4/2/2015 9:19:32 AM)
   Running Repair Under Current User Account
 
Decompressing & Updating Windows Permission File services.txt
Done,  0.14 seconds.
 
   Running Repair Under System Account
   Done (4/2/2015 9:19:47 AM)
 
26 - Restore Important Windows Services
   Start (4/2/2015 9:19:47 AM)
   Running Repair Under Current User Account
 
Decompressing & Updating Windows Permission File services.txt
Done,  0.14 seconds.
 
   Running Repair Under System Account
   Done (4/2/2015 9:19:56 AM)
 
27 - Set Windows Services To Default Startup
   Start (4/2/2015 9:19:56 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:20:07 AM)
 
   Skipping Repair.
   Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
   Current version: 6.1
 
   Skipping Repair.
   Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
   Current version: 6.1
 
   Skipping Repair.
   Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
   Current version: 6.1
 
31 - Repair Windows 'New' Submenu
   Start (4/2/2015 9:20:07 AM)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (4/2/2015 9:20:09 AM)
 
33 - Repair Performance Counters
   Start (4/2/2015 9:20:09 AM)
   Running Repair Under Current User Account
   Done (4/2/2015 9:20:19 AM)
 
Cleaning up empty logs...
 
All Selected Repairs Done.
   Done at (4/2/2015 9:20:19 AM)
   Total Repair Time: 00:12:51
 
 
...YOU MUST RESTART YOUR SYSTEM...
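The Windows Repair log above is a sequence of `NN - Name` sections, each with a `Start (...)` and `Done (...)` stamp, plus unnumbered `Skipping Repair.` blocks and a final reboot notice; the "Repair Windows Updates" step also records that in-use files were queued for removal at next boot, so the run is not complete until the machine restarts. The script below is an added example for this thread, not Tweaking.com's code: it extracts each repair with its duration, counts the skipped blocks, and flags whether a reboot is still pending. The sample is a constructed excerpt of the log posted above with most repairs omitted; the timestamp format (`m/d/yyyy h:mm:ss AM`) is read off that log and assumed to hold for the whole file.

```python
"""Summarise a Tweaking.com Windows Repair (All-in-One) log.

Added example for this thread, not Tweaking.com's code. The layout is read
off the posted log: a 'NN - Name' heading per repair, 'Start (date time)'
and 'Done (date time)' lines under it, unnumbered 'Skipping Repair.' blocks
for repairs that do not apply to this Windows version, and a closing
'...YOU MUST RESTART YOUR SYSTEM...' notice.
"""
import re
from datetime import datetime

# Constructed excerpt of the posted log (most repairs omitted for brevity).
SAMPLE_LOG = """\
Starting Repairs...
   Started at (4/2/2015 9:07:29 AM)

01 - Reset Registry Permissions 02/03
   HKEY_LOCAL_MACHINE & Sub Keys
   Start (4/2/2015 9:07:44 AM)
   Running Repair Under System Account
   Done (4/2/2015 9:11:07 AM)

05 - Repair WMI
   Start (4/2/2015 9:13:00 AM)
   Running Repair Under Current User Account
   Done (4/2/2015 9:16:33 AM)

17 - Repair Windows Updates
   Start (4/2/2015 9:17:59 AM)
   Running Repair Under System Account
   Setting Windows Updates Files That Are In Use To Be Removed At Next Boot.
   Done (4/2/2015 9:18:31 AM)

27 - Set Windows Services To Default Startup
   Start (4/2/2015 9:19:56 AM)
   Done (4/2/2015 9:20:07 AM)

   Skipping Repair.
   Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
   Current version: 6.1

   Skipping Repair.
   Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
   Current version: 6.1

All Selected Repairs Done.
   Done at (4/2/2015 9:20:19 AM)
   Total Repair Time: 00:12:51

...YOU MUST RESTART YOUR SYSTEM...
"""

_HEADING = re.compile(r"^(\d{2}(?:\.\d{2})?) - (.+?)\s*$")   # e.g. "05 - Repair WMI"
_STAMP = re.compile(r"^\s*(Start|Done) \((.+)\)\s*$")       # "Start (4/2/2015 9:13:00 AM)"
_TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_repairs(text):
    """Return one dict per numbered repair: id, name, start, done, reboot_pending."""
    repairs, current = [], None
    for line in text.splitlines():
        m = _HEADING.match(line)
        if m:
            current = {"id": m.group(1), "name": m.group(2),
                       "start": None, "done": None, "reboot_pending": False}
            repairs.append(current)
            continue
        if "Skipping Repair." in line:
            current = None          # unnumbered block; don't attach its lines to the last repair
            continue
        if current is None:
            continue
        m = _STAMP.match(line)
        if m:
            current[m.group(1).lower()] = datetime.strptime(m.group(2), _TIME_FMT)
        elif "Removed At Next Boot" in line:
            current["reboot_pending"] = True
    return repairs


def durations(repairs):
    """Seconds spent in each repair that has both a Start and a Done stamp."""
    return {r["id"]: int((r["done"] - r["start"]).total_seconds())
            for r in repairs if r["start"] and r["done"]}


def summarize(text):
    repairs = parse_repairs(text)
    secs = durations(repairs)
    longest = max(secs, key=secs.get) if secs else None
    return {
        "repairs": len(repairs),
        "skipped": text.count("Skipping Repair."),
        "longest": longest,
        "longest_seconds": secs.get(longest),
        "reboot_required": "YOU MUST RESTART" in text
                           or any(r["reboot_pending"] for r in repairs),
    }


if __name__ == "__main__":
    for r in parse_repairs(SAMPLE_LOG):
        print(r["id"], r["name"], durations([r]).get(r["id"]), "s")
    print(summarize(SAMPLE_LOG))
```

On the full posted log the two longest steps are the HKLM permission reset and the WMI repair, and the reboot flag is set both by the Windows Update step and by the closing notice; the skipped blocks carry no repair number, so the script only counts them rather than guessing which repairs they were.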


#14 aprill85
  • Topic Starter
  • Members
  • 14 posts

Posted 02 April 2015 - 10:12 AM

Also, when I started my pc today, I am getting a LOT of ads popping up in new tabs. This is a completely new issue.



#15 deeprybka
  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany

Posted 02 April 2015 - 11:46 AM

First of all:
Belated happy birthday! :flowers:
 

I am getting a LOT of ads popping up in new tabs. This is a completely new issue.

 
Step 1

Start FRST with administrator privileges.

  • Make sure the Addition.txt option is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

regards,
deeprybka